How to set up HTTPS (SSL) on a CentOS environment

AXS2LMS hosted on Private Cloud Server

There are three major cases when setting up an SSL certificate for your system, depending on your requirements. These are:

  • Having a single domain name without any branches, e.g. axs2lms.example.com
  • Having a few specific domain names for branches, e.g. alpha.axs2lms.example.com, beta.axs2lms.example.com, gamma.axs2lms.example.com
  • Having any number of domain names, e.g. *.axs2lms.example.com

For the first case, you may either obtain a certificate at your own expense from a commercial provider, or the AXS2LMS support team may issue a Let’s Encrypt certificate for you, which is also the default action for new AXS2LMS customers.

For the second and third cases, you must obtain a certificate at your own expense from the provider (Certificate Authority, CA) of your choice.

In any case, if you need to obtain a certificate from a commercial provider, you will need a CSR file to do so. Contact our support team to have the necessary CSR file sent to you. To produce this file, the AXS2LMS support team requires the following information:

  • Domain names (e.g. axs2lms.example.com or *.axs2lms.example.com)
  • Email
  • Organization name
  • Organizational unit (optional)
  • City
  • State or Province
  • Country

So, please include the above information in your request towards our support team.

Once you have done so, we will be able to send you the CSR file, so you may proceed with issuing your certificate.

 

AXS2LMS hosted on your server

If you host AXS2LMS on your own server, then there are two major ways to set up an SSL certificate. Those are:

  • Producing an SSL certificate with a CSR file
  • Producing an SSL certificate with a PFX file

Note: The following commands require elevated permissions, so it is best to perform the process as a superuser. On a Linux command line, type:

sudo -s

SSL certificate with a CSR file

The steps you need to take in order to produce an SSL certificate with a CSR file are the following:

  1. From the command line type the following command
    openssl req -new -newkey rsa:2048 -nodes -keyout <sitename>.key -out <sitename>.csr

    During this step, you will be asked to provide information such as Country, State or Province, etc. The command produces a private key file (<sitename>.key), which is used in step 4, and a CSR file (<sitename>.csr), which is used in the next step.

  2. Use the .csr produced by the previous steps to issue your certificate with the CA provider of your choice. Once your provider completes the process you will get back two files (a certificate and a chain file).
  3. Create a new directory in your file system to store the certificate files.
    mkdir /var/www/vhosts/certs

    Notice!!! You may use some other path for the above directory.

  4. Move the .key file produced in step 1 to the directory certs
    mv <sitename>.key /var/www/vhosts/certs
  5. Move the certificate and chain files (from step 2) to the folder certs
    mv <sitename>.crt /var/www/vhosts/certs
    mv <sitename>_ca.crt /var/www/vhosts/certs
  6. Change the permissions of the certs directory and its files as follows
    chmod -R 400 /var/www/vhosts/certs
  7. Change the ownership of the certs directory and its files as follows
    chown -R root:root /var/www/vhosts/certs
  8. Install mod_ssl for your Apache server
    yum install mod_ssl
  9. Modify your vhosts file as follows
    <VirtualHost <ip_address>:443>
       ServerName <sitename>
       DocumentRoot "/var/www/vhosts/<efront-directory>/"
    
       SSLEngine on
       # TLS 1.2 and later only: SSLv3, TLS 1.0 and TLS 1.1 are deprecated
       SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
       SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
       SSLCertificateFile /var/www/vhosts/certs/<sitename>.crt
       SSLCertificateKeyFile  /var/www/vhosts/certs/<sitename>.key
       SSLCertificateChainFile /var/www/vhosts/certs/<sitename>_ca.crt
    
       <Directory "/var/www/vhosts/<efront-directory>/">
          AllowOverride All
       </Directory>
    </VirtualHost>
  10. If you would like your domain name to accept HTTPS access only, add the following lines to your vhosts file
    <VirtualHost <ip_address>:80>
       ServerName <sitename>
       DocumentRoot "/var/www/vhosts/<efront-directory>/"
                     
       <Directory "/var/www/vhosts/<efront-directory>/">
          AllowOverride All
       </Directory>
          
       RewriteEngine on
       RewriteCond %{SERVER_PORT} !^443$
       RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
    </VirtualHost>
  11. Modify your firewall settings (/root/myfirewall) to allow incoming connections to port 443
  12. After modifying your firewall settings do not forget to “run” your firewall settings again
    ./myfirewall
  13. Make sure that the file /etc/httpd/conf/httpd.conf contains the following line, and if not, add it
    NameVirtualHost *:443
  14. Edit the file /etc/sysconfig/httpd and add the following line
    export OPENSSL_NO_DEFAULT_ZLIB=1
  15. Restart your Apache server
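
SSLProtocol in step 9 takes a list of +/- tokens that mod_ssl applies from left to right, so the set of protocols a line really enables is easy to misread. The script below is an added example, not part of the original AXS2LMS instructions: it resolves a token list and reports SSLv3, TLS 1.0 and TLS 1.1, all of which are deprecated. The function names are hypothetical and the meaning of "all" is an assumption noted in the code.

```shell
#!/bin/sh
# Added example: resolve an SSLProtocol token list the way mod_ssl does.
# Assumption: "all" expands to the five versions below (build-dependent).
ALL_PROTOS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# canon NAME: canonical protocol name (case-insensitive); "all" gives all.
canon() {
    lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    if [ "$lc" = all ]; then printf '%s' "$ALL_PROTOS"; return 0; fi
    for c in $ALL_PROTOS; do
        if [ "$lc" = "$(printf '%s' "$c" | tr '[:upper:]' '[:lower:]')" ]; then
            printf '%s' "$c"
        fi
    done
}

# effective_protocols "TOKENS": +X adds, -X removes, and a bare X replaces
# everything enabled so far; prints the resulting set in version order.
effective_protocols() {
    enabled=""; out=""
    for tok in $1; do
        case "$tok" in
            +*) enabled="$enabled $(canon "${tok#+}")" ;;
            -*) names=$(canon "${tok#-}"); kept=""
                for p in $enabled; do
                    case " $names " in *" $p "*) ;; *) kept="$kept $p" ;; esac
                done
                enabled=$kept ;;
            *)  enabled=$(canon "$tok") ;;
        esac
    done
    for p in $ALL_PROTOS; do
        case " $enabled " in *" $p "*) out="$out $p" ;; esac
    done
    printf '%s\n' "${out# }"
}

# audit_protocols "TOKENS": one line per finding, no output when clean.
audit_protocols() {
    eff=$(effective_protocols "$1")
    for p in $eff; do
        case "$p" in SSLv3|TLSv1|TLSv1.1) echo "deprecated: $p" ;; esac
    done
    case " $eff " in *" TLSv1.2 "*|*" TLSv1.3 "*) ;; *) echo "missing: TLSv1.2+" ;; esac
}

# Constructed sample values, not read from a live server.
for v in "-ALL -SSLv3 +TLSv1" "all -SSLv3 -TLSv1 -TLSv1.1"; do
    printf '%-28s => %s\n' "$v" "$(effective_protocols "$v")"
done
```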

SSL certificate with a PFX file

The steps you need to take in order to produce an SSL certificate with a PFX file are the following:

  1. Create a new directory in your file system to store the certificate files.
    mkdir /var/www/vhosts/certs

    Notice!!! You may use some other path for the above directory.

  2. Extract the certificate from the PFX file
    openssl pkcs12 -in <sitename>.pfx -clcerts -nokeys -out <sitename>.crt
  3. Extract the private key (written unencrypted) from the PFX file
    openssl pkcs12 -in <sitename>.pfx -nocerts -nodes  -out <sitename>.key
  4. Extract the CA chain certificates from the PFX file
    openssl pkcs12 -in <sitename>.pfx -out <sitename>_ca.crt -nodes -nokeys -cacerts

    Notice!!! If this step produces an empty file, do not include it in your .conf file (that is, leave out the SSLCertificateChainFile line)

  5. Continue with the process described in the section “SSL certificate with a CSR file” starting from step 6. The extracted files must be in the certs directory, as the paths in step 9 point there.
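
Whether the files come back from a CA (steps 1 to 5 of the CSR procedure) or are extracted from a PFX file (steps 2 to 4 above), a private key that does not match its certificate stops Apache from starting. The script below is an added example, not part of the original AXS2LMS instructions: it compares the public keys, checks that the first certificate in the chain file issued the site certificate, and reports an empty chain file. It assumes the openssl command is installed; the function names and sample file names are made up, and the sample material is generated on the spot.

```shell
#!/bin/sh
# Added example (not AXS2LMS code): check that key, certificate and chain
# file belong together. Function and file names are made up for the example.

# pubkey_b64 KIND FILE: base64 public key found in a private key (key),
# certificate (crt) or signing request (csr); fails if nothing can be parsed.
pubkey_b64() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
    esac 2>/dev/null | grep -v '^-----' | tr -d '\n' | grep .
}

# check_bundle KEY CRT [CHAIN]: one line per problem, no output when consistent.
check_bundle() {
    k=$(pubkey_b64 key "$1") || { echo "cannot read private key"; return 0; }
    c=$(pubkey_b64 crt "$2") || { echo "cannot read certificate"; return 0; }
    [ "$k" = "$c" ] || echo "key does not match certificate"
    [ -n "$3" ] || return 0
    if [ ! -s "$3" ]; then
        echo "chain file is empty: leave SSLCertificateChainFile out"
    elif [ "$(openssl x509 -in "$2" -noout -issuer_hash)" != \
           "$(openssl x509 -in "$3" -noout -subject_hash 2>/dev/null)" ]; then
        echo "first chain certificate did not issue the certificate"
    fi
}

# make_sample DIR: constructed test material (throwaway CA, one issued
# certificate, an unrelated key, an empty chain file).
make_sample() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Constructed Test CA" -keyout ca.key -out site_ca.crt &&
      openssl req -new -newkey rsa:2048 -nodes \
          -subj "/CN=axs2lms.example.com" -keyout site.key -out site.csr &&
      openssl x509 -req -in site.csr -CA site_ca.crt -CAkey ca.key \
          -CAcreateserial -days 1 -out site.crt &&
      openssl genrsa -out other.key 2048 &&
      : > empty_ca.crt ) >/dev/null 2>&1
}

d=$(mktemp -d) && make_sample "$d" && {
    check_bundle "$d/site.key"  "$d/site.crt" "$d/site_ca.crt"   # prints nothing
    check_bundle "$d/other.key" "$d/site.crt" "$d/empty_ca.crt"  # two findings
}
rm -rf "$d"
```

Run it against the real files in the certs directory before restarting Apache; the CSR from step 1 can be compared with the key in the same way through pubkey_b64.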
