Overview
This document describes how to install an SSL certificate on an Apache server.
Note:
The certificate name cloud.tencent.com is used as an example.
The Apache/2.4.6 version is used as an example. The default port is 80. You can download it from the Apache official website. If you need to use another version, contact us. The current server OS is CentOS 7. Detailed steps vary slightly by OS.
Before you install an SSL certificate, enable port 443 on the Apache server so that HTTPS can be enabled after the certificate is installed. For more information, see How Do I Enable Port 443 for a VM?. Prerequisites
A remote file copy tool such as WinSCP has been installed. Please download the latest version from the official website.
We recommend that you use CVM's file upload feature for deployment to CVM.
Install the remote login tool such as PuTTY or Xshell. The latest official version is recommended.
Install the Apache service on the current server.
The data required to install the SSL certificate includes the following:
|
Server IP address | IP address of the server, which is used to connect the PC to the server. |
Username | The username used to log in to the server. |
Password | The password used to log in to the server. |
Note:
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to get the server IP address, username, and password. Directions
Installing the certificate
2. In the pop-up window, select Apache for the server type, click Download, and decompress the cloud.tencent.com certificate file package to the local directory.
After decompression, you can get the certificate file of the corresponding type, which includes the cloud.tencent.com_apache folder.
Folder: cloud.tencent.com_apache
Files in the folder:
root_bundle.crt: certificate file
cloud.tencent.com.crt: certificate file
cloud.tencent.com.key: Private key file
CSR file:cloud.tencent.com.csr file
Note:
You can upload the CSR file when applying for a certificate or have it generated online by the system. It is provided to the CA and irrelevant to the installation.
3. Log in to the Apache server using WinSCP (a tool copying files between a local computer and a remote computer).
Note:
We recommend that you use CVM's file upload feature for deployment to CVM.
4. Copy the obtained certificate files root_bundle.crt and cloud.tencent.com.crt and the private key file cloud.tencent.com.key from the local directory to the /etc/httpd/ssl directory of the Apache server.
Note:
If the /etc/httpd/ssl directory does not exist, run the mkdir /etc/httpd/ssl command to create it.
5. Log in to the Apache server remotely by using a login tool such as PuTTY. Note:
For a newly installed Apache server, the conf.d, conf, and conf.modules.d directories are under the /etc/httpd directory by default.
6. In the httpd.conf configuration file under /etc/httpd/conf, find the Include conf.modules.d/*.conf configuration statement (for loading the SSL configuration directory) and check whether it is commented out. If so, remove the comment symbol (#) from the first line and save the configuration file.
7. In the 00-ssl.conf configuration file under /etc/httpd/conf.modules.d, find the LoadModule ssl_module modules/mod_ssl.so configuration statement (for loading the SSL module) and check whether it is commented out. If so, remove the comment symbol (#) from the first line and save the configuration file.
Note:
The directory structure varies by OS version. Find files in accordance with the actual OS version.
If LoadModule ssl_module modules/mod_ssl.so and Include conf.modules.d/*.conf configuration statements cannot be found in the configuration files above, check whether the mod_ssl.so module has been installed, and if not, run the yum install mod_ssl command to install it.
8. Edit the ssl.conf configuration file in the /etc/httpd/conf.d directory by modifying the following:
<VirtualHost 0.0.0.0:443>
DocumentRoot "/var/www/html"
# Enter the certificate name
ServerName cloud.tencent.com
# Enable SSL
SSLEngine on
# Path of the certificate file
SSLCertificateFile /etc/httpd/ssl/cloud.tencent.com.crt
# Path of the private key file
SSLCertificateKeyFile /etc/httpd/ssl/cloud.tencent.com.key
# Path of the certificate chain file
SSLCertificateChainFile /etc/httpd/ssl/root_bundle.crt
</VirtualHost>
9. Restart the Apache server and then you can access it through https://cloud.tencent.com.
If the security lock icon is displayed in the browser, the certificate has been installed successfully.
In case of a website access exception, troubleshoot the issue by referring to the following FAQs:
(Optional) Security configuration for automatic redirect from HTTP to HTTPS
To redirect HTTP requests to HTTPS, complete the following settings:
1. Edit the httpd.conf configuration file in the /etc/httpd/conf directory.
Note:
The httpd.conf configuration file is located in more than one directory. You can filter them by /etc/httpd/*.
2. Check whether LoadModule rewrite_module modules/mod_rewrite.so is in it.
If so, remove the comment symbol (#) in front of LoadModule rewrite_module modules/mod_rewrite.so and proceed to step 4. 3. Creat
e a *.conf file such as 00-rewrite.conf in /etc/httpd/conf.modules.d and add the following content to it: LoadModule rewrite_module modules/mod_rewrite.so
4. Add the follo
wing to the httpd.conf configuration file: <Directory "/var/www/html">
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</Directory>
5. Restart the Apache server and then you can access it through http://cloud.tencent.com.
Note:
If anything goes wrong during this process, contact us.