Configure Apache with a RapidSSL certificate on CentOS

From Wiki Hackstore


Description

Set up an environment with Linux CentOS + Apache + SSL


Requirements

Install the required packages:

yum install mod_ssl openssl httpd httpd-tools


Configuration

After installing the packages, generate a self-signed certificate or obtain a certificate signed by a Certificate Authority (CA), then configure Apache.


Digital certificate

All files must be stored in the /etc/ssl/rapidssl directory.

CSR

Generate a CSR file for the certificate:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout chaveprivada.key

After generating the files, send CSR.csr to the CA so that the certificate can be signed.


WARNING: Keep the private key file; it is required in order to use the certificate signed by the CA.


SSLCACertificateFile

intermediario_alphassl.crt

Create the file intermediario_alphassl.crt with the following content:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


root_alphassl.crt

Create the file root_alphassl.crt with the following content:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Create the file commercial_ca.crt (intermediate first, then root):

cat intermediario_alphassl.crt > commercial_ca.crt
echo "" >> commercial_ca.crt
cat root_alphassl.crt >> commercial_ca.crt
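The three commands above only produce a bundle mod_ssl can load when intermediario_alphassl.crt ends with a newline; the `echo ""` is there to keep the END marker of the intermediate and the BEGIN marker of the root on separate lines. The script below is an added example, not part of the original wiki page: it builds the bundle in the same order (intermediate, then root) while adding the separator only when it is actually missing, and provides two checks that count the PEM blocks and confirm none of the markers were glued together. The certificate bodies in its self-test are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original page): build the CA bundle that
# SSLCACertificateFile points to, intermediate first and root second,
# and check that the result is something mod_ssl can parse.

# build_ca_bundle INTERMEDIATE ROOT OUTPUT
# Same effect as "cat inter > out; echo "" >> out; cat root >> out", but
# only adds a newline when the input file does not already end with one.
build_ca_bundle() {
    out="$3"
    : > "$out"
    for f in "$1" "$2"; do
        cat "$f" >> "$out"
        # $(...) strips trailing newlines, so a non-empty result means the
        # file's last byte is not a newline and a separator is needed.
        if [ -n "$(tail -c 1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# count_pem_certs FILE -> number of BEGIN markers that start a line,
# which is how the PEM reader in OpenSSL locates certificates.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# bundle_is_well_formed FILE -> exit 0 when at least one certificate is
# present, every BEGIN has an END, and no END marker is glued to the next
# BEGIN marker on the same line.
bundle_is_well_formed() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    glued=$(grep -c 'END CERTIFICATE----------BEGIN CERTIFICATE' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] && [ "$glued" -eq 0 ]
}

# Self-test with constructed placeholder blocks (not real certificates):
# run as "sh bundle.sh selftest".
if [ "${1:-}" = "selftest" ]; then
    tmp=$(mktemp -d)
    # Intermediate deliberately written without a trailing newline.
    printf '%s' '-----BEGIN CERTIFICATE-----
QUJD
-----END CERTIFICATE-----' > "$tmp/inter.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----
REVG
-----END CERTIFICATE-----' > "$tmp/root.crt"
    cat "$tmp/inter.crt" "$tmp/root.crt" > "$tmp/naive.crt"
    build_ca_bundle "$tmp/inter.crt" "$tmp/root.crt" "$tmp/bundle.crt"
    echo "naive cat:  $(count_pem_certs "$tmp/naive.crt") cert(s) found"
    echo "fixed:      $(count_pem_certs "$tmp/bundle.crt") cert(s) found"
    rm -rf "$tmp"
fi
```

The self-test shows the failure mode directly: a plain `cat inter root` on an intermediate without a trailing newline yields a file in which only one certificate is recognised, whereas `build_ca_bundle` yields two. On the real files, run `bundle_is_well_formed /etc/ssl/rapidssl/commercial_ca.crt` before pointing SSLCACertificateFile at it.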


SSLCertificateChainFile

Download the certificate chain file:

wget https://www.websecurity.symantec.com/content/dam/websitesecurity/support/digicert/rapidssl/ica/RapidSSL_RSA_CA_2018.pem

or

wget https://www.websecurity.symantec.com/content/dam/websitesecurity/support/digicert/rapidssl/ica/RapidSSL_TLS_RSA_CA_G1.pem


Apache

Configure the file /etc/httpd/conf.d/ssl.conf with the following content:

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
# SSLMutex is an httpd 2.2 directive; httpd 2.4 rejects it and uses the global Mutex directive instead
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

<VirtualHost _default_:443>

        ServerName intranet.hackstore.com.br

        UseCanonicalName Off

        # SSL Compression (CRIME attack)
        SSLCompression off

        # Headers (requires mod_headers)
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
        Header always set X-XSS-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        Header always set Referrer-Policy "strict-origin"

        SSLEngine on

        # openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout chaveprivada.key
        SSLCertificateFile /etc/ssl/rapidssl/rapidssl-certificado-2018.crt
        SSLCertificateKeyFile /etc/ssl/rapidssl/chaveprivada.key

        # cat intermediario_alphassl.crt > commercial_ca.crt ; echo "" >> commercial_ca.crt ; cat root_alphassl.crt >> commercial_ca.crt
        SSLCACertificateFile /etc/ssl/rapidssl/commercial_ca.crt
        # A directory given to SSLCACertificatePath must be prepared with c_rehash (hash-named symlinks);
        # mod_ssl does not read plain files placed there
        SSLCACertificatePath /etc/ssl/rapidssl/

        # wget https://www.websecurity.symantec.com/content/dam/websitesecurity/support/digicert/rapidssl/ica/RapidSSL_RSA_CA_2018.pem
        # On httpd 2.4.8 and later SSLCertificateChainFile is deprecated: append the intermediate to the SSLCertificateFile instead
        #SSLCertificateChainFile /etc/ssl/rapidssl/RapidSSL_RSA_CA_2018.pem
        SSLCertificateChainFile /etc/ssl/rapidssl/RapidSSL_TLS_RSA_CA_G1.pem

        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on

        SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256 \
            ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 \
            ECDHE-ECDSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 \
            DHE-DSS-AES128-GCM-SHA256 kEDH+AESGCM ECDHE-RSA-AES128-SHA256 \
            ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA \
            ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA \
            ECDHE-ECDSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA \
            DHE-DSS-AES128-SHA256 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA \
            DHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA \
            AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 \
            AES128-SHA AES256-SHA AES CAMELLIA DES-CBC3-SHA !aNULL !eNULL !EXPORT \
            !DES !RC4 !MD5 !PSK !aECDH !EDH-DSS-DES-CBC3-SHA !EDH-RSA-DES-CBC3-SHA \
            !KRB5-DES-CBC3-SHA"

        ScriptAlias /cgi-bin/ /var/www/intranet.hackstore.com.br/cgi-bin

        DocumentRoot "/var/www/html/intranet"

        <Directory "/var/www/html/intranet">
            Options FollowSymLinks
            AllowOverride All
        </Directory>

        ErrorLog /var/www/logs/ssl_intranet.hackstore.com.br-error_log
        CustomLog /var/www/logs/ssl_intranet.hackstore.com.br-access_log common


        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
        </Directory>

</VirtualHost>


Restart Apache and check the certificate on the DigiCert site:

https://www.digicert.com/help/
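Before restarting httpd, the two errors that most often keep mod_ssl from starting can be caught locally: a private key that does not belong to the certificate the CA returned (the CSR section above warns about keeping the right key), and a certificate that does not chain to the bundle in SSLCACertificateFile. The script below is an added example, not from the original page, and assumes the openssl command-line tool is installed. `make_test_pki` builds a throwaway CA and leaf certificate (the self-signed path mentioned in the Configuration section) so the checks can be exercised offline; on a real system, point `preflight` at the files under /etc/ssl/rapidssl. The host name intranet.example.test and all file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run on the private
# key, the CA-signed certificate and the CA bundle before restarting httpd.
# Assumes the openssl command-line tool is installed. make_test_pki builds
# a throwaway CA and leaf certificate so the checks can be tried offline;
# with real files, point the check functions at /etc/ssl/rapidssl/*.

# key_matches_cert KEY CERT -> exit 0 when the public key embedded in CERT
# is the one derived from KEY. A mismatch is what produces the
# "key values mismatch" error when mod_ssl starts.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_verifies CAFILE CERT -> exit 0 when CERT chains up to a root in
# CAFILE (for the page's layout: the intermediate+root bundle).
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# preflight KEY CERT CAFILE -> prints one line per check and returns the
# number of failed checks, so 0 means the files are consistent.
preflight() {
    failed=0
    if key_matches_cert "$1" "$2"; then echo "PASS key matches certificate"
    else echo "FAIL key does not match certificate"; failed=$((failed + 1)); fi
    if chain_verifies "$3" "$2"; then echo "PASS certificate chains to CA bundle"
    else echo "FAIL certificate does not verify against CA bundle"; failed=$((failed + 1)); fi
    echo "subject: $(openssl x509 -in "$2" -noout -subject 2>/dev/null)"
    return "$failed"
}

# make_test_pki DIR -> writes ca.key, ca.crt, leaf.key, leaf.csr, leaf.crt
# and an unrelated other.key into DIR. Throwaway material for testing only.
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Throwaway Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    # The CSR command from the page, made non-interactive with -subj.
    openssl req -out "$d/leaf.csr" -new -newkey rsa:2048 -nodes \
        -subj "/CN=intranet.example.test" \
        -keyout "$d/leaf.key" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" >/dev/null 2>&1
    # A second, unrelated key to exercise the mismatch detection.
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
}

# Demo: run as "sh preflight.sh demo".
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    preflight "$tmp/leaf.key" "$tmp/leaf.crt" "$tmp/ca.crt"
    echo "--- with the wrong key ---"
    preflight "$tmp/other.key" "$tmp/leaf.crt" "$tmp/ca.crt" || echo "$? check(s) failed"
    rm -rf "$tmp"
fi
```

For the layout on this page the call is `preflight /etc/ssl/rapidssl/chaveprivada.key /etc/ssl/rapidssl/rapidssl-certificado-2018.crt /etc/ssl/rapidssl/commercial_ca.crt`; a non-zero return means restarting httpd will fail or the chain the browser receives will be incomplete, which the DigiCert checker above would then report.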