RHCE Series: Implementing HTTPS through TLS using Network Security Service (NSS) for Apache – Part 8

If you are a system administrator who is in charge of maintaining and securing a web server, you can’t afford to not devote your very best efforts to ensure that data served by or going through your server is protected at all times.


In order to provide more secure communications between web clients and servers, the HTTPS protocol was born as a combination of HTTP and SSL (Secure Sockets Layer) or more recently, TLS (Transport Layer Security).

Due to some serious security breaches, SSL has been deprecated in favor of the more robust TLS. For that reason, in this article we will explain how to secure connections between your web server and clients using TLS.

This tutorial assumes that you have already installed and configured your Apache web server. If not, please refer to the following article on this site before proceeding further.

  1. Install LAMP (Linux, MySQL/MariaDB, Apache and PHP) on RHEL/CentOS 7

Installation of OpenSSL and Utilities

First off, make sure that Apache is running and that both http and https are allowed through the firewall:

# systemctl start httpd
# systemctl enable httpd
# firewall-cmd --permanent --add-service=http
# firewall-cmd --permanent --add-service=https

Then install the necessary packages:

# yum update && yum install openssl mod_nss crypto-utils

Important: Please note that you can replace mod_nss with mod_ssl in the command above if you want to use OpenSSL libraries instead of NSS (Network Security Service) to implement TLS (which one to use is left entirely up to you, but we will use NSS in this article as it is more robust; for example, it supports recent cryptography standards such as PKCS #11).

Finally, uninstall mod_ssl if you chose to use mod_nss, or vice versa.

# yum remove mod_ssl

Configuring NSS (Network Security Service)

After mod_nss is installed, its default configuration file is created as /etc/httpd/conf.d/nss.conf. You should then make sure that all of the Listen and VirtualHost directives point to port 443 (default port for HTTPS):

nss.conf – Configuration File
Listen 443
<VirtualHost _default_:443>

Then restart Apache and check whether the mod_nss module has been loaded:

# apachectl restart
# httpd -M | grep nss

Next, the following edits should be made in /etc/httpd/conf.d/nss.conf configuration file:

1. Indicate NSS database directory. You can use the default directory or create a new one. In this tutorial we will use the default:

NSSCertificateDatabase /etc/httpd/alias

2. Avoid manual passphrase entry on each system start by storing the NSS database password in /etc/httpd/nss-db-password.conf and pointing mod_nss to that file:

NSSPassPhraseDialog file:/etc/httpd/nss-db-password.conf

Where /etc/httpd/nss-db-password.conf contains ONLY the following line and mypassword is the password that you will set later for the NSS database:

internal:mypassword

In addition, its permissions and ownership should be set to 0640 and root:apache, respectively:

# chmod 640 /etc/httpd/nss-db-password.conf
# chgrp apache /etc/httpd/nss-db-password.conf

3. Red Hat recommends disabling all versions of SSL (that is, every protocol older than TLSv1.0) because of the POODLE vulnerability in SSLv3.

Make sure that every instance of the NSSProtocol directive reads as follows (you are likely to find only one if you are not hosting other virtual hosts):

NSSProtocol TLSv1.0,TLSv1.1

4. Because the certificate we will use is self-signed, Apache will not recognize its issuer as valid and will refuse to restart. For this reason, in this particular case you will have to add:

NSSEnforceValidCerts off

5. Though not strictly required, it is important to set a password for the NSS database:

# certutil -W -d /etc/httpd/alias
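The five steps above are one procedure; the following script is an added example (not the article's own code) that applies the nss.conf edits from steps 1 to 4 to a copy of the file, writes the passphrase file from step 2, and then verifies every directive. It also sets the NSSNickname directive, which a reader reports in the comments as necessary before the server will hand out the new certificate. Assumptions: the nss.conf sample is constructed, not the stock file shipped by mod_nss; the paths in the replacement lines are the article's; "box1" is a hypothetical certificate nickname taken from the comments; `chgrp apache` is skipped because the apache group is not assumed to exist on the machine running the example.

```shell
#!/bin/sh
# Added example, not part of the article: apply the nss.conf edits from steps
# 1-4 (plus the NSSNickname change reported in the comments) to a copy of the
# file, write the passphrase file from step 2, and verify each result.
# Assumptions: the sample nss.conf below is constructed; "box1" is a
# hypothetical certificate nickname; chgrp apache is skipped.
set -eu

write_sample_conf() {
  # Constructed sample with the directives the article edits, at pre-edit
  # values (port 8443 and SSLv3 are chosen so the edits are visible).
  cat > "$1" <<'EOF'
Listen 8443
NSSPassPhraseDialog  builtin
<VirtualHost _default_:8443>
NSSEngine on
NSSProtocol SSLv3,TLSv1.0
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert
</VirtualHost>
EOF
}

apply_nss_edits() {
  # $1 = path to the nss.conf copy, $2 = nickname of the certificate to serve
  conf="$1"; nick="$2"
  sed \
    -e 's/^Listen .*/Listen 443/' \
    -e 's/^<VirtualHost _default_:[0-9]*>/<VirtualHost _default_:443>/' \
    -e 's|^NSSPassPhraseDialog .*|NSSPassPhraseDialog file:/etc/httpd/nss-db-password.conf|' \
    -e 's/^NSSProtocol .*/NSSProtocol TLSv1.0,TLSv1.1/' \
    -e "s/^NSSNickname .*/NSSNickname $nick/" \
    "$conf" > "$conf.tmp"
  # Step 4: NSSEnforceValidCerts is absent from the sample, so add it inside
  # the virtual host unless the file already carries it.
  if grep -q '^NSSEnforceValidCerts' "$conf.tmp"; then
    mv "$conf.tmp" "$conf"
  else
    awk '/^<\/VirtualHost>/ && !done { print "NSSEnforceValidCerts off"; done = 1 } { print }' \
      "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
  fi
}

has_line() { grep -qx "$2" "$1"; }   # exact whole-line match

verify_nss_conf() {
  # $1 = nss.conf copy, $2 = expected nickname; succeeds only if every
  # directive from steps 1-4 is present and no SSLv* protocol is enabled.
  has_line "$1" 'Listen 443' &&
  has_line "$1" '<VirtualHost _default_:443>' &&
  has_line "$1" 'NSSCertificateDatabase /etc/httpd/alias' &&
  has_line "$1" 'NSSPassPhraseDialog file:/etc/httpd/nss-db-password.conf' &&
  has_line "$1" 'NSSProtocol TLSv1.0,TLSv1.1' &&
  has_line "$1" 'NSSEnforceValidCerts off' &&
  has_line "$1" "NSSNickname $2" &&
  ! grep -q '^NSSProtocol.*SSLv' "$1"
}

write_passphrase_file() {
  # $1 = path, $2 = NSS database password. Exactly one line, mode 0640, so
  # only the owner and group (root:apache on the server) can read it.
  ( umask 077; printf 'internal:%s\n' "$2" > "$1" )
  chmod 640 "$1"
}

passphrase_file_ok() {
  [ "$(wc -l < "$1" | tr -d ' ')" -eq 1 ] &&
  grep -qx 'internal:..*' "$1" &&
  [ "$(ls -l "$1" | cut -c1-10)" = '-rw-r-----' ]
}

WORK=$(mktemp -d)
write_sample_conf "$WORK/nss.conf"
apply_nss_edits "$WORK/nss.conf" box1
verify_nss_conf "$WORK/nss.conf" box1 && echo "nss.conf: all directives in place"
write_passphrase_file "$WORK/nss-db-password.conf" mypassword
passphrase_file_ok "$WORK/nss-db-password.conf" && echo "passphrase file: one line, mode 0640"
rm -rf "$WORK"
```

On a real server you would run `apply_nss_edits` against a backup copy of /etc/httpd/conf.d/nss.conf, compare the result with `diff`, and only then move it into place and `chgrp apache` the passphrase file; `verify_nss_conf` is the check worth keeping as a post-change test, since it fails the moment anyone re-enables an SSLv* protocol.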


Gabriel Cánepa
Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.


11 Comments

  1. Hi Dear Gabriel,

    The first time I execute certutil -W -d /etc/httpd/alias/ it asks for a pre-stored password that I don’t have.

    It is expected that the system should ask for a new password and confirmation.

    any suggestions?

  2. Whenever I come across this step, I get the below error. I am running a VM, and tried creating 3 different VMs and loading fresh OS, but still no luck. Any help on this?

    SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: The certificate was signed using a signature algorithm that is disabled because it is not secure.
    certutil: unable to create cert (The certificate was signed using a signature algorithm that is disabled because it is not secure.)
    =======================================

    The below output is when I run the connectivity test
    -----------------
    -----END CERTIFICATE-----
    subject=/C=US/O=example.com/CN=tecmint.linuxnewz.com
    issuer=/C=US/O=example.com/CN=Certificate Shack

    No client certificate CA names sent
    Server Temp Key: ECDH, P-256, 256 bits

    SSL handshake has read 2136 bytes and written 315 bytes

    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1
    Cipher : ECDHE-RSA-AES256-SHA
    Session-ID: 064C3C977F424BBB10EAFF2AF8012D243F517B9AB8B235DC8BE4EF7C1EF81E65
    Session-ID-ctx:
    Master-Key: F99E9AE9C79952C4AB875DB2C8039F1AB3F8A93195607F6118491EBDB4EB261645B1A6E1E3F28EA81B691325D741E63E
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1526052089
    Timeout : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

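The connectivity test quoted in the comment above is the point where a defender checks what the server actually negotiated. The script below is an added example (not from the article or the commenter) that pulls the Protocol, Cipher and Verify return code fields out of `openssl s_client` output and judges them against the policy this article configures (SSL off, TLSv1.0 and TLSv1.1 on). The sample output is constructed to mirror the fields in the comment, not captured from a live server; a real run would feed `openssl s_client -connect <server>:443 </dev/null 2>/dev/null` into the same functions.

```shell
#!/bin/sh
# Added example, not part of the article or the comment: extract the fields
# that matter from an `openssl s_client` run and assess them against the
# NSSProtocol policy configured in this article. SAMPLE_OUTPUT is constructed.
set -eu

SAMPLE_OUTPUT='subject=/C=US/O=example.com/CN=www.example.com
issuer=/C=US/O=example.com/CN=www.example.com
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)'

tls_field() {
  # $1 = label as printed in the SSL-Session block; reads s_client output on
  # stdin and prints the value after the colon (first occurrence only).
  sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

handshake_protocol() { printf '%s\n' "$1" | tls_field Protocol; }
handshake_cipher()   { printf '%s\n' "$1" | tls_field Cipher; }
handshake_verify_code() {
  # Numeric code only; "19 (self signed ...)" becomes "19".
  printf '%s\n' "$1" | tls_field 'Verify return code' | cut -d' ' -f1
}

protocol_allowed() {
  # Mirrors NSSProtocol TLSv1.0,TLSv1.1: any SSL-era protocol is rejected.
  # s_client prints TLS 1.0 as "TLSv1"; newer TLS versions are also accepted.
  case "$1" in
    TLSv1|TLSv1.0|TLSv1.1|TLSv1.2|TLSv1.3) return 0 ;;
    *) return 1 ;;
  esac
}

assess_handshake() {
  # Prints one line per check; exit status is 0 only when the protocol passes.
  # A non-zero verify code is reported but does not fail the check, because
  # the article deliberately serves a self-signed certificate (step 4).
  out="$1"
  proto=$(handshake_protocol "$out")
  code=$(handshake_verify_code "$out")
  if protocol_allowed "$proto"; then
    echo "ok    protocol: $proto, cipher: $(handshake_cipher "$out")"
    rc=0
  else
    echo "FAIL  protocol '$proto' should have been refused by NSSProtocol"
    rc=1
  fi
  if [ "$code" = 0 ]; then
    echo "ok    certificate chain verified by the client"
  else
    echo "warn  verify return code $code: clients will not trust this certificate until its issuer is installed"
  fi
  return $rc
}

assess_handshake "$SAMPLE_OUTPUT"
```

For the comment's output this reports the protocol as acceptable and warns on verify return code 19, which is the expected result for a self-signed certificate; the same check run against a server that still answers with SSLv3 fails, which is the condition the NSSProtocol edit in step 3 is meant to rule out.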
  3. Does the NSS work for keys from Letsencrypt? If yes, then how can we place the key file, as the file /etc/httpd/alias is looked for the certificate.

  4. In the last step, this asks me for a password. I did not set any password, in fact setting it now.

    # certutil -W -d /etc/httpd/alias/
    Enter Password or Pin for "NSS Certificate DB":
    Invalid password.  Try again.
    Enter Password or Pin for "NSS Certificate DB":
    

    Can you please help. I followed the steps mentioned here.

  5. Just a quick tip, you can pass multiple services:

    # firewall-cmd --permanent --add-service={http,https}

    It does save you time during the exam.

  6. I’m using this as a step by step recipe and ran into some problems. I’ll post them as I found them to help anyone else that ran into difficulty because of being as ignorant of what they were doing as I was.

    In the step where specifying listening ports in the nss.conf file, the Virtual host line is in gt and lt brackets, XML style. Leave the gt/lt brackets in place; do not remove them so that the line in your nss.conf file looks exactly like the line shown on this page.

    In step 5 of NSS Config, when running certutil I was prompted for a password. I tried for a couple days to get it right and it was always invalid. I discovered after trial-and-much-error that the first time through I had to just hit Enter for a blank password, then I was prompted for the new one. I then entered the password from step 2(b).

    Regarding step 2(b): It should be stated that after step 2(a) is accomplished the editor should be exited to save nss.conf, then proceed to step 2(b).

    After I created my cert my server still handed out the default cert rather than the one I’d generated. It was not stated in the instructions, but I had to go back into nss.conf, find the virtual host section, find the line that starts “NSSNickname” and replace it with the name of the cert I’d generated. In this example it was named “box1”. (ignore all quotes, in practice)

    • @Harmon20,
      Please know how much we appreciate your involvement and your time to point this out. Thank you for sharing your findings with the rest of the community.

      • Hi Gabriel
        Can you please add this NSSNickname to the article? I didn’t check the comments and, like Harmon20, had to check the nss.conf file to find it.

        Thanks for your great effort.

        Regards,
        Aidin

