Self-cert SSL on linux centos6.5 apache

Posted on 2013-12-17
Last Modified: 2013-12-17
Dear Experts,

 I am using Linux CentOS6.5 with apache VPS server with the following apache version which is reported from phpinfo() php function.

Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_bwlimited/1.4 PHP/5.3.21
Question-1 from the apache version, whether it is told I have already installed mod_ssl apache module or not ? If yes, why I could not find anything in "httpd.conf" file  like as follows quotes

LoadModule ssl_module modules/
Include conf/extra/httpd-ssl.conf
Why ?

And I am doing SSL self-cert installation for CentOS and follow  this link to do it., and I could
NOT install mod_ssl modules from "yum install mod_ssl" (Error report: no package available) but I can generate the self-cert and its key by openssl command.  Now I go to visit my site with https such as that I can access the site index page but with red crossed mark and slash mark on https.

I could not find the file of either at /usr/local/apache/modules or /usr/lib64/httpd or all my directories with my root access. Why my site still works for SSL https  access even there is no any apache mod_ssl module enabled or exists ?

Question-3. How can I install mod_ssl module  if yum install mod_ssl is not working ?

More my information provided: I had used Cpanel before on my hosting company and now I've switched to VPS server and stop to use Cpanel(since Cpanel was expired)

Question by:duncanb7
  • 3
  • 3
LVL 34

Accepted Solution

gr8gonzo earned 500 total points
ID: 39724243
Apache modules can be plugged into the Apache server in two different ways:

1. "Static"


2. "Shared"

Static modules are compiled right into the server WHEN the server is built. You can't update them or change them in any way without re-compiling the Apache server.

Shared modules are compiled as separate files that end in ".so", like The shared modules can be added to or removed from Apache at any time, which makes them more FLEXIBLE than static modules.

It is very similar to a car being built with an engine and seats and a steering wheel. Those are all pieces of the car that NEED to be in there for the car to run, so they are added when the car is built, and you cannot change them easily, but they are necessary pieces. Those pieces are like the "static" modules. They just become part of the car.

Then you have a stereo or radio in your car, which is ALSO probably added into the car when it is built, but it is designed so that anyone can easily remove the stereo and replace it. This is like a "shared" module.

Any module can be either static or shared, but there are usually many modules that are defaulted to being compiled into Apache statically. Static modules have a benefit of making Apache faster because they are loaded ONCE when Apache starts. Shared modules have to be loaded each time a child process is loaded, so they are slower.

Now, for your questions:

1. The Apache signature says mod_ssl, so mod_ssl -is- enabled. It is probably compiled statically, which is why you can't find a file. If you find your httpd binary, just run it like this:

httpd -M

That should tell you a full list of what modules are loaded and which are static or shared. If they are static, then you won't have a ".so" file because the code is INSIDE Apache.

2. When you use yum to install any Apache modules, you're going to be installing the shared versions. Don't try to install a shared module if you already have the module as a static module inside Apache. That said, I usually do this on my servers (in a cron job):

yum list > /root/yum.list

Then at any time, I can just use grep to quickly search for availability inside yum like this:

grep -i "mod_ssl" /root/yum.list
grep -i "ssl" /root/yum.list

If you don't have mod_ssl for some reason, then you may not have your yum repos set up properly.

3. Apache can be set up in different ways. You don't ALWAYS have to have a separate SSL config file. The config entries can go anywhere, and sometimes people have everything in one or two big config files for maintenance or performance reasons. Try searching your configs for "SSLEngine" or "SSLCertificateFile" and you might find your config entries for SSL.

4. Unless you add the self-signed certificate as a trusted root certificate to your own computer system (the one you're using to visit / test the web site), the browser will not recognize your self-signed certificate as a valid one. It will still allow HTTPS to work, but it is trying to warn you that it doesn't recognize the certificate. When you add the certificate to your own computer as a trusted root certificate and then close and reload your browser, you shouldn't get the red X over https anymore.
LVL 13

Author Closing Comment

ID: 39724284
It is good post to reply my question exectly,

From you post, in other words, it seems I can set my self-cert SSL certificate to be trusted
SSL certificate  so that the browser won't do red-cross or red-slash mask  on https address bar. How to do it when I do openssl command ?
LVL 34

Expert Comment

ID: 39724382
1. A certificate is just a set of files that is used for encryption and decryption (and some other things, too).

2. A "certificate authority" is simply a certificate that is used to put a seal of approval on another certificate (at least that's the basic idea). A certificate authority issues other certificates.

3. Certificate authorities are handy because it allows your computer to AUTOMATICALLY trust certificates that come from any certificate authority that your computer already trusts.

For example, if you have a friend who NEVER tells a lie, then you probably trust that friend. If that friend has a baby, then you can assume that the child will become honest and trustworthy, too. This is sort of how it works with certificates.

3. Operating systems like Windows or Linux will come with a list of really well-known certificate authorities that they already trust, like VeriSign. That way, your computer will automatically trust certificates that come from VeriSign (and from any other certificate authority that your computer has in its list of trusted certificate authorities).

4. When you create a self-signed certificate, you are creating a new certificate authority that is issuing itself. It is brand-new and does not come from any known certificate authority, so there will never be ANY computer that trusts your self-signed certificate right away. As long as your computer doesn't trust your certificate, you will get that red X and warnings in your browsers.

5. You can copy the certificate to your computer and then import it as a "trusted root" certificate authority. This tells YOUR computer that your self-signed certificate is just like VeriSign and is trustworthy. Anyone else will still get the red X, but you can make YOUR computer trust that certificate.

6. You don't do anything different when you generate the certificate. You simply copy the public certificate file to your computer and import it.
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

LVL 13

Author Comment

ID: 39724683
I could save my self-sign cert into trusted cert folder on browser suggested  from
the article of Microsoft , 
and then the SSL warning page  from browser is gone when everytime I access my https site.
But the red-cross and red-slash mask on https still exists so the only way to get rid of
that is buying third-party authorized trusted certificate. Probably it is last method.
and some company's  free certificate is free but it just do encryption on  domain name and email address only  and other information is not included unless buying  his other SSL certificate package.  

So you agree what I post ?

LVL 34

Expert Comment

ID: 39724838
If the red cross and red slash mark still exists after you import the certificate, it may be that Apache is not using the right certificate. You should be able to click on the red cross/slash or somewhere nearby in the address bar and be able to see which certificate is being presented by Apache for that site.

The Apache configuration should indicate what certificate it is using to enable HTTPS, so if it's not the right certificate, then you'll just have to update the Apache configuration and restart Apache.
LVL 13

Author Comment

ID: 39724902
Probably, it is my new thread question or other question and has been posted
and thanks for all of your reply

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Sonicwall SHA issue 4 41
RHEL installation problems on HP Proliant DL 360 G6 server 20 77
How to convert SSL certificate text to .pem/.cer/.crt 6 27
DNS Forward 4 18
SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension ( This reminded me of questions tha…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question