Install Let’s Encrypt SSL Certificate on CentOS 8

No? Why?

You also have a ServerAlias for your www subdomain. So changing ServerName to that same hostname doesn’t actually do anything useful. You should keep it the way it was.

It’s very frustrating you’re redacting your hostname. Now we can’t really debug your issue.

I’m betting you forgot a hostname in your certificate, but I can’t verify that.

My original “hostname” was:

localhost.localdomain

And I changed it to:

127.0.0.1       www.mydomain.net    localhost

Is it bad?
Current configuration is:

$ hostnamectl
Static hostname: 127.0.0.1www.mydomain.netlocalhost
Transient hostname: localhost.localdomain
Icon name: computer-vm
Chassis: vm
Machine ID: c19908237e484187b962fc6f87384258
Boot ID: 2aa08bf512784786b249cb81fc4fd82b
Operating System: CentOS Linux 8 (Core)
CPE OS Name: cpe:/o:centos:centos:8
Kernel: Linux 4.18.0-193.14.2.el8_2.x86_64
Architecture: x86-64
$ hostname
127.0.0.1www.mydomain.netlocalhost

Is it because of hostname?
What should my “ServerName” value be?

The hostname (or hostnames, if you’ve used subdomains too) you’ve used to get your Let’s Encrypt certificate. We’re talking about website hostnames, most often used in virtual hosts in webservers. Although in “older” times the hostname of a service was equal to the hostname of the machine, in modern times those are often not equivalent any longer.

According to https://www.tecmint.com/wp-content/uploads/2020/01/Lets-Encrypt-SSL-Certification-Installation-on-Domain.jpg, in the final step I just hit ENTER.
It showed me:
1: mydomain.net
2: www.mydomain.net
I just hit Enter key.

I guess it could help:

$ ls /etc/letsencrypt/live/
mydomain.net/ README

I changed the “hostname” and “hosts” files as below:

$ cat /etc/hostname
#localhost.localdomain
mydomain.net

And:

$ cat /etc/hosts
#127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1       www.mydomain.net   mydomain.net

I’m pretty sure it didn’t actually say “mydomain.net” but your actual domain name. That is what I meant with hostname. I still have no idea what you’re trying to accomplish by editing /etc/hostname and /etc/hosts.

Hello,
I’m using CentOS 8 with Apache. According to https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-apache2-4-read-warnings/2436, I did the steps below:

# openssl dhparam -out /etc/ssl/private/dhparams.pem 4096

Then copy that file:

# cp /etc/ssl/private/dhparams.pem /etc/letsencrypt/archive/mydomain.net/

Then I added the lines below into “httpd.conf”:

SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"
SSLCertificateFile "/etc/letsencrypt/archive/mydomain.net/dhparams.pem"

After that, I ran the command below:

# openssl x509 -noout -in /etc/letsencrypt/live/mydomain.net/privkey.pem -pubkey

But I got the error below:

unable to load certificate
140563944699712:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

Why? Which step is wrong?

Thank you.

You didn’t read the thread correctly. You’re inputting a private key, while the x509 program expects a certificate, just like the error message said.

Also, no offence, but if you don’t really know what you’re doing, do you think it’s wise to do it? For example, Public Key Pinning can leave your site unreachable if the pinned key has been changed by another. And I don’t think PKP is necessary for the 100 % score…

Also, why do you want a 100 % score anyway? You realise this would leave your site inaccessible for older clients?

And another note: “regular” Diffie-Hellman key exchange is very, very slow. It’s better to choose only elliptic curve Diffie-Hellman. Or if you really require older DH, use one of the safer pre-defined groups from RFC 7919. You can read more about it on an older version of the Mozilla Server Side TLS guide.

3 Likes
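As an added example (not from this thread, and not Certbot’s or Apache’s own code), a small shell helper that applies the reply above: it picks the openssl subcommand that matches each PEM file instead of feeding privkey.pem to “openssl x509”, checks that the key belongs to the certificate, and writes a pre-defined RFC 7919 group such as ffdhe2048 for Apache’s “SSLOpenSSLConfCmd DHParameters”. It assumes OpenSSL 1.1.1 or newer on the machine (the “dh_param” option is an assumption to verify with “openssl version”); mydomain.net and the /etc/letsencrypt paths are the thread’s placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: pick the right openssl subcommand for
# each file certbot leaves in /etc/letsencrypt/live/<domain>/, confirm the key
# belongs to the certificate, and write an RFC 7919 group (ffdhe2048/3072/4096)
# instead of a custom "openssl dhparam 4096". Assumes openssl 1.1.1 or newer
# (the dh_param option is assumed to exist there); all paths are placeholders.
set -eu

# Classify a PEM file by its first "-----BEGIN ...-----" line.
# Prints one of: certificate private-key public-key dh-params unknown
pem_kind() {   # pem_kind FILE
    header=$(grep -m1 '^-----BEGIN ' "$1" 2>/dev/null || true)
    case "$header" in
        *"BEGIN CERTIFICATE-----"*)   echo certificate ;;
        *"PRIVATE KEY-----"*)         echo private-key ;;   # PKCS#8, RSA or EC
        *"BEGIN PUBLIC KEY-----"*)    echo public-key ;;
        *"DH PARAMETERS-----"*)       echo dh-params ;;
        *)                            echo unknown ;;
    esac
}

# Print the public key of FILE with the subcommand its type needs; running
# "openssl x509" on privkey.pem is what produced "Expecting: TRUSTED CERTIFICATE".
show_pubkey() {   # show_pubkey FILE
    case "$(pem_kind "$1")" in
        certificate) openssl x509 -noout -pubkey -in "$1" ;;
        private-key) openssl pkey -pubout -in "$1" ;;
        public-key)  cat "$1" ;;
        *) echo "$1: not a certificate or key ($(pem_kind "$1"))" >&2; return 1 ;;
    esac
}

# The certificate and the key Apache loads must share one public key;
# SSLCertificateFile must point at the certificate, never at dhparams.pem.
key_matches_cert() {   # key_matches_cert CERT_PEM KEY_PEM
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Write a pre-defined RFC 7919 finite-field group for
# "SSLOpenSSLConfCmd DHParameters FILE" in httpd.conf. No prime generation
# happens, so this is instant, unlike "openssl dhparam 4096".
write_ffdhe_group() {   # write_ffdhe_group ffdhe2048|ffdhe3072|ffdhe4096 FILE
    openssl genpkey -genparam -algorithm DH -pkeyopt "dh_param:$1" -out "$2"
}

# Usage with the placeholder paths from the thread:
#   show_pubkey /etc/letsencrypt/live/mydomain.net/privkey.pem
#   key_matches_cert /etc/letsencrypt/live/mydomain.net/cert.pem \
#                    /etc/letsencrypt/live/mydomain.net/privkey.pem && echo "key matches"
#   write_ffdhe_group ffdhe2048 /etc/ssl/private/ffdhe2048.pem
```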

You do realize that post is almost five years old - things have changed since then.
And it wasn’t published by LetsEncrypt - it was posted by someone just like you.

OK.
How can I use the pre-defined DH groups ffdhe2048, ffdhe3072 or ffdhe4096?
100% score is not mandatory?
What is the problem with the configuration below?

SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
SSLCipherSuite ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
SSLHonorCipherOrder on
SSLCompression          off
SSLSessionTickets       off

Yes, it is not my real domain name.
Is my problem because of the “hostname” or “hosts” file?

What problem exactly, because that’s still not clear to me, mainly because you’re not sharing the actual domain name.

1 Like

The MISMATCH error.
Excuse me, why do you need the real domain name?

Without it we are unable to provide you with real and accurate support.
All we can do now is guess.

As for the /etc/hosts file, you should NOT have to put/change anything in there to get, or use, a cert.

I gave you the answer to this yesterday:

Stop worrying about your SSLLabs score; none of those are going to matter until you get Apache serving the right cert. Once you get that taken care of, you can worry about cipher suite selection and such.

1 Like
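As an added example (not from this thread, and not Certbot’s own tooling), a shell script that does what the reply above asks for first: it fetches the certificate Apache really presents for a name, compares its SHA-256 fingerprint with the fullchain.pem certbot saved, and checks that the certificate’s Subject Alternative Names include the name, which is the condition behind a MISMATCH error. It assumes openssl on the machine and uses mydomain.net and the /etc/letsencrypt paths as placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check that the certificate Apache
# actually presents for a hostname is the Let's Encrypt certificate on disk,
# and that its Subject Alternative Names cover that hostname. A failure on
# either point is what a browser reports as a name/certificate MISMATCH.
# Assumes openssl (1.1.1 or newer); mydomain.net and the /etc/letsencrypt
# paths are placeholders for the real ones.
set -eu

# Certificate that HOST:443 presents when asked for NAME via SNI, as PEM.
served_cert() {   # served_cert NAME [HOST]
    printf '' | openssl s_client -servername "$1" -connect "${2:-$1}:443" 2>/dev/null \
        | openssl x509
}

# SHA-256 fingerprint of the first certificate in FILE (or on stdin).
fingerprint() {   # fingerprint [FILE]
    if [ $# -gt 0 ]; then
        openssl x509 -noout -fingerprint -sha256 -in "$1"
    else
        openssl x509 -noout -fingerprint -sha256
    fi | sed 's/^.*=//'
}

# Does the certificate text on stdin (from "openssl x509 -noout -text") list
# NAME in its SAN extension? Accepts an exact match or a one-label wildcard
# (*.mydomain.net covers www.mydomain.net but not mydomain.net itself).
san_covers() {   # san_covers NAME < x509-text
    sans=$(tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p')
    parent=${1#*.}
    for san in $sans; do
        [ "$san" = "$1" ] && return 0
        [ "$parent" != "$1" ] && [ "$san" = "*.$parent" ] && return 0
    done
    return 1
}

# Compare what is served with what certbot wrote, then check the name.
check_name() {   # check_name NAME DISK_PEM [HOST]
    served=$(served_cert "$1" "${3:-$1}")
    disk_fp=$(fingerprint "$2")
    served_fp=$(printf '%s\n' "$served" | fingerprint)
    if [ "$disk_fp" != "$served_fp" ]; then
        echo "MISMATCH: Apache serves $served_fp but $2 is $disk_fp"
        return 1
    fi
    if ! printf '%s\n' "$served" | openssl x509 -noout -text | san_covers "$1"; then
        echo "MISMATCH: the served certificate does not list $1"
        return 1
    fi
    echo "OK: $1 is served with $2"
}

# Usage, once public DNS for both names points at this server:
#   check_name mydomain.net     /etc/letsencrypt/live/mydomain.net/fullchain.pem
#   check_name www.mydomain.net /etc/letsencrypt/live/mydomain.net/fullchain.pem
```

Run it for every name in the certificate; a fingerprint mismatch means the vhost is still loading the self-signed localhost.crt, while a SAN failure means the name was left out when the certificate was issued.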

Now that you mention Ciphers, I found this a bit ironic:

“I want ALL possible ciphers, and to that I want to add…”

You should have been presented with this when you opened your topic:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Hi @Hack3rcon

this is a Letsencrypt forum. Not a forum about “How to configure a server”.

A lot of your questions are off-topic.

Thanks.

3 Likes

Hello,
My WordPress website is not up after I changed the values of “hostname” and “hosts” files.
My web site name is “mydomain.net” ==> It is an example.
When I installed the CentOS 8, I left the domain setting default (localhost.localdomain) and I installed and configured the LAMP and Letsencrypt. Everything worked correctly till I changed my “hostname” and “hosts” files as below:

# cat /etc/hostname
#localhost.localdomain
mydomain.net

# cat /etc/hosts
#127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

"My Server IP"  mydomain.net mydomain

After that my server shows me the “Your connection is not private” error and I can’t browse my website.
I googled and found a page that said it is because of the “localhost.key” and “localhost.crt” files, because I changed the default hostname.
I removed these files and “certbot”:

# rm /etc/pki/tls/private/localhost.key
# rm /etc/ssl/certs/localhost.crt

And after that I used the command below to generate a default key:

# /usr/libexec/httpd-ssl-gencerts

And:

# openssl x509 -in /etc/ssl/certs/localhost.crt -noout -subject
subject=C = US, O = Unspecified, CN = mydomain.net, emailAddress = root@mydomain.net

This command generated the “localhost” files, and I want to configure my Virtual Host from the start.
In “httpd.conf”:

ServerName mydomain.net

And Virtual Host file is as below:

<VirtualHost *:80>
ServerAdmin root@localhost
ServerName mydomain.net
DocumentRoot /var/www/wordpress
<Directory "/var/www/wordpress">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log common
</VirtualHost>

I installed the certbot:

# dnf install certbot python3-certbot-apache

Then:

# certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): info@mydomain.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mydomain.net
2: www.mydomain.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):   ===> "I hit Enter key"
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.net
http-01 challenge for www.mydomain.net
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/wp-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/wp-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/wp-le-ssl.conf
Redirecting vhost in /etc/httpd/conf.d/wp.conf to ssl vhost in /etc/httpd/conf.d/wp-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mydomain.net and
https://www.mydomain.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: info@mydomain.net).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.net/privkey.pem
   Your cert will expire on 2020-12-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.

After it:

# systemctl restart httpd
# apachectl configtest
Syntax OK

And my Virtual Host config file became:

<VirtualHost *:80>
ServerAdmin root@localhost
ServerName mydomain.net
ServerAlias www.mydomain.net
DocumentRoot /var/www/wordpress
<Directory "/var/www/wordpress">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log common
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.mydomain.net [OR]
RewriteCond %{SERVER_NAME} =mydomain.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

When I browse my website, then:

The Apache log tells me:

# cat /var/log/httpd/error_log
[Thu Sep 03 19:28:36.973820 2020] [mpm_event:notice] [pid 456658:tid 140461237471552] AH00493: SIGUSR1 received.  Doing graceful restart
[Thu Sep 03 19:28:37.085905 2020] [lbmethod_heartbeat:notice] [pid 456658:tid 140461237471552] AH02282: No slotmem from mod_heartmonitor
[Thu Sep 03 19:28:37.091499 2020] [mpm_event:notice] [pid 456658:tid 140461237471552] AH00489: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 configured -- resuming normal operations
[Thu Sep 03 19:28:37.091551 2020] [core:notice] [pid 456658:tid 140461237471552] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Sep 03 19:28:43.011100 2020] [mpm_event:notice] [pid 456658:tid 140461237471552] AH00493: SIGUSR1 received.  Doing graceful restart
[Thu Sep 03 19:28:43.124229 2020] [lbmethod_heartbeat:notice] [pid 456658:tid 140461237471552] AH02282: No slotmem from mod_heartmonitor
[Thu Sep 03 19:28:43.129813 2020] [mpm_event:notice] [pid 456658:tid 140461237471552] AH00489: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 configured -- resuming normal operations
[Thu Sep 03 19:28:43.129865 2020] [core:notice] [pid 456658:tid 140461237471552] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Sep 03 19:28:46.669732 2020] [mpm_event:notice] [pid 456658:tid 140461237471552] AH00493: SIGUSR1 received.  Doing graceful restart
[Thu Sep 03 19:28:46.778790 2020] [lbmethod_heartbeat:notice] [pid 456658:tid 140461237471552] AH02282: No slotmem from mod_heartmonitor
[Thu Sep 03 19:28:46.783707 2020] [mpm_event:notice] [pid 456658:tid 140461237471552] AH00489: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 configured -- resuming normal operations
[Thu Sep 03 19:28:46.783746 2020] [core:notice] [pid 456658:tid 140461237471552] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Sep 03 19:28:47.058568 2020] [mpm_event:notice] [pid 456658:tid 140461237471552] AH00493: SIGUSR1 received.  Doing graceful restart
[Thu Sep 03 19:28:47.166532 2020] [lbmethod_heartbeat:notice] [pid 456658:tid 140461237471552] AH02282: No slotmem from mod_heartmonitor
[Thu Sep 03 19:28:47.171438 2020] [mpm_event:notice] [pid 456658:tid 140461237471552] AH00489: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 configured -- resuming normal operations
[Thu Sep 03 19:28:47.171485 2020] [core:notice] [pid 456658:tid 140461237471552] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Sep 03 19:30:51.127973 2020] [mpm_event:notice] [pid 456658:tid 140461237471552] AH00492: caught SIGWINCH, shutting down gracefully
[Thu Sep 03 19:30:52.325040 2020] [core:notice] [pid 460651:tid 140567023769920] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Sep 03 19:30:52.327359 2020] [suexec:notice] [pid 460651:tid 140567023769920] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 03 19:30:52.330126 2020] [:notice] [pid 460651:tid 140567023769920] ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/) configured.
[Thu Sep 03 19:30:52.330164 2020] [:notice] [pid 460651:tid 140567023769920] ModSecurity: APR compiled version="1.6.3"; loaded version="1.6.3"
[Thu Sep 03 19:30:52.330173 2020] [:notice] [pid 460651:tid 140567023769920] ModSecurity: PCRE compiled version="8.42 "; loaded version="8.42 2018-03-20"
[Thu Sep 03 19:30:52.330186 2020] [:notice] [pid 460651:tid 140567023769920] ModSecurity: LUA compiled version="Lua 5.3"
[Thu Sep 03 19:30:52.330191 2020] [:notice] [pid 460651:tid 140567023769920] ModSecurity: YAJL compiled version="2.1.0"
[Thu Sep 03 19:30:52.330196 2020] [:notice] [pid 460651:tid 140567023769920] ModSecurity: LIBXML compiled version="2.9.7"
[Thu Sep 03 19:30:52.330201 2020] [:notice] [pid 460651:tid 140567023769920] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Thu Sep 03 19:30:52.387610 2020] [lbmethod_heartbeat:notice] [pid 460651:tid 140567023769920] AH02282: No slotmem from mod_heartmonitor
[Thu Sep 03 19:30:52.396738 2020] [mpm_event:notice] [pid 460651:tid 140567023769920] AH00489: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 configured -- resuming normal operations
[Thu Sep 03 19:30:52.396802 2020] [core:notice] [pid 460651:tid 140567023769920] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

What is my mistake? How can I solve it?

Thank you.

What’s your domain name?
Why would you enter your IP into hosts file instead of using public DNS?
What’s the complete Apache configuration?

Public DNS? How?
Apache configuration is:

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"
ServerName mydomain.net
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80


Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@localhost

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html"

#
# Relax access to content within /var/www.
#
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    # Options Indexes FollowSymLinks

    Options FollowSymLinks
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
    Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    #CustomLog "logs/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

</IfModule>

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig /etc/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default.  To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    #
    # The mod_mime_magic module allows the server to use various hints from the
    # contents of the file itself to determine its type.  The MIMEMagicFile
    # directive tells the module where the hint definitions are located.
    #
    MIMEMagicFile conf/magic
</IfModule>

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
EnableSendfile on

# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf


#Security
TraceEnable off
ServerSignature Off
ServerTokens Prod

SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression          off
SSLSessionTickets       off



TimeOut 60
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
ErrorDocument 500 "Oh sorry dear."

FileETag MTime
KeepAlive On
MaxKeepAliveRequests 100
MaxConnectionsPerChild 1000
UseCanonicalName Off
LimitInternalRecursion 5
LimitRequestFields 500
AcceptPathInfo Off
MaxRanges 100
KeepAliveTimeout 4


# Modules
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule headers_module modules/mod_headers.so
RequestReadTimeout header=20-600,MinRate=500 body=20,MinRate=500

Result is: