Sign in Subscribe

Setup SSL (HTTPS) with Apache

By Waicung in SSL

How to setup HTTPS with Let's Encrypt.

Setup SSL (HTTPS) with Apache

Generate Certificate

Local Authorised

The certificate can be generated locally via the command below. While technically it is a way to implement SSL, the authority(local) is not trusted by any Browser, such that you will get a warning. Practically, I will suggest acquiring it from a CA.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/certs/cert.key -out

Reference

From CA (Certificate Authority)

Free certificate can be requested from Letsencrypt.
By following the instructions using Certbot. The Certificate can be generated easily.
Below is the instruction for apache in Ubuntu16.04

apt update
apt install software-properties-common
add-apt-repository ppa:certbot/certbot
apt update
apt install python-certbot-apache 
certbot --apache

certbot --apache certonly //generate the certificate

The resulting files are located in /etc/letsencrypt/live/$domain (Documentation)

Renewal

Testing renewal

certbot renew --dry-run

Renewal

certbot renew

Configure Apache

<VirtualHost *:80>
    ServerName www.domain.com
    ServerAlias domain.com

    #Force http to https, previously used
    #Redirect permanent / https://ghostblog.me/
    
    RewriteEngine on
    RewriteCond %{SERVER_NAME} = www.domain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
  
</VirtualHost>

<VirtualHost *:443>

   ServerName www.domain.com

   #SSLEngine on
   #SSLCertificateFile /etc/letsencrypt/live/www.domain.com/cert.pem 
   #SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.com/privkey.pem

   #RequestHeader set X-Forwarded-Proto "https"

   SSLCertificateFile /etc/letsencrypt/live/www.domain.com/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.com/privkey.pem
   Include /etc/letsencrypt/options-ssl-apache.conf
   
</VirtualHost>

Apache Modules

sudo a2enmod ssl headers
sudo service apache2 restart

DNS Challenge

It can be used when automatic challenge failed.
The manual method verify Domain Ownership through DNS modification: add a TXT record.
You are required to have access to the DNS

certbot -d www.domain.com --manual --preferred-challenges dns certonly

Update Registered Email

certbot register --update-registration --email <EMAIL>

Delete Certificate

certbot delete

Firewall

make sure port 443 is open to public

'requests.packages.urllib3'

pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3