Setup SSL (HTTPS) with Apache
Generate Certificate
Local Authority (Self-Signed)
The certificate can be generated locally with the command below. While this is technically a way to implement SSL, the local authority is not trusted by any browser, so visitors will get a warning. In practice, I suggest acquiring a certificate from a CA.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/certs/cert.key -out
From CA (Certificate Authority)
A free certificate can be requested from Let's Encrypt. By following the instructions for Certbot, the certificate can be generated easily.
Below are the instructions for Apache on Ubuntu 16.04:
apt update
apt install software-properties-common
add-apt-repository ppa:certbot/certbot
apt update
apt install python-certbot-apache
certbot --apache
certbot --apache certonly   # only generate the certificate, without changing the Apache configuration
The resulting files are located in /etc/letsencrypt/live/$domain (Documentation)
Renewal
Testing renewal
certbot renew --dry-run
Renewal
certbot renew
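An added example (not part of the original page) that checks the files in /etc/letsencrypt/live/$domain after a renewal: that privkey.pem belongs to fullchain.pem, and that the certificate is not close to expiry. The function names and the 30-day threshold are assumptions, and the demo runs on a throwaway self-signed pair rather than real certificates.

```shell
#!/bin/sh
# Added example: check a certificate/key pair before restarting Apache.

# cert_expires_within CERT DAYS: succeeds if CERT expires within DAYS days.
# A missing or unreadable CERT also counts as "expiring" (fail safe).
cert_expires_within() {
    # -checkend N exits 0 only when the cert is still valid N seconds from now
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# key_matches_cert CERT KEY: succeeds if KEY is the private key of the first
# (leaf) certificate in CERT, by comparing the two public keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_live_dir DIR [DAYS]: 0 = ok, 1 = expiring soon, 2 = key mismatch.
# DAYS defaults to 30, an assumed warning threshold.
check_live_dir() {
    dir=$1; days=${2:-30}
    if ! key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem"; then
        echo "FAIL: privkey.pem does not match fullchain.pem in $dir"; return 2
    fi
    if cert_expires_within "$dir/fullchain.pem" "$days"; then
        echo "WARN: certificate in $dir expires within $days days"; return 1
    fi
    echo "OK: key matches, certificate valid for more than $days days"
}

# make_demo_pair DIR DAYS: constructed sample input, a throwaway self-signed
# pair using the same file names as /etc/letsencrypt/live/$domain.
make_demo_pair() {
    mkdir -p "$1" &&
    openssl req -x509 -nodes -days "$2" -newkey rsa:2048 -subj "/CN=www.domain.com" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# Demo on constructed input; on the server, pass the real live directory instead.
demo=$(mktemp -d)
make_demo_pair "$demo/fresh" 90 && check_live_dir "$demo/fresh"
make_demo_pair "$demo/old" 5 && check_live_dir "$demo/old" || true
rm -rf "$demo"
```

A key that does not match the certificate keeps Apache from starting with the new files, so running the check before the restart catches that case while the old process is still serving.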
Configure Apache
<VirtualHost *:80>
    ServerName www.domain.com
    ServerAlias domain.com
    # Force http to https, previously used
    #Redirect permanent / https://ghostblog.me/
    RewriteEngine on
    # No space after "=": the condition pattern is "=www.domain.com" (exact string match)
    RewriteCond %{SERVER_NAME} =www.domain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
    ServerName www.domain.com
    #SSLEngine on
    #SSLCertificateFile /etc/letsencrypt/live/www.domain.com/cert.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.com/privkey.pem
    #RequestHeader set X-Forwarded-Proto "https"
    # fullchain.pem holds the server certificate followed by the intermediate chain
    SSLCertificateFile /etc/letsencrypt/live/www.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
Apache Modules
sudo a2enmod ssl headers rewrite   # rewrite is needed for the RewriteEngine redirect above
sudo service apache2 restart
DNS Challenge
The DNS challenge can be used when the automatic challenge fails.
The manual method verifies domain ownership through a DNS modification: adding a TXT record.
You are required to have access to the DNS records of the domain.
certbot -d www.domain.com --manual --preferred-challenges dns certonly
Update Registered Email
certbot register --update-registration --email <EMAIL>
Delete Certificate
certbot delete
Firewall
Make sure port 443 is open to the public.
'requests.packages.urllib3'
pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3