Monday, 6 May 2019

Create and install an SSL certificate in Apache

Let's create an SSL-encrypted website using Apache.

Prerequisites:
A working unsecured website on port 80
If your server is behind a firewall you will need to open/forward port 443
A publicly accessible FQDN is configured for the site.

Enable the default SSL site in Apache:
sudo a2ensite default-ssl.conf

Install certbot:
sudo apt install certbot python-certbot-apache

Use certbot to create a free certificate:
sudo certbot --apache certonly

Follow the prompts; they are self-explanatory.
Note: This will break if certbot cannot resolve your domain name properly. I have used the certonly subcommand to stop certbot from editing the Apache configs because I prefer to do it myself. Apparently if you drop it you can skip the next step.

Once you are done you should have a shiny new certificate in /etc/letsencrypt/live/www.example.com/

Now, if you did not allow certbot to modify your Apache configs, you will need to tell Apache to use your new certificate.

Edit the file that contains the virtualhost configuration for your web site. The virtualhost section should look like this:

    <VirtualHost *:80>
        ServerName www.example.com
        ServerAdmin brettg@tuxnetworks.com
        DocumentRoot /var/www/html

        (...)
    </VirtualHost>


Modify it to look like this:

    <VirtualHost *:443>
        ServerName www.example.com
        ServerAdmin admin@example.com
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem

        (...)
    </VirtualHost>



Restart your Apache server and you should now be able to browse your site using https.

Note: If you want your site to work in both encrypted (SSL) mode and unsecured mode, then when you are modifying the virtualhost config in Apache, copy that entire section to the end of the file and make the changes shown above in the new section.
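A quick lint for the finished virtualhost file, as an added example that is not part of the original post: it parses each VirtualHost block and reports a port 443 block without SSLEngine on, a missing certificate or key directive, or a Let's Encrypt certificate paired with a key from another directory. The sample config, the function names and the `*:80`/`*:443` addresses are constructed for illustration.

```python
import re

# Constructed sample: a :80 vhost plus a copied :443 vhost missing its key directive.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
</VirtualHost>
"""
OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
LIVE = "/etc/letsencrypt/live/"

def parse_vhosts(text):
    """Return [(ports, directives)] for every <VirtualHost> block."""
    vhosts, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        match = OPEN.match(line)
        if match:
            # "*:443" or "[::1]:443" -> "443"
            ports = {a.rsplit(":", 1)[-1] for a in match.group(1).split()}
            current = {}
            vhosts.append((ports, current))
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None and line and line[0] not in "#<":
            parts = line.split(None, 1)
            current[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return vhosts

def lint(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for ports, d in parse_vhosts(text):
        name = d.get("servername", "(no ServerName)")
        tls = d.get("sslengine", "").lower() == "on"
        if "443" in ports and not tls:
            findings.append(f"{name}: port 443 vhost lacks 'SSLEngine on'")
        if "80" in ports and tls:
            findings.append(f"{name}: 'SSLEngine on' inside a port 80 vhost")
        needed = ("SSLCertificateFile", "SSLCertificateKeyFile")
        findings += [f"{name}: {k} missing" for k in needed if tls and k.lower() not in d]
        cert, key = d.get("sslcertificatefile"), d.get("sslcertificatekeyfile")
        if tls and cert and key and LIVE in cert and cert.rsplit("/", 1)[0] != key.rsplit("/", 1)[0]:
            findings.append(f"{name}: key is in a different directory from the certificate")
    return findings

print("\n".join(lint(SAMPLE_CONF)))
```

Run `lint()` over the contents of your own site file before restarting Apache; `apachectl configtest` still has to pass, since this only checks the directives discussed here.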