Why do I need SSL/TLS?
Maybe your website does not require any sensitive personal information such as a credit card or SIN, but if you simply log in to your blog to make a post, you are typing your password, and this password is traveling over the internet as plain text, unencrypted.
More often than you might think, someone connected to your network (especially on public Wi-Fi) can intercept and read your credentials. Since many people reuse passwords, an attacker could gain access to your blog, social media accounts, or email. So, you need SSL/TLS!
sudo apt update sudo apt upgrade sudo apt install libapache2-mod-md sudo a2enmod md sudo systemctl restart apache2 sudo a2enmod ssl sudo systemctl reload apache2
Edit the configuration file of the site you want to protect:
sudo nano /etc/apache2/sites-available/example.com.conf
Add at the top of the file:
ServerAdmin [email protected] MDCertificateAgreement accepted MDomain example.com MDPrivateKeys RSA 4096
Duplicate the configuration block below with all its content:
<VirtualHost *:80> ... </VirtualHost>
At the end of the first block, add the following lines if you want the web server to always redirect from plain text to encrypted:
<VirtualHost *:80>
...
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
The second block will look like this:
<VirtualHost *:443> SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4" ... Protocols h2 http/1.1 Header always set Strict-Transport-Security "max-age=63072000" </VirtualHost>
Note: use the recommended SSLCipherSuite above or read more about alternatives in this post [Link].
You need to open the port in the firewall and enable the required modules:
sudo ufw allow 443/tcp sudo a2enmod rewrite sudo a2enmod headers
You can always check your configuration before reloading the web server:
sudo apache2ctl configtest sudo systemctl restart apache2
Apache2 will request a certificate from Let’s Encrypt for your domain (this may take about 1 minute). You can monitor the process with:
sudo tail -f /var/log/apache2/error.log
OR
sudo grep 'The Managed Domain' /var/log/apache2/error.log
The expected response in the log file looks like this:
The Managed Domain example.com has been set up and changes will be activated on the next (graceful) server restart.
This means the server needs to be restarted one more time for the changes to take effect.
From a Linux client you can check the connection status with and without encryption:
curl -I http://example.com curl -I https://example.com
The certificate for your domain expires in 90 days. To ensure it renews automatically without interruptions, make sure the mod_watchdog module is installed:
sudo apache2ctl -M | grep mod_watchdog
Expected output: watchdog_module (static)
You can also monitor the status of your certificate by visiting: https://example.com/server-status
To enable this, go back into the configuration file and add the following at the end (remember to restart Apache):
<Location "/md-status"> SetHandler md-status </Location>
You can also look up your domain on Certificate Search [Here] for more details about this and other certificates.