Why do I need SSL/TLS?

Maybe your website does not require any sensitive personal information such as a credit card or SIN, but if you simply log in to your blog to make a post, you are typing your password, and this password is traveling over the internet as plain text, unencrypted.

More often than you might think, someone connected to your network (especially on public Wi-Fi) can intercept and read your credentials. Since many people reuse passwords, an attacker could gain access to your blog, social media accounts, or email. So, you need SSL/TLS!

sudo apt update
sudo apt upgrade
sudo apt install libapache2-mod-md
sudo a2enmod md
sudo systemctl restart apache2
sudo a2enmod ssl
sudo systemctl reload apache2

Edit the configuration file of the site you want to protect:

sudo nano /etc/apache2/sites-available/example.com.conf

Add at the top of the file:

ServerAdmin [email protected]
MDCertificateAgreement accepted
MDomain example.com
MDPrivateKeys RSA 4096

Duplicate the configuration block below with all its content:

<VirtualHost *:80>
...
</VirtualHost>

At the end of the first block, add the following lines if you want the web server to always redirect from plain text to encrypted:

<VirtualHost *:80>
...
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

The second block will look like this:

<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"
...
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

Note: use the recommended SSLCipherSuite above or read more about alternatives in this post [Link].

You need to open the port in the firewall and enable the required modules:

sudo ufw allow 443/tcp
sudo a2enmod rewrite
sudo a2enmod headers

You can always check your configuration before reloading the web server:

sudo apache2ctl configtest
sudo systemctl restart apache2

Apache2 will request a certificate from Let’s Encrypt for your domain (this may take about 1 minute). You can monitor the process with:

sudo tail -f /var/log/apache2/error.log

OR

sudo grep 'The Managed Domain' /var/log/apache2/error.log

The expected response in the log file looks like this:

The Managed Domain example.com has been set up and changes will be activated on the next (graceful) server restart.

This means the server needs to be restarted one more time for the changes to take effect.

From a Linux client you can check the connection status with and without encryption:

curl -I http://example.com
curl -I https://example.com

The certificate for your domain expires in 90 days. To ensure it renews automatically without interruptions, make sure the mod_watchdog module is installed:

sudo apache2ctl -M | grep mod_watchdog

Expected output: watchdog_module (static)

You can also monitor the status of your certificate by visiting: https://example.com/server-status

To enable this, go back into the configuration file and add the following at the end (remember to restart Apache):

<Location "/md-status">
SetHandler md-status
</Location>

You can also look up your domain on Certificate Search [Here] for more details about this and other certificates.