Why do I need SSL/TLS?

Maybe your website does not handle sensitive personal information such as a credit card number or a SIN, but if you simply log in to your blog to write a post you are typing your password, and without TLS that password travels across the internet in plain text, unencrypted.

Anyone on the same network, or on the same public Wi-Fi (the worst case), can read that traffic and capture your credentials, and this happens more often than you think. Many people also reuse one password across sites to make it easier to remember, so a single captured password can hand someone your blog, your social network account, or your email. So, you need SSL/TLS!

sudo apt update
sudo apt upgrade
sudo apt install libapache2-mod-md
sudo a2enmod md
sudo systemctl restart apache2
sudo a2enmod ssl
sudo systemctl reload apache2

Edit the configuration file of the site you want to protect:

sudo nano /etc/apache2/sites-available/example.com.conf

Add at the top of the file, outside any VirtualHost block (mod_md uses the ServerAdmin address as the contact e-mail for the Let's Encrypt account, and MDCertificateAgreement records that you accept their terms of service):

ServerAdmin [email protected]
MDCertificateAgreement accepted
MDomain example.com
MDPrivateKeys RSA 4096

Duplicate the existing port 80 configuration block, with everything inside it, so that the file contains two copies; the second copy will become the HTTPS (port 443) virtual host:

<VirtualHost *:80>
...
</VirtualHost>

At the end of the first block you can add the following lines if you want the web server to always redirect plain-text requests to the encrypted site (this needs mod_rewrite, enabled further below; mod_md answers the ACME challenge requests under /.well-known/acme-challenge/ itself before rewrite rules run, so the redirect does not interfere with issuance or renewal). If you prefer not to use mod_rewrite, mod_alias' Redirect permanent / https://example.com/ or mod_md's own MDRequireHttps permanent directive do the same job:

<VirtualHost *:80>
...
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

The second block will look like this. Note that there are no SSLCertificateFile or SSLCertificateKeyFile lines: mod_md obtains the certificate and hands it to mod_ssl. SSLv3, TLS 1.0 and TLS 1.1 are disabled explicitly (SSLv2 has not been supported by Apache 2.4 for years), and the cipher list only allows forward-secret AEAD suites:

<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
...
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

Note: use the SSLCipherSuite above or read more about it in this post [Link] to get alternatives. Whatever you pick, do not reuse older lists that still contain RC4, 3DES or MD5: RC4 is broken and prohibited for TLS (RFC 7465), and a "recommended" list that ends in "+RC4 RC4" actively re-enables it.

You need to allow HTTPS through the firewall and enable the modules the configuration above relies on (mod_rewrite for the redirect, mod_headers for the HSTS header). Keep port 80 open as well: Let's Encrypt's http-01 validation connects to it. If you want HTTP/2 to actually be offered, also run sudo a2enmod http2; mod_http2 only works with the event or worker MPM, not with prefork (which libapache2-mod-php requires), and the Protocols directive is silently ineffective without it.

sudo ufw allow 443/tcp
sudo a2enmod rewrite
sudo a2enmod headers

You can always check the configuration for syntax errors before restarting the web server, so a typo does not take the site down:

sudo apache2ctl configtest
sudo systemctl restart apache2

Apache will now request a certificate for your domain from Let's Encrypt (this may take about a minute). You can monitor the process with either of these commands:

sudo tail -f /var/log/apache2/error.log

OR

sudo grep 'The Managed Domain' /var/log/apache2/error.log

The expected response in the log file looks like this:

The Managed Domain example.com has been set up and changes will be activated on the next (graceful) server restart.

This indicates that the certificate has been obtained and staged, and that the server needs one more graceful restart (sudo systemctl reload apache2 is enough) for it to take effect.

From a Linux client machine you can check both the plain and the encrypted endpoint: the first should now answer with a 301 redirect to https://, the second with a 200 and the Strict-Transport-Security header:

curl -I http://example.com
curl -I https://example.com
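The two curl calls only show you the raw headers. The script below is an added example for this post, not the author's code: it turns the checks a practitioner runs after such a deployment into functions (redirect really goes to https:// on the same host, HSTS is present with a long enough max-age, the certificate is not close to expiry, TLS 1.1 is refused). The sample headers embedded in it are constructed so the checks can be exercised offline; audit_site() runs the same checks against a live host and assumes GNU date (Linux), curl and openssl on the client. The host name example.com is a placeholder.

```shell
#!/usr/bin/env bash
# Added example for this post (not the author's code): client-side checks for the
# mod_md / HTTPS setup described above. The sample headers are constructed so the
# check functions can run offline; audit_site() needs network access.
# Assumes GNU date (Linux), curl and openssl on the client; the host is hypothetical.

# Constructed sample responses, in the form `curl -I` prints them.
SAMPLE_HTTP_HEADERS='HTTP/1.1 301 Moved Permanently
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Location: https://example.com/
Content-Type: text/html; charset=iso-8859-1'

SAMPLE_HTTPS_HEADERS='HTTP/2 200
date: Mon, 01 Jan 2024 00:00:00 GMT
server: Apache
strict-transport-security: max-age=63072000
content-type: text/html; charset=UTF-8'

# check_redirect HEADERS HOST: succeeds when the plain-HTTP answer is a permanent
# redirect (301/308) to https:// on the same host, not merely "some" redirect.
check_redirect() {
    local headers="$1" host="$2" status location
    status=$(printf '%s\n' "$headers" | tr -d '\r' | head -n1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | tr -d '\r' | grep -i '^location:' | head -n1 | awk '{print $2}')
    case "$status" in 301|308) ;; *) return 1 ;; esac
    case "$location" in
        "https://$host"|"https://$host/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_hsts HEADERS [MIN_AGE]: succeeds when Strict-Transport-Security is present
# with max-age >= MIN_AGE seconds (default 6 months).
check_hsts() {
    local headers="$1" min_age="${2:-15552000}" age
    age=$(printf '%s\n' "$headers" | tr -d '\r' | grep -i '^strict-transport-security:' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n1)
    [ -n "$age" ] && [ "$age" -ge "$min_age" ]
}

# days_left 'notAfter=...': prints whole days until the date printed by
# `openssl x509 -enddate` (negative once expired); returns 1 if it cannot be parsed.
days_left() {
    local enddate="${1#notAfter=}" exp now
    exp=$(date -u -d "$enddate" +%s 2>/dev/null) || return 1
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# audit_site HOST: run all checks against a live server (needs network).
audit_site() {
    local host="$1" http_hdrs https_hdrs enddate days rc=0
    http_hdrs=$(curl -sSI --max-time 10 "http://$host/")   || return 1
    https_hdrs=$(curl -sSI --max-time 10 "https://$host/") || return 1
    check_redirect "$http_hdrs" "$host" && echo "redirect: ok" || { echo "redirect: missing or not to https://$host"; rc=1; }
    check_hsts "$https_hdrs" && echo "hsts: ok" || { echo "hsts: missing or max-age too short"; rc=1; }
    # -servername sends SNI, so the certificate of this vhost (not the default one) is returned
    enddate=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate)
    days=$(days_left "$enddate") || { echo "cert: could not read expiry"; return 1; }
    echo "cert: $days days left"
    # mod_md renews when about a third of the 90 days remains; fewer days means renewal is stuck
    [ "$days" -gt 25 ] || { echo "cert: renewal overdue, check error.log"; rc=1; }
    # the configuration above disables TLS 1.0/1.1; a successful handshake means it did not apply
    if openssl s_client -connect "$host:443" -servername "$host" -tls1_1 </dev/null >/dev/null 2>&1; then
        echo "tls: TLS 1.1 still accepted"; rc=1
    fi
    return $rc
}

# Usage: ./tls-audit.sh example.com
if [ $# -eq 1 ]; then
    audit_site "$1"
fi
```

Run it once right after the final reload and again from cron a few weeks later; a non-zero exit status from audit_site is the signal that renewal or the redirect has silently stopped working.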

The certificate Let's Encrypt issues is valid for 90 days. mod_md renews it automatically (by default when about a third of its lifetime remains, roughly 30 days before expiry) and uses mod_watchdog to run that renewal job in the background, so make sure that module is loaded. In the module listing it appears as watchdog_module, so grep for that:

sudo apache2ctl -M | grep watchdog

The expected output: watchdog_module (static)

A renewed certificate is staged on disk and only becomes active after the next graceful reload, so make sure one happens regularly (for example a cron job running sudo systemctl reload apache2); otherwise the old certificate keeps being served until it expires.

And you can always monitor the status of your managed domains and their renewals by visiting the address: https://example.com/md-status

For that, go back into the configuration file and add this block at the end (remember to reload Apache). The page reveals details about your domains, certificates and renewal errors, so restrict it to trusted addresses with a Require directive inside the Location block (for example Require local, or Require ip with your admin network):

<Location "/md-status">
SetHandler md-status
</Location>

You can also search for your domain on Certificate Search [Here], a Certificate Transparency log search, to see this certificate and every other certificate that has been publicly issued for the domain.