Configuring SSL for Apache2 involves installing SSL certificates and modifying Apache’s configuration to serve content over HTTPS. Here’s a guide to setting up Apache2 with SSL, either using a self-signed certificate (for testing) or an official certificate from a certificate authority (CA).
The first step is to enable the SSL module, which allows Apache to handle secure HTTPS connections:
sudo a2enmod ssl
After enabling the module, restart Apache to apply the changes:
sudo systemctl restart apache2
If you don’t have an SSL certificate from a trusted Certificate Authority (CA), you can create a self-signed SSL certificate for testing purposes.
Create a directory for the SSL certificates:
sudo mkdir /etc/apache2/ssl
Generate the SSL certificate and key:
You can generate a new self-signed SSL certificate with openssl:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/apache2/ssl/apache-selfsigned.key \
-out /etc/apache2/ssl/apache-selfsigned.crt
-x509: Specifies that this is a self-signed certificate.
-nodes: Leaves the private key unencrypted (no passphrase), so Apache can start without prompting for one.
-days 365: The certificate will be valid for 365 days.
-newkey rsa:2048: Creates a new certificate and a 2048-bit RSA key.
-keyout: The location where the private key will be saved.
-out: The location where the certificate will be saved.
You will be prompted to fill in information such as country, state, and domain name.
Now, you need to modify the Apache virtual host file to use the SSL certificate.
Edit the default SSL virtual host file:
Apache comes with a default SSL virtual host file. You can edit it to point to your certificate and key:
sudo nano /etc/apache2/sites-available/default-ssl.conf
Inside the <VirtualHost *:443> block, modify the lines for SSLCertificateFile and SSLCertificateKeyFile to point to your certificate and key file:
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache-selfsigned.key

    # Optional SSL settings
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    # Log settings
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Enable the SSL virtual host:
Now you need to enable the SSL site in Apache2:
sudo a2ensite default-ssl.conf
Restart Apache:
Restart Apache for the changes to take effect:
sudo systemctl restart apache2
If you want a trusted SSL certificate (instead of a self-signed one), you’ll need to obtain one from a CA such as Let’s Encrypt, which provides free SSL certificates. We’ve covered the Let’s Encrypt setup in detail, but here’s a quick overview:
Install Certbot for automatic SSL certificate management:
sudo apt update
sudo apt install certbot python3-certbot-apache
Obtain the SSL certificate:
Run the Certbot Apache plugin to automatically configure the SSL certificate:
sudo certbot --apache
Follow the interactive prompts to request a certificate and automatically configure Apache2 to use the certificate.
Automatic Renewal: Certbot will automatically renew the certificate when it’s close to expiring. You can check the renewal process with:
sudo certbot renew --dry-run
If you want to ensure that all HTTP requests are redirected to HTTPS, you can do so by adding a redirect in your non-SSL virtual host configuration.
Edit the default virtual host file for HTTP (port 80):
sudo nano /etc/apache2/sites-available/000-default.conf
Add the following redirect rule inside the <VirtualHost *:80> block:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Redirect all HTTP requests to HTTPS
    Redirect permanent / https://your-domain.com/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Restart Apache:
After making these changes, restart Apache:
sudo systemctl restart apache2
Now, all requests to http://your-domain.com will automatically be redirected to https://your-domain.com.
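To check the two virtual hosts configured above before restarting Apache, the following added example (not part of the original guide, and not an Apache tool) scans configuration text for a port 443 vhost lacking SSLEngine on or either certificate directive, and for a port 80 vhost that has no redirect to HTTPS. The function names and the sample inputs are constructed for illustration, and only the mod_alias Redirect form used in this guide is recognised.

```python
import re
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
REDIRECT_RE = re.compile(r"(?:\S+\s+)?/\s+https://", re.I)  # optional status, then "/ https://"

def directives(body):
    """Map lower-cased directive name -> list of argument strings."""
    found = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":  # skip comments and nested section tags
            continue
        name, *rest = line.split(None, 1)
        found.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return found

def audit(conf_text):
    """Return (vhost address, problem) pairs; mod_rewrite redirects are not detected."""
    findings = []
    for addr, body in VHOST_RE.findall(conf_text):
        d = directives(body)
        ports = {a.rsplit(":", 1)[-1] for a in addr.split()}
        if "443" in ports:
            if [v.lower() for v in d.get("sslengine", [])] != ["on"]:
                findings.append((addr, "SSLEngine is not on"))
            for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
                if name.lower() not in d:
                    findings.append((addr, name + " is missing"))
        if "80" in ports:
            if not any(REDIRECT_RE.match(r) for r in d.get("redirect", [])):
                findings.append((addr, "no Redirect of / to https://"))
    return findings

# Constructed sample input (not from a real server).
GOOD = """<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache-selfsigned.key
</VirtualHost>
<VirtualHost *:80>
    Redirect permanent / https://your-domain.com/
</VirtualHost>"""
BAD = """<VirtualHost *:443>
    SSLCertificateFile /etc/apache2/ssl/apache-selfsigned.crt
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, audit(text))
```

To run it against a real server, pass the contents of the files under /etc/apache2/sites-available/ to audit() in place of the samples.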