SSL Configuration

Configure HTTPS for your Apache websites using Let's Encrypt certificates.


Prerequisites

1. Domain Name

  • Must point to your server's IP address
  • DNS propagation completed

2. Apache Virtual Host

  • Virtual host already configured
  • ServerName matches your domain

1. Install Certbot

sudo apt update
sudo apt install certbot python3-certbot-apache -y

2. Obtain SSL Certificate

sudo certbot --apache -d example.com -d www.example.com

3. Auto-Renewal Setup

sudo crontab -e
# Add this line:
0 12 * * * /usr/bin/certbot renew --quiet

Manual SSL Configuration

1. Generate Private Key

sudo openssl genrsa -out /etc/ssl/private/example.com.key 2048

2. Generate Certificate Signing Request

sudo openssl req -new -key /etc/ssl/private/example.com.key -out /etc/ssl/certs/example.com.csr

3. Generate Self-Signed Certificate (for testing)

sudo openssl x509 -req -days 365 -in /etc/ssl/certs/example.com.csr -signkey /etc/ssl/private/example.com.key -out /etc/ssl/certs/example.com.crt

4. Configure Virtual Host for SSL

sudo nano /etc/apache2/sites-available/example.com-ssl.conf
# Add this configuration:
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    ErrorLog ${APACHE_LOG_DIR}/example.com_error.log
    CustomLog ${APACHE_LOG_DIR}/example.com_access.log combined
</VirtualHost>

5. Enable SSL Module and Site

sudo a2enmod ssl
sudo a2ensite example.com-ssl.conf
sudo systemctl reload apache2

SSL Renewal

Let's Encrypt Auto-Renewal

# Test renewal
sudo certbot renew --dry-run

# Manual renewal
sudo certbot renew

Manual Certificate Renewal

# Generate new certificate
sudo openssl x509 -req -days 365 -in /etc/ssl/certs/example.com.csr -signkey /etc/ssl/private/example.com.key -out /etc/ssl/certs/example.com.crt

# Reload Apache
sudo systemctl reload apache2
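
Certbot does not renew the manually generated certificate from the Manual SSL Configuration section, so its expiry and its match with the private key need their own check before Apache is reloaded. The script below is an added example, not part of the original page; the function names, the script name check-tls.sh and the 30-day default threshold are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks for a manually managed certificate/key pair.

# cert_matches_key CERT KEY: succeeds when both files carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT DAYS: succeeds when CERT is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_tls_pair CERT KEY [MIN_DAYS]: runs both checks, returns 0 only if all pass.
# MIN_DAYS defaults to 30 (an assumed threshold, not from the page).
check_tls_pair() {
    cert=$1; key=$2; min_days=${3:-30}; rc=0
    if cert_matches_key "$cert" "$key"; then
        echo "OK:   certificate and private key match"
    else
        echo "FAIL: $cert does not match $key (or a file is unreadable)"; rc=1
    fi
    if cert_valid_for "$cert" "$min_days"; then
        echo "OK:   certificate valid for at least $min_days more days"
    else
        echo "FAIL: $cert expires within $min_days days (or is unreadable)"; rc=1
    fi
    return "$rc"
}

# Stand-alone use: check-tls.sh CERT KEY [MIN_DAYS]
if [ "$#" -ge 2 ]; then
    check_tls_pair "$@" || exit 1
fi
```

Run it as root (the private key is not world-readable), for example: sudo sh check-tls.sh /etc/ssl/certs/example.com.crt /etc/ssl/private/example.com.key 30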

Force HTTPS Redirect

sudo nano /etc/apache2/sites-available/example.com.conf
# Add this configuration:
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

Quick Commands

Task                  Command
Check SSL status      sudo certbot certificates
Test renewal          sudo certbot renew --dry-run
Manual renewal        sudo certbot renew
Delete certificate    sudo certbot delete --cert-name example.com
Check Apache SSL      sudo apache2ctl -S (Ubuntu) / sudo apachectl -S (CentOS)

Note: Let's Encrypt certificates expire after 90 days. Auto-renewal is essential.