SSL/TLS Configuration and Certificate Setup for Apache2 Web Deployment

Category: Apache2 Web Deployment

Lesson #17

In the previous article, we discussed log management and monitoring for the Apache2 service. Log management is a critical component for ensuring server security and performance; likewise, enhancing security configurations is equally essential in modern web deployments. This article focuses on SSL/TLS configuration and certificate acquisition, adding a robust layer of security to your website.

What Are SSL and TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to secure internet communications. They use encryption to protect data transmitted between users and servers, helping prevent eavesdropping and tampering.

Why Do You Need SSL/TLS?

Enabling SSL/TLS changes your website’s URL from http:// to https://, significantly improving security and user trust. Modern browsers prominently warn users about unencrypted sites—increasing the risk of visitor abandonment. Additionally, enabling HTTPS (i.e., SSL/TLS) can improve your site’s SEO ranking.

Obtaining an SSL/TLS Certificate

Choosing a Certificate Authority (CA)

Common SSL/TLS certificate providers include:

  • Let’s Encrypt: A free, widely adopted certificate authority.
  • DigiCert: Offers paid certificates suitable for enterprise and e-commerce websites.
  • Other reputable CAs such as Certum, GeoTrust, etc.

This article uses Let’s Encrypt as the example provider.

Using Certbot to Obtain a Certificate

  1. Install Certbot

    On Ubuntu systems, install Certbot with the following commands:

    sudo apt update
    sudo apt install certbot python3-certbot-apache

  2. Obtain the Certificate

    To request an SSL/TLS certificate using Certbot, ensure your domain’s DNS records point to your server. Then run:

    sudo certbot --apache

    Certbot will guide you through domain validation—typically via http-01 or dns-01 challenges—to verify your control over the domain.

    Follow the prompts to enter your email address, accept the terms of service, and select the domains you wish to secure.

  3. Configure Automatic Renewal

    Let’s Encrypt certificates expire after 90 days, so automatic renewal is essential. Test renewal first:

    sudo certbot renew --dry-run

    If no errors occur, schedule daily renewal via cron. (On Ubuntu the certbot package already ships a systemd timer that runs renewal on its own; check for it before adding a cron entry so the job is not run twice.)

    sudo crontab -e

    Add this line to run renewal daily at 2:00 AM; the trailing 2>&1 sends Certbot's error output to the same log, so a failed renewal is recorded rather than only mailed by cron:

    0 2 * * * /usr/bin/certbot renew >> /var/log/letsencrypt/letsencrypt.log 2>&1

Configuring Apache2 to Enable SSL/TLS

Configure a Virtual Host for SSL

Create an SSL-enabled virtual host configuration file (e.g., your_domain.conf) under /etc/apache2/sites-available/. Example configuration:

    <VirtualHost *:443>
        ServerName your_domain.com
        ServerAlias www.your_domain.com
        DocumentRoot /var/www/your_domain
    
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/your_domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/your_domain.com/privkey.pem
    
        <Directory /var/www/your_domain>
            Options -Indexes +FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    

Enable the SSL Module and Site Configuration

Activate the SSL module and enable your site configuration:

    sudo a2enmod ssl
    sudo a2ensite your_domain.conf
    sudo systemctl restart apache2


Optimizing SSL/TLS Configuration

To further strengthen security, consider redirecting HTTP traffic to HTTPS, adding security headers, and enforcing modern cryptographic protocols. The Header directives in the example below need mod_headers, which a2enmod ssl does not enable, so enable the headers module as well before restarting Apache; note also that X-XSS-Protection is a legacy header that current browsers ignore, and a Content-Security-Policy is its modern replacement. Below is a common hardening example:

    <VirtualHost *:80>
        ServerName your_domain.com
        Redirect permanent / https://your_domain.com/
    </VirtualHost>
    
    <VirtualHost *:443>
        # Previous SSL configuration...
    
        # Add security headers
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Header always set X-Content-Type-Options "nosniff"
        Header always set X-Frame-Options "DENY"
        Header always set X-XSS-Protection "1; mode=block"
    </VirtualHost>
    

Tune the SSLProtocol and SSLCipherSuite directives to enforce strong, modern cryptography:

    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5

Note that this SSLProtocol line only rules out SSLv2 and SSLv3 (SSLv2 is no longer present in current OpenSSL builds anyway); TLS 1.0 and 1.1 remain negotiable. Current guidance is to disable those two versions as well, with -TLSv1 -TLSv1.1, so that only TLS 1.2 and 1.3 are offered. The SSL Labs test in the next section will report them if they are left enabled.

Testing Your SSL/TLS Configuration

Use the SSL Labs SSL Test tool to audit your SSL/TLS setup. It identifies vulnerabilities and provides actionable recommendations for improvement.
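
The following Python checker is an added example, not code from the article or from Apache. It applies the points of the two hardening sections above (security headers, SSLProtocol and SSLCipherSuite) to a constructed copy of the article's virtual host and flags locally what the SSL Labs test would also report: the article's SSLProtocol line still allows TLS 1.0 and 1.1. The set that "all" expands to assumes a current OpenSSL build (no SSLv2); names such as audit_vhost and the one-year HSTS threshold are the example's own choices.

```python
import re

# Constructed sample, not a real deployment: the article's SSL virtual host with its
# hardening headers and the SSLProtocol / SSLCipherSuite lines folded into one block.
ARTICLE_VHOST = """\
<VirtualHost *:443>
    ServerName your_domain.com
    DocumentRoot /var/www/your_domain

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/your_domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your_domain.com/privkey.pem
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Add security headers
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
</VirtualHost>
"""

# The same sample with TLS 1.0 and 1.1 switched off as well.
HARDENED_VHOST = ARTICLE_VHOST.replace(
    "SSLProtocol all -SSLv2 -SSLv3", "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"
)

# Versions a current mod_ssl/OpenSSL build can negotiate (assumption: OpenSSL 1.1+,
# where SSLv2 no longer exists, so "-SSLv2" is a harmless no-op). "all" expands to this.
KNOWN_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR = 31536000  # HSTS max-age the article uses; treated here as the minimum


def directives(config):
    """Yield (name, args) for each directive line; comments and <tags> are skipped."""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def enabled_protocols(args):
    """Apply mod_ssl's SSLProtocol token rules: bare or +name enables, -name disables."""
    enabled = set()
    for token in args.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        versions = set(KNOWN_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled | versions if op == "+" else enabled - versions
    return enabled


def audit_vhost(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    seen = {}      # directive name -> list of argument strings, in file order
    headers = {}   # lower-cased header name -> value, from "Header [always] set" lines
    for name, args in directives(config):
        seen.setdefault(name, []).append(args)
        if name == "Header":
            m = re.match(r'(?:always\s+)?set\s+(\S+)\s+"([^"]*)"', args)
            if m:
                headers[m.group(1).lower()] = m.group(2)

    if seen.get("SSLEngine", [""])[-1].lower() != "on":
        findings.append("SSLEngine is not 'on'")

    if "SSLProtocol" not in seen:
        findings.append("SSLProtocol not set (server default applies)")
    else:
        legacy = sorted(enabled_protocols(seen["SSLProtocol"][-1]) & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("SSLProtocol still permits " + ", ".join(legacy))

    if "SSLCipherSuite" not in seen:
        findings.append("SSLCipherSuite not set (server default applies)")
    else:
        for excl in ("!aNULL", "!MD5"):
            if excl not in seen["SSLCipherSuite"][-1]:
                findings.append("SSLCipherSuite does not exclude " + excl[1:])

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")
    return findings


if __name__ == "__main__":
    for label, cfg in (("article", ARTICLE_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, audit_vhost(cfg) or ["no findings"])
```

This is a static check of the file you wrote, so it complements rather than replaces the SSL Labs scan: it cannot see what the server actually negotiates (a directive set in a different file, or a module that is not loaded, changes that), but it catches the common configuration slips before the site is exposed.
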

Summary

By following the steps above, you have successfully configured SSL/TLS for your Apache2 website, obtained and installed a certificate, and significantly enhanced its security posture. In the next article, we’ll cover firewall configuration and security policies—adding another vital layer of protection to your server. Remember: robust server security begins with attention to every detail!
