Friday, 15 May 2020

Configure Apache With TLS/SSL Certificate on Ubuntu 18

TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are used to secure data transfer between client and server. A certificate lets the server prove its identity and encrypts traffic that would otherwise travel as plain text, where any third party on the path could read it. This tutorial shows how to create and activate a TLS/SSL certificate for an Apache server on Ubuntu 18.04.

Generating the certificate yourself means that you are the signer, so the browser cannot verify the server's identity and will warn the user that the certificate is not trusted. The warning can be bypassed for testing, but public-facing sites must use a certificate issued by a trusted certificate authority.

Prerequisites:

  • Apache server configured and installed

Step 1: Generate Certificate

  1. Create a directory to store the files:

     $ mkdir ~/certificates
     $ cd ~/certificates

  2. Generate a private key and a self-signed certificate with the following command (the -x509 option makes openssl output a certificate directly rather than a certificate signing request):

     $ openssl req -x509 -newkey rsa:4096 -keyout apache.key -out apache.crt -days 365 -nodes

After the command starts, it prompts for the subject information of the certificate. Fill it in with the appropriate values.

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: FL
Locality Name (eg, city) []: Miami
Organization Name (eg, company) [My Company]: My Company
Organizational Unit Name (eg, section) []:

The common name is your domain name or the server IP address.

Common Name (e.g. server FQDN or YOUR name) []: 192.168.2.3
Email Address []:dummy@example.com

  3. Create a directory for Apache to read the certificate from and move the certificate and key into it with the following commands:

     $ sudo mkdir /etc/apache2/ssl
     $ sudo mv ~/certificates/* /etc/apache2/ssl/

  4. The certificate is ready; the remaining steps make Apache use it.
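As an added example (not part of the original post), the following bash script performs the Step 1 generation non-interactively, adds a Subject Alternative Name (browsers ignore the Common Name and require the host to appear in the SAN), restricts the private key's permissions, and verifies that key and certificate belong together before they are copied to /etc/apache2/ssl. The scratch directory, the 192.168.2.3 address and the subject fields are assumed values; it requires OpenSSL 1.1.1 or newer, which Ubuntu 18.04 ships.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial. Requires OpenSSL 1.1.1 or
# newer (what Ubuntu 18.04 ships) for the -addext and -ext options.
set -eu

# gen_selfsigned DIR HOST: write DIR/apache.key and DIR/apache.crt for HOST.
# HOST may be an IP address or a DNS name; the SAN entry type follows from that.
gen_selfsigned() {
  local dir="$1" host="$2" san
  case "$host" in
    *[!0-9.]*) san="DNS:$host" ;;   # contains something other than digits/dots
    *)         san="IP:$host"  ;;
  esac
  mkdir -p "$dir"
  # Same command as the tutorial, plus -subj (no prompts) and a SAN extension.
  openssl req -x509 -newkey rsa:4096 -nodes -days 365 \
    -keyout "$dir/apache.key" -out "$dir/apache.crt" \
    -subj "/C=US/ST=FL/L=Miami/O=My Company/CN=$host" \
    -addext "subjectAltName=$san" 2>/dev/null
  # Only the owner (root, once moved under /etc/apache2/ssl) may read the key.
  chmod 600 "$dir/apache.key"
  chmod 644 "$dir/apache.crt"
}

# check_pair DIR HOST: print "ok" if the certificate's public key matches the
# private key, the SAN lists HOST and the key is not group/world readable;
# otherwise print the reason and return 1.
check_pair() {
  local dir="$1" host="$2" key_pub cert_pub
  key_pub=$(openssl pkey -in "$dir/apache.key" -pubout -outform DER | openssl sha256)
  cert_pub=$(openssl x509 -in "$dir/apache.crt" -pubkey -noout \
             | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$key_pub" = "$cert_pub" ] || { echo "key does not match certificate"; return 1; }
  openssl x509 -in "$dir/apache.crt" -noout -ext subjectAltName | grep "$host" >/dev/null \
    || { echo "SAN does not list $host"; return 1; }
  [ "$(stat -c %a "$dir/apache.key")" = "600" ] \
    || { echo "private key permissions are too open"; return 1; }
  echo ok
}

# Stand-alone run: generate into a scratch directory and verify the pair.
work=$(mktemp -d)
gen_selfsigned "$work" 192.168.2.3
check_pair "$work" 192.168.2.3
echo "files are in $work; copy them to /etc/apache2/ssl as in Step 1"
```

Pass a DNS name instead of the address to get a DNS-type SAN; the same check_pair function can be run against any existing key/certificate pair to confirm they match before restarting Apache.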

Step 2: Configuring the Firewall

  1. HTTPS uses TCP port 443 instead of port 80, so make sure that port is open. We will use Uncomplicated Firewall (UFW).
  2. Enable UFW with the following command:

     $ sudo ufw enable

  3. Allow the predefined Apache profile, which opens both port 80 and port 443:

     $ sudo ufw allow 'Apache Full'

  4. You can check the current rules with the following command:

     $ sudo ufw status

The configuration should be similar to this:

To                         Action      From
--                         ------      ----
Apache Full                ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
Apache Full (v6)           ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

  5. So that SSH logins to the server keep working with the firewall enabled, also allow OpenSSH:

     $ sudo ufw allow 'OpenSSH'

Step 3: Apache virtual host configuration

  1. Open the default SSL site configuration file with the following command:

     $ sudo nano /etc/apache2/sites-available/default-ssl.conf

This configuration file tells Apache where to find the certificate and private key. It should look like this:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on

SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

</VirtualHost>
</IfModule>

  2. Change ServerAdmin webmaster@localhost to:

ServerAdmin email@example.net

  3. Add this right below the ServerAdmin line:

ServerName ADD_YOUR_IP_OR_DOMAIN_NAME_HERE

  4. Now point the certificate directives at our files:

SSLCertificateFile    /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

Our file should look like this:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin email@example.net
ServerName 203.0.113.122

DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on

SSLCertificateFile    /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

</VirtualHost>
</IfModule>

  5. Save and close the file.

Step 4: Enable the Apache SSL module

  1. Enable the SSL module with the following command:

     $ sudo a2enmod ssl

  2. Enable the site we have just edited:

     $ sudo a2ensite default-ssl.conf

  3. Restart Apache:

     $ sudo service apache2 restart

  4. The site is now served over HTTPS; open the following address in a browser:

https://YOUR_SERVER_IP

As explained in the introduction, the browser will flag the certificate as untrusted because it is self-signed rather than issued by a trusted certificate authority. Follow your browser's steps to proceed past the warning.

Copyright © 2015 Catatan Pribadi™ is a registered trademark.