Last active March 14, 2024 16:40
Apache 2.4.18+ with Letsencrypt on Ubuntu 20.04 - SSL config for A+ on


  • Ubuntu 20.04 (18.04, 16.04 works the same)
  • Apache 2.4.18 or higher
  • OpenSSL 1.0.2g-1ubuntu4.10 or higher
  • A certificate, e.g. from LetsEncrypt

SSL Labs result for Ubuntu 20.04, Apache/2.4.18, OpenSSL 1.0.2g-1ubuntu4.10 or higher:

  • Overall rating: A+ (RSA 2048 bits, SHA256withRSA)
  • Certificate: 100%
  • Protocol Support: 100%
  • Key Exchange: 90%
  • Cipher Strength: 90%


Also of interest -->

Read how to enable HTTP/2 afterwards -->

Enable the headers module and restart Apache2:

sudo a2enmod headers
sudo apachectl configtest && sudo service apache2 restart

In ssl.conf (usually under /etc/apache2/mods-available/), change the following lines:

NOTE: TLSv1.3 is supported from Apache2 version 2.4.36 with OpenSSL 1.1.1. Since enabling only TLSv1.3 locks out clients such as Windows 7, I enable both TLS 1.2 and 1.3.


# TLSv1.3 only
SSLProtocol TLSv1.3
# To use TLSv1.2 and TLSv1.3, uncomment the line below and comment out the one above. Please read the note above.
#SSLProtocol +TLSv1.2 +TLSv1.3
SSLCompression off

# Enable OCSP stapling (httpd 2.3.3 and later only)
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)
# If you want to add DHE (Diffie-Hellman key exchange), uncomment the two lines below AND run the command from "Optional" below
#SSLOpenSSLConfCmd Curves secp384r1
#SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

In default-ssl.conf (usually under /etc/apache2/conf-available/):

You have to provide the paths to your certificate, private key and optionally the full certificate chain. You also need to enable SSLEngine and set some basic security headers.

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/
  SSLCertificateKeyFile /etc/letsencrypt/live/
  SSLCertificateChainFile /etc/letsencrypt/live/
  #Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

Restart Apache

sudo apachectl configtest && sudo service apache2 restart


Optional: if you want to enable DHE (Diffie-Hellman key exchange), run the following and go for a coffee, as generating 4096-bit parameters takes a while:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

After that, uncomment the last two lines in ssl.conf and restart Apache2.
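As an added check (not part of the gist), a small Python linter for the ssl.conf and default-ssl.conf settings above. It resolves `SSLProtocol` the way mod_ssl does, where `+` adds, `-` removes, `all` means every protocol and a bare name replaces whatever was built so far (which is why the gist writes `+TLSv1.2 +TLSv1.3`), and it goes beyond the page's two forms by handling `all -X` lists too. The sample config is constructed; the HSTS threshold is the gist's own max-age.

```python
import re

PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}
# Constructed sample: the gist's lines merged, but with an SSLProtocol list lacking +/- prefixes.
SAMPLE = """
SSLEngine on
SSLProtocol TLSv1.2 TLSv1.3
SSLCompression off
SSLUseStapling on
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
"""

def directives(text):
    """Yield (name, args) for every non-comment directive line, names lower-cased."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0].lower(), parts[1] if len(parts) > 1 else ""

def effective_protocols(args):
    """Resolve SSLProtocol as mod_ssl does: '+' adds, '-' removes, 'all' is every
    protocol, and a bare name REPLACES the set built so far (hence '+TLSv1.2 +TLSv1.3')."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        names = set(PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names if sign == "+" else names
    return enabled

def lint(text, min_hsts_age=15552000):
    """Return findings (last directive wins); an empty list means the fragment meets the gist's target."""
    last = dict(directives(text))  # later occurrences override earlier ones
    findings = []
    protos = effective_protocols(last.get("sslprotocol", "all -SSLv3"))  # Apache 2.4 default
    if protos & WEAK:
        findings.append("weak protocols enabled: " + ", ".join(sorted(protos & WEAK)))
    if protos == {"TLSv1.3"}:
        findings.append("only TLSv1.3 enabled; clients such as Windows 7 cannot connect")
    if last.get("sslcompression", "off").lower() != "off":  # off by default since 2.4.3
        findings.append("SSLCompression is on (CRIME)")
    if last.get("sslusestapling", "off").lower() != "on":
        findings.append("OCSP stapling is not enabled")
    hsts = [a for n, a in directives(text) if n == "header" and "Strict-Transport-Security" in a]
    age = re.search(r"max-age=(\d+)", hsts[-1]) if hsts else None
    if not age or int(age.group(1)) < min_hsts_age:
        findings.append(f"HSTS missing or max-age below {min_hsts_age}")
    return findings
```

Run `lint(open("/etc/apache2/mods-available/ssl.conf").read())` against your own file; the sample above reports that its unprefixed `SSLProtocol` line silently ends up as TLSv1.3 only.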

If you would like to enable certificate pinning, please read here:

P.S. If you would like to reduce the set of ciphers to the most secure minimum, use one of the following:

  • Valid for all clients, but includes a lot of weak ciphers (screenshot):

    SSLCipherSuite HIGH:!aNULL
  • Valid for all clients, still a lot of weak ciphers (screenshot):

  • Still valid for all clients (the one used in the example above) (screenshot):

  • IE11/WinPhone 8.1 and Safari before 9 will not be able to connect (screenshot):

  • IE11 on all Windows versions except Windows 10, and old Safari, will not be able to connect (screenshot):


Thanks! 👍


GAS85 commented Apr 4, 2018

You're welcome!


leolepi commented Aug 8, 2018

Nice post, it helped a lot! Thanks


mxs42 commented Sep 8, 2018

Overall Rating

Very good and helpful, thanks for that!


zetix commented Mar 7, 2020

If anyone's using NextCloudPi like I am and looking to disable TLS 1.0 and 1.1, the config file you should edit is in /etc/apache2/conf-available/http2.conf under #SSL/TLS Configuration


Mites-G commented Jun 24, 2020

Works well on CentOS.
