Install OpenSSL:
~$ sudo apt-get install openssl
Restart the Apache web server:
~$ sudo /etc/init.d/apache2 restart
Or:
~$ sudo systemctl restart apache2
1- Create the public certificate and the private key. Name the files after the website's domain, so they can be told apart from other certificates:
~$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/<domain-of-website>.key -out /etc/ssl/certs/<domain-of-website>.crt
2- Fill in the data fields asked for by the previous command. The most important field is "Common Name (e.g. server FQDN or YOUR name)"; it identifies our website:
Output
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Tennessee
Locality Name (eg, city) []:Nashville
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<business name>
Organizational Unit Name (eg, section) []:Plaza Mariachi
* Common Name (e.g. server FQDN or YOUR name) []:<server_IP_address or domain of website>
Email Address []:info@plazamariachi.com
3- Generate the Diffie-Hellman group used to negotiate Perfect Forward Secrecy with the web clients. This file is created only once; it can be reused for all certificates we create in the future:
~$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
4- Create (or modify) the Apache2 configuration file with the parameters that enable SSL (copy the content below). This file is created only once; it can be reused for all certificates we create in the future:
~$ sudo nano /etc/apache2/conf-available/ssl-params.conf
Content of /etc/apache2/conf-available/ssl-params.conf:
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
# Original setting
#Header always set X-Frame-Options DENY
# SAMEORIGIN instead of DENY, because Cornerstone (the X Theme page builder) does not work with DENY
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
5- Create a copy of default configuration for a website with SSL, for our new website:
~$ sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/ssl.<domain-of-website>.conf
6- Update the content of the file "/etc/apache2/sites-available/ssl.<domain-of-website>.conf" copied in the previous step. The new content must be like this:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin your_email@<domain-of-website>
        ServerName <domain-of-website>
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/<domain-of-website>.crt
        SSLCertificateKeyFile /etc/ssl/private/<domain-of-website>.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </VirtualHost>
</IfModule>
7- Update the configuration of the virtual host of our website so that HTTP requests are redirected to HTTPS:
~$ sudo nano /etc/apache2/sites-available/<domain-of-website>.conf
The content must have these lines:
<VirtualHost *:80>
    . . .
    Redirect "/" "https://<domain-of-website>/"
    . . .
</VirtualHost>
8- Enable the Apache2 modules, the sites and the configuration file so the changes take effect:
~$ sudo a2enmod ssl
~$ sudo a2enmod headers
~$ sudo a2ensite <domain-of-website>.conf
~$ sudo a2ensite ssl.<domain-of-website>.conf
~$ sudo a2enconf ssl-params.conf
9- Test the configuration:
~$ sudo apache2ctl configtest
The output must be something like this (Syntax OK):
Output
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
10- Restart the Apache web server:
~$ sudo /etc/init.d/apache2 restart
Or:
~$ sudo systemctl restart apache2
11- Test the SSL configuration in the browser.
12- Update the configuration of the virtual host of our website to make the HTTPS redirection permanent:
~$ sudo nano /etc/apache2/sites-available/<domain-of-website>.conf
The content must have these lines:
<VirtualHost *:80>
    . . .
    Redirect permanent "/" "https://<domain-of-website>/"
    . . .
</VirtualHost>
13- Repeat steps from 9 to 11.
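The configtest in step 9 only checks syntax; the script below reviews the ssl-params.conf from step 4 for the settings that matter for security (protocol versions, cipher order, compression, HSTS, and how X-Frame-Options is set). It is an added example, not part of the tutorial: the sample config is a constructed copy of the directives above, and the finding codes and the one-year HSTS baseline are my own choices.

```python
import re
# Constructed sample: the ssl-params.conf directives shown in step 4 of the tutorial.
SSL_PARAMS = """\
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLSessionTickets Off
"""

# The same file with the two findings reported below corrected.
HARDENED = (SSL_PARAMS.replace("SSLProtocol All -SSLv2 -SSLv3", "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1")
            .replace("Header always append X-Frame-Options", "Header always set X-Frame-Options"))

def parse_directives(text):
    """Yield (directive, arguments) pairs: comments and blank lines are
    dropped and backslash-continued lines are joined, as Apache does."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, rest = line.partition(" ")
            yield name, rest.strip()

def lint(text):
    """Return finding codes for the security-relevant settings (empty list = all checks pass)."""
    directives = list(parse_directives(text))
    single = {n: a for n, a in directives if n != "Header"}  # last occurrence wins, as in Apache
    headers = [a for n, a in directives if n == "Header"]
    findings = []
    proto = set(single.get("SSLProtocol", "").split())
    if "All" in proto and not {"-TLSv1", "-TLSv1.1"} <= proto:
        findings.append("legacy-tls-enabled")  # "All -SSLv3" still offers TLS 1.0 and 1.1
    if single.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("cipher-order-not-enforced")
    if single.get("SSLCompression", "").lower() != "off":
        findings.append("tls-compression-enabled")
    hsts = [h for h in headers if "Strict-Transport-Security" in h]
    age = re.search(r"max-age=(\d+)", hsts[-1]) if hsts else None
    if not age or int(age.group(1)) < 31536000:  # one-year baseline
        findings.append("hsts-missing-or-short")
    for h in headers:
        # 'append' merges with a value set elsewhere into a comma-joined header that browsers handle inconsistently
        if "X-Frame-Options" in h and "append" in h.split()[:2]:
            findings.append("xfo-uses-append")
    return findings
```

Running lint(SSL_PARAMS) on the tutorial's file reports ['legacy-tls-enabled', 'xfo-uses-append'], while lint(HARDENED) returns an empty list.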