How to secure Apache2 webserver with SSL

viktor

Nowadays every major website operates over HTTPS, aka have that little padlock next to the URL in our browsers. It means that we can establish a secure connection with the webserver, and all of the traffic is encrypted. In this port I’m going to describe step-by-step how we can create our own certificate with the openssl utility and configure Apache2 to use HTTPS instead of the default HTTP protocol. It’s worth noting that SSL is an outdated protocol, now we use TLS, still we often say SSL to refer to TLS, which can by confusing.

Step 1: Create a private key

We’re using asymmetric encryption, so besides the certificate we also need a private key. With this command below we create our private key:

viktor@RPI3:/etc/apache2 $ sudo openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ./mytestsite.com.key

As a common security practice, we apply mode 600 to the file which contains our private key, so that only the root user can read this file.

viktor@RPI3:/etc/apache2 $ sudo chmod 600 mytestsite.com.key

Step 2: Create a Certificate Signing Request (CSR)

viktor@RPI3:/etc/apache2 $ sudo openssl req -new -key ./mytestsite.com.key -out mytestsite.com.csr

We need to create a CSR and send it to a Certificate Authority (CA) to sign, or validate our CSR.
Since this is an example we’re going to sign it ourselves, so this will become a self-signed certificate eventually.

Step 3.1: Create a self-signed certificate

We’re generating an x509 (self-signed) certificate from our private key and the CSR created before.

viktor@RPI3:/etc/apache2 $ sudo openssl x509 -req -days 365 -in ./mytestsite.com.csr -signkey ./mytestsite.com.key -out ./mytestsite.com.crt Signature ok subject=C = HU, ST = State-Name, L = City-Name, O = Company-Name, OU = Organization-Name, CN = mytestsite.com, emailAddress = test@mytestsite.com Getting Private key viktor@RPI3:/etc/apache2 $ ls -l | grep mytestsite -rw-r--r-- 1 root root 1391 Jan 28 14:42 mytestsite.com.crt -rw-r--r-- 1 root root 1171 Jan 28 14:35 mytestsite.com.csr -rw------- 1 root root 1704 Jan 28 14:17 mytestsite.com.key

We don’t need the CSR anymore, we have a (self-)signed certificate and a private key, we can now configure Apache to operate over HTTPS.

Step 3.2: Create a self-signed certificate with one command

We could’ve skip the first and the second steps if we decided to create a self-signed certificate anyway, but normally this is the process we’ve to go through if we want to have signed our CSR by a provider. But by skipping the CSR we could’ve issued this command:

viktor@RPI3:/etc/apache2 $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./alt_privatekey.key -out ./alt_certificate.crt

By issuing this command we create a new private key as well as a self-signed certificate, we don’t need to generate a CSR, but the result is the same. In the following sections we’re going to use the private key and the certificate created in the first and 3.1 section.

Step 4: Configure the apache2 webserver

We edit the following default apache2 configuration file and modify the following options:

viktor@RPI3:/etc/apache2 $ sudo nano /etc/apache2/sites-available/default-ssl.conf

SSLEngine on SSLCertificateFile /etc/apache2/mytestsite.com.crt SSLCertificateKeyFile /etc/apache2/mytestsite.com.key

By default SSL in not enabled with Apache, as it can be seen in output of the following command, Apache listens only on the regular HTTP port 80:

viktor@RPI3:/etc/apache2 $ sudo ss -tupln | grep apache tcp LISTEN 0 511 *:80 *:* users:(("apache2",pid=648,fd=4),("apache2",pid=646,fd=4),("apache2",pid=645,fd=4))

We need to enable the SSL module as well as the default-ssl virtual webserver which is listening on TCP port 443.

viktor@RPI3:/etc/apache2 $ sudo a2enmod ssl viktor@RPI3:/etc/apache2 $ sudo a2ensite default-ssl.conf viktor@RPI3:/etc/apache2 $ sudo apachectl configtest AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message Syntax OK viktor@RPI3:/etc/apache2 $ sudo systemctl restart apache2

Now as expected we’re listening on both port 80 and 443:

viktor@RPI3:/etc/apache2 $ sudo ss -tupln | grep apache tcp LISTEN 0 511 *:80 *:* users:(("apache2",pid=4097,fd=4),("apache2",pid=4096,fd=4),("apache2",pid=4095,fd=4)) tcp LISTEN 0 511 *:443 *:* users:(("apache2",pid=4097,fd=6),("apache2",pid=4096,fd=6),("apache2",pid=4095,fd=6))

Now we can open our browser and visit the website over HTTPS. It displays a warning message first stating that the website doesn’t have a valid certificate, and the browser couldn’t verify its authenticity. Since it’s a self-signed certificate and we trust our webserver we can proceed.

Normally this warning message won’t be displayed of course, if a verified CA signs your certificate.

You should also read:

Create your own VPN with Wireguard

Configuring multi-area OSPF with EIGRP

How to set up the firewall of your server with iptables and configure your SSH access to make more secure