TLS, or transport layer security, and its predecessor SSL, secure sockets layer, are secure protocols created in order to place normal traffic in a protected, encrypted wrapper.
These protocols allow traffic to be sent safely between remote parties without the possibility of the traffic being intercepted and read by someone in the middle. They are also instrumental in validating the identity of domains and servers throughout the internet by establishing a server as trusted and genuine by a certificate authority.
In this guide, we’ll cover how to create a self-signed SSL certificate for Apache on an Ubuntu 14.04 server, which will allow you to encrypt traffic to your server. While this does not provide the benefit of third party validation of your server’s identity, it fulfills the requirements of those simply wanting to transfer information securely.
Note: You may want to consider using Let’s Encrypt instead of a self-signed certificate. Let’s Encrypt is a new certificate authority that issues free SSL/TLS certificates that are trusted in most web browsers. Check out the tutorial to get started: How To Secure Apache with Let’s Encrypt on Ubuntu 14.04
Before you begin, you should have some configuration already taken care of.
We will be operating as a non-root user with sudo privileges in this guide. You can set one up by following steps 1-4 in our Ubuntu 14.04 initial server setup guide.
You are also going to need to have Apache installed. If you don’t already have that up and running, you can quickly fix that by typing:
sudo apt-get update
sudo apt-get install apache2
SSL support actually comes standard in the Ubuntu 14.04 Apache package. We simply need to enable it to take advantage of SSL on our system.
Enable the module by typing:
sudo a2enmod ssl
After you have enabled SSL, you’ll have to restart the web server for the change to be recognized:
sudo service apache2 restart
With that, our web server is now able to handle SSL if we configure it to do so.
Let’s start off by creating a subdirectory within Apache’s configuration hierarchy to place the certificate files that we will be making:
sudo mkdir /etc/apache2/ssl
Now that we have a location to place our key and certificate, we can create them both in one step by typing:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Let’s go over exactly what this means.
rsa:2048
tells OpenSSL to generate an RSA key that is 2048 bits long.When you hit “ENTER”, you will be asked a number of questions.
The most important item that is requested is the line that reads “Common Name (e.g. server FQDN or YOUR name)”. You should enter the domain name you want to associate with the certificate, or the server’s public IP address if you do not have a domain name.
The questions portion looks something like this:
<pre> Country Name (2 letter code) [AU]:<span class=“highlight”>US</span> State or Province Name (full name) [Some-State]:<span class=“highlight”>New York</span> Locality Name (eg, city) []:<span class=“highlight”>New York City</span> Organization Name (eg, company) [Internet Widgits Pty Ltd]:<span class=“highlight”>Your Company</span> Organizational Unit Name (eg, section) []:<span class=“highlight”>Department of Kittens</span> Common Name (e.g. server FQDN or YOUR name) []:<span class=“highlight”>your_domain.com</span> Email Address []:<span class=“highlight”>your_email@domain.com</span> </pre>
The key and certificate will be created and placed in your /etc/apache2/ssl
directory.
Now that we have our certificate and key available, we can configure Apache to use these files in a virtual host file. You can learn more about how to set up Apache virtual hosts here.
Instead of basing our configuration file off of the 000-default.conf
file in the sites-available
subdirectory, we’re going to base this configuration on the default-ssl.conf
file that contains some default SSL configuration.
Open the file with root privileges now:
sudo nano /etc/apache2/sites-available/default-ssl.conf
With the comments removed, the file looks something like this:
<pre>
<IfModule mod_ssl.c>
<VirtualHost default:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch “.(cgi|shtml|phtml|php)$”>
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch “MSIE [2-6]”
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
BrowserMatch “MSIE [17-9]” ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>
This may look a bit complicated, but luckily, we don’t need to worry about most of the options here.
We want to set the normal things we’d configure for a virtual host (ServerAdmin, ServerName, ServerAlias, DocumentRoot, etc.) as well as change the location where Apache looks for the SSL certificate and key.
In the end, it will look something like this. The entries in red were modified from the original file:
<pre>
<IfModule mod_ssl.c>
<VirtualHost default:443>
ServerAdmin <span class=“highlight”>admin@example.com</span>
<span class=“highlight”>ServerName your_domain.com</span>
<span class=“highlight”>ServerAlias www.your_domain.com</span>
DocumentRoot <span class=“highlight”>/var/www/html</span>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile <span class=“highlight”>/etc/apache2/ssl/apache.crt</span>
SSLCertificateKeyFile <span class=“highlight”>/etc/apache2/ssl/apache.key</span>
<FilesMatch “.(cgi|shtml|phtml|php)$”>
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch “MSIE [2-6]”
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
BrowserMatch “MSIE [17-9]” ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>
Save and exit the file when you are finished.
Now that we have configured our SSL-enabled virtual host, we need to enable it.
We can do this by typing:
sudo a2ensite default-ssl.conf
We then need to restart Apache to load our new virtual host file:
sudo service apache2 restart
This should enable your new virtual host, which will serve encrypted content using the SSL certificate you created.
Now that you have everything prepared, you can test your configuration by visiting your server’s domain name or public IP address after specifying the https://
protocol, like this:
<pre> https://<span class=“highlight”>server_domain_name_or_IP</span> </pre>
You will get a warning that your browser cannot verify the identity of your server because it has not been signed by one of the certificate authorities that it trusts.
This is expected since we have self-signed our certificate. While our certificate will not validate our server for our users because it has had no interaction with a trusted certificate authority, it will still be able to encrypt communication.
Since this is expected, you can hit the “Proceed anyway” button or whatever similar option you have in your browser.
You will now be taken to content in the DocumentRoot
that you configured for your SSL virtual host. This time your traffic is encrypted. You can check this by clicking on the lock icon in the menu bar:
You can see in the middle green section that the connection is encrypted.
You should now have SSL enabled on your website. This will help to secure communication between visitors and your site, but it will warn each user that the browser cannot verify the validity of the certificate.
If you are planning on launching a public site and need SSL, you will be better off purchasing an SSL certificate from a trusted certificate authority.
If you want to learn more about how to configure Apache, click here. Check out this link for more ideas on how to secure your Linux server.
<div class=“author”>By Justin Ellingwood</div>
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
You might also need to make sure that your firewall (i.e. UFW) allows port 443.
If your server is hosted on Azure, don’t forget to enable the HTTPS endpoint for the virtual machine.
Depending on how your box was set up in the first place it might be worth noting that /etc/apache2/ports.conf needs to have an entry such as
otherwise nothing is listening for HTTPS requests even with the correct default-ssl.conf
@hnwebdesign5: It will be more or less the same using a cert that you purchased from a CA. The only difference is that you should replace:
<pre> SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key </pre>
with the cert provided by you CA:
<pre> SSLCertificateFile /path/to/your/ssl.crt
SSLCertificateKeyFile /path/to/your/private.key
SSLCertificateChainFile /path/to/your/bundle.pem </pre>
@derek: GeoTrust also has their own documentation:
http://www.geotrust.com/support/video/install-ssl-certificates-apache.html
How to host a local apache webserver on ubuntu 14.04
Great tutorials!!! Very helpful. I’ve got a question though… i followed the password authentication from one of your other tutorials, and this still works, but when i use https on port 443, it doesn’t ask for password authentication. I can still use port 80, but the password won’t be encrypted using this method (using safari, i get this message). Any help appreciated, i’d like to use SSL with password authentication.
Thanks a lot!!!
asdfasdfasdfasdfasdfasdfasdfasdfasdfasdf
Really spot on tutorial. It’s been about a year and now that the certificate has expired, do I need to follow the same process to generate a new certificate? Or is there a way to renew ?
i followed these steps and i’m getting stuck can’t figure out a way out. since i don’t have an actual domain i’m just trying to figure out how to set this up for the given external IP address given to me by DigitalOcean for these droplet.
i get the following error upon start up of apache AH01906: RSA server certificate is a CA certificate
any ideas?