Installing an SSL certificate in Apache

Security of communication and data is increasingly important. After all, you don't want malicious parties to be able to view the communication between visitors and your website(s). That is why it is extremely important to encrypt sensitive information such as customer data and payment data via 'https' traffic. In order to achieve this, you will need to install an SSL certificate on your VPS.

Perform the steps in this article as a root user or user with sudo rights unless otherwise specified.

Requirements:

  • A (Sectigo) SSL certificate (when not using Let's Encrypt).
  • It is very important that you saved the (correct) passphrase for the (Sectigo) SSL certificate because, without it, you cannot decrypt the 'private key'. If you do not have the passphrase, you will first have to request a reissue of your certificate.
  • A working installation of Apache (and an FTP server such as vsFTPd or ProFTPd).
  • To use SNI, which allows you to install multiple SSL certificates on 1 IP address, you need at least Apache v2.2.12 and OpenSSL v0.9.8j.
  • This manual assumes that you have already uploaded a working website that can also be accessed via normal http.
  • This website must have a correct VHOST in which the 'ServerName' also refers to your domain (required for Let's Encrypt).
  • If you use a CAA record in your DNS settings, make sure that you have included "Comodo" (for Sectigo certificates) or "Lets Encrypt" in such a record.  

Installing a (Sectigo) SSL certificate in Apache

 

First, it is important that you upload the files from the SSL certificate download to the VPS. For this manual we've used FTP, but of course you can also place the SSL certificates on the server via SCP or another method.

 

Step 1

Create a folder for the SSL certificates in the /home directory in your OS. An alternative location could be /etc/apache2/ssl/. By default, there is a folder for storing SSL certificates (Debian / Ubuntu: /etc/ssl/certs | CentOS: /etc/pki/tls/certs), but it is owned by root, so an ordinary FTP user cannot simply upload certificates to it.


 

Step 2

Upload the three relevant files to the folder for the SSL certificates. These are certificate.key, certificate.crt and cabundle.crt.


 

Step 3

Now adjust the 'virtual host' for your domain so that it is reachable via port 443 (https) and so that you can indicate where the SSL certificate can be found on the server. By default, you will find the VHOST in /etc/httpd/sites-available/yourdomain.com or /etc/apache2/sites-available/yourdomain.com (replace 'yourdomain.com' with your own domain). You can check the contents of these folders with the commands:

ls /etc/httpd/sites-available/
ls /etc/apache2/sites-available/

If your domain is not yet listed here, then execute the following command:

a2ensite yourdomain.com

 

Step 4

Open the .conf file for your domain with your favourite text editor such as vim or nano:

nano /etc/httpd/sites-available/yourdomain.com.conf

 

Step 5

You now see the (http) configuration of the virtual host for your domain. This is displayed between the

<VirtualHost *:80>

and

</VirtualHost>

tags. Several configuration parameters are included here, but they mainly consist of comments or explanations about the options. Add a new VHOST for https under the closing </VirtualHost> tag, as shown below:

<VirtualHost *:443>
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /home/transip/ssl-certs/yourdomain.com/certificate.crt
SSLCertificateKeyFile /home/transip/ssl-certs/yourdomain.com/certificate.key
SSLCertificateChainFile /home/transip/ssl-certs/yourdomain.com/cabundle.crt
</VirtualHost>
  • <VirtualHost *:443>: This indicates that the virtual host applies to all incoming connections (through the wildcard *) on port 443. If you want to make the domain accessible through a specific IP address only, replace the * with that IP address: <VirtualHost IP_ADDRESS:443>.
  • DocumentRoot: This is the location on the server where the files of your website are located. In the example, this is /var/www/html, but this can differ from your situation.
  • SSLEngine on: Enables SSL for your domain.
  • SSLCertificateFile: This is the location on the server where the SSL certificate can be found. You have chosen the location in step 2, so enter that location after this option.
  • SSLCertificateKeyFile: This is the location on the server where the private key of the SSL certificate can be found. You have chosen the location in step 2, so enter that location after this option.
  • SSLCertificateChainFile: This is the location on the server where the 'Certificate Authority' bundle can be found. You have chosen the location in step 2, so enter that location after this option.

 

Step 6

 

Save the changes and exit (using CTRL + X > Y > Enter in Nano). 


 

Step 7

Test whether everything is configured correctly by executing the following command:

apachectl configtest

If you then get an error message with the content "Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration", then 'mod_ssl' is not yet enabled for Apache. Execute the following command:

a2enmod ssl
systemctl restart apache2

If you get the message "Syntax OK", everything is set correctly, and you only need to restart Apache.

systemctl restart apache2

The SSL certificate is now successfully installed! If you go to https://yourdomain.com, you will see that your website is fully secured via https!  

If you want to ensure that all visitors are sent to 'https://yourdomain.com' by default, you can change the virtual host for http (i.e. the <VirtualHost *:80> part) to:

<VirtualHost *:80>
ServerName yourdomain.com
Redirect permanent / https://yourdomain.com/
</VirtualHost>
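
A pre-flight check for the three files from step 2, as an added example that is not part of the original article: it confirms that certificate.key belongs to certificate.crt, that the certificate verifies against cabundle.crt, and that the key is not accessible to group or others. The function names, the KEY_PASS variable and the throwaway self-signed sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check for the
# three files from step 2, run before `apachectl configtest`.
# Assumption: an encrypted key's passphrase is supplied in $KEY_PASS.

check_tls_files() {  # $1 = directory holding the three uploaded files
    dir=$1; rc=0
    cert_pub=$(openssl x509 -in "$dir/certificate.crt" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(KEY_PASS="${KEY_PASS-}" openssl pkey -in "$dir/certificate.key" \
        -pubout -passin env:KEY_PASS 2>/dev/null) || key_pub=
    # 1. The private key must carry the same public key as the certificate.
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate.key does not match certificate.crt"; rc=1
    fi
    # 2. The certificate must be issued by a CA in the bundle and be in date.
    if ! openssl verify -partial_chain -CAfile "$dir/cabundle.crt" \
            "$dir/certificate.crt" >/dev/null 2>&1; then
        echo "FAIL: certificate.crt does not verify against cabundle.crt"; rc=1
    fi
    # 3. The key lives in an FTP-writable folder: allow no group/other access.
    perms=$(ls -l "$dir/certificate.key" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: certificate.key has group/other permission bits ($perms)"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a throwaway self-signed certificate stands in for both
# certificate.crt and cabundle.crt (a real bundle holds the CA's certificates).
make_sample() {  # $1 = existing empty directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=yourdomain.com" \
        -keyout "$1/certificate.key" -out "$1/certificate.crt" 2>/dev/null &&
    cp "$1/certificate.crt" "$1/cabundle.crt" && chmod 600 "$1/certificate.key"
}

tmp=$(mktemp -d) && mkdir "$tmp/site" "$tmp/other"
make_sample "$tmp/site" && make_sample "$tmp/other"
check_tls_files "$tmp/site" && echo "site: all checks passed"
# A key taken from another domain's folder, as a mistyped vhost path would load:
cp "$tmp/other/certificate.key" "$tmp/site/certificate.key"
check_tls_files "$tmp/site" || echo "site with foreign key: rejected"
rm -rf "$tmp"
```

On the server, call check_tls_files with the folder from step 1; a non-zero return means Apache would either refuse to start or serve a certificate whose key or chain does not belong to it.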

Installing a Let's Encrypt SSL Certificate in Apache (Ubuntu)

 

Step 1 

Log in to the command line as the root user using the VPS console or an SSH connection.


 

Step 2

Before you can install Let's Encrypt, it is important that you add the required repository and that your installation of Ubuntu is up to date. For this, you use the following commands:

add-apt-repository ppa:certbot/certbot
apt -y update

 

Step 3

Now install 'Let's Encrypt' on Ubuntu by executing the following command:

apt -y install python-certbot-apache

 

Step 4

You will now be asked if you want to install this package (including a lot of Python dependencies). Press Y followed by Enter.


 

Step 5

Now you create an SSL certificate using the following command (replace yourdomain.com with your own domain name):

letsencrypt --apache -d yourdomain.com -d www.yourdomain.com

It is important that there is an existing VHOST for this domain (a shared VHOST is not allowed) which has already set a correct ServerName, equal to the domain for which you want to create the certificate.

The part...

-d www.yourdomain.com 

...in this example adds Let's Encrypt to the www subdomain.

If you get a message with 'We were unable to find a vhost with a ServerName or Address of yourdomain.com', you can cancel the application by pressing the c key. Then, make sure you enter the ServerName properly in the VHOST and start again at step 5.


 

Step 6

If a correct VHOST is already active, you will see notifications about the 'acme' process (Let's Encrypt places a hidden file on your web space to verify that you have control over the website) and then a prompt asking whether you want to use 'Easy' or 'Secure' https.

  • Easy: you can still access your website via http:// as well as via https://.
  • Secure: this will add a permanent redirect from http:// to https://, so all visitors will be directed to https://yourdomain.com.

Once you have made a choice and pressed Enter, you will receive a notification that the SSL certificate has been successfully installed! When you go to https://yourdomain.com, you will see that your website is fully secured via https!


 

Tip 

By default, a Let's Encrypt SSL certificate is valid for 3 months and you will have to renew it every 3 months, but you can set this automatically via a cronjob. Open the 'crontab' of your user using the command:

sudo crontab -e

Then add the following in the crontab:

0 0 1 * * /usr/bin/letsencrypt renew >> /var/log/letsencrypt-renew.log

Save these changes and from that moment on, the Let's Encrypt certificates will be renewed every month (a certificate can only be renewed if it expires within 30 days, but the cronjob will ensure that this happens on time) and the output of the command is written to the log file /var/log/letsencrypt-renew.log.


Installing a Let's Encrypt SSL Certificate in Apache (CentOS) 

 

Step 1 

Log in to the command line as the root user using the VPS console or an SSH connection.


 

Step 2

Install the EPEL (Extra Packages for Enterprise Linux) package to add additional packages that you need to install Let's Encrypt:

yum -y install epel-release

 

Step 3

Install 'Let's Encrypt' and mod_ssl (if the latter is not yet active):

yum -y install httpd mod_ssl python-certbot-apache

 

Step 4

Now you create an SSL certificate using the following command (replace yourdomain.com with your own domain name):

letsencrypt --apache -d yourdomain.com -d www.yourdomain.com

It is important that there is an existing VHOST for this domain (a shared VHOST is not allowed) which has already set a correct ServerName, equal to the domain for which you want to create the certificate.

The part...

-d www.yourdomain.com 

...in this example adds Let's Encrypt to the www subdomain.


 

Step 5

If a correct VHOST is active (as indicated in step 4), you will see notifications about the 'acme' process (Let's Encrypt places a hidden file on your web space to verify that you have control over the website) and then a prompt asking whether you want to use 'Easy' or 'Secure' https.

  • Easy: you can still access your website via http:// as well as via https://.
  • Secure: this will add a permanent redirect from http:// to https://, so all visitors will be directed to https://yourdomain.com.  

Once you have made a choice and pressed Enter, you will receive a notification that the SSL certificate has been successfully installed! When you go to https://yourdomain.com, you will see that your website is fully secured via https!


 

Tip 

By default, a Let's Encrypt SSL certificate is valid for 3 months and you will have to renew it every 3 months, but you can set this automatically via a cronjob. Open the 'crontab' of your user:

sudo crontab -e

Then add the following in the crontab: 

0 0 1 * * /usr/bin/letsencrypt renew >> /var/log/letsencrypt-renew.log

Save these changes and from that moment on, the Let's Encrypt certificates will be renewed every month (a certificate can only be renewed if it expires within 30 days, but the cronjob will ensure that this happens on time) and the output of the command is written to the log file /var/log/letsencrypt-renew.log.


 
