I thought this would be an easy task, but after searching for various ways on the internet, it is not as simple as I imagined. There are many ways to enable HTTPS on your web server depending on the server software, the operating system, and where the server is running.
In my case, I will describe how to enable HTTPS for a web server running Apache on Ubuntu Linux. I use Oracle Cloud Compute, so there is one extra step: by default port 443 is not opened in iptables. This tutorial is for Apache on Ubuntu and is not limited to Oracle Cloud; if your server is not on Oracle Cloud, you can skip that step and continue. 🙂
There are three steps that need to be done here.
- Open port 443 (usually it’s closed)
- Set up Apache for HTTPS
- Create a certificate signed by a Certificate Authority (CA)
You may ask why we don’t just use a self-signed certificate generated with OpenSSL, since it takes only one command.
The answer: I did try a self-signed certificate, but when Google Chrome opened my site, it was still flagged as a dangerous site. Why? Because that certificate is not signed by a trusted Certificate Authority. Therefore we need a certificate signed by a CA acting as a trusted third party.
Enabling HTTPS on Oracle Cloud Compute
It turns out that no special step is needed to turn on HTTPS for a server running on Oracle Cloud Compute itself. But make sure you have first set up the Apache HTTP Web Server using the guidelines here.
Those guidelines cover HTTP only. For HTTPS you need one more step when setting up the iptables firewall: open port 443 as follows.
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 443 -j ACCEPT
sudo netfilter-persistent save
Enabling HTTPS on Apache2
Enable the Apache SSL and rewrite modules.
sudo a2enmod ssl
sudo a2enmod rewrite
Edit the Apache configuration file.
sudo vi /etc/apache2/apache2.conf
Add the following lines at the end of this file.
<Directory /var/www/html>
AllowOverride All
</Directory>
Now let’s create a directory for the certificate.
sudo mkdir /etc/apache2/certificate
Edit the Apache configuration file for the default website.
sudo vi /etc/apache2/sites-enabled/000-default.conf
We will also redirect all HTTP requests to HTTPS with a permanent (301) redirect.
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/certificate/fullchain.pem
SSLCertificateKeyFile /etc/apache2/certificate/privkey.pem
</VirtualHost>
That completes the Apache setup. Now let’s create the certificate.
Generate SSL Certificate
We will use Certbot from Let’s Encrypt to generate our signed certificate.
Install certbot via snapd.
sudo apt install snapd
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Create the certificate; in this example our site domain is yourdomain.com. This creates a wildcard certificate valid for all subdomains of yourdomain.com. Note that a wildcard name covers exactly one level of subdomain and does not cover the bare yourdomain.com itself; if the site is also served at yourdomain.com, add a second -d yourdomain.com to the command. The wildcard is quoted so the shell does not try to expand it.
sudo certbot certonly --manual --preferred-challenges=dns --email admin@yourdomain.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d '*.yourdomain.com'
After that, you will be asked some questions, and then you will be given a DNS TXT record challenge.
Create a DNS TXT record named _acme-challenge.yourdomain.com at your DNS hosting provider, with the value they provide.
Then press Enter to verify the domain. Once you receive the success message, the key and certificate will have been created at this location.
/etc/letsencrypt/live/your_domain/fullchain.pem
/etc/letsencrypt/live/your_domain/privkey.pem
We need to copy the certificate and key into the Apache certificate directory. The files under /etc/letsencrypt/live/ are symlinks into /etc/letsencrypt/archive/, so copy them with -L to dereference the links; moving the symlinks themselves with mv would leave dangling links that Apache cannot open.
sudo cp -L /etc/letsencrypt/live/your_domain/*.pem /etc/apache2/certificate/
Done! Now restart Apache.
sudo service apache2 restart
Visit your site using HTTPS, it should be working right now! 🙂
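A set of checks worth running before (and once more after) the Apache restart above, as an added example rather than anything from the original post: it confirms that the certificate and key in /etc/apache2/certificate belong together (a mismatch stops Apache from starting), lists the certificate's subjectAltName entries and applies the browser matching rule to the host you intend to serve (which makes the wildcard-versus-apex point concrete), reports days until expiry, runs Apache's own configtest, and finally checks that port 80 answers with a 301 to https://. The script name check_tls.sh, the argument order and the OK/FAIL/WARN output format are assumptions of this example; it relies on openssl, curl and GNU date, all standard on Ubuntu.

```shell
#!/bin/sh
# check_tls.sh: pre-flight checks for the Apache HTTPS setup described above.
# Added example, not part of the original tutorial. Assumes openssl, curl and
# GNU date (all present on Ubuntu). Usage:
#   sh check_tls.sh /etc/apache2/certificate/fullchain.pem \
#                   /etc/apache2/certificate/privkey.pem www.yourdomain.com
# Nothing runs when the file is invoked without arguments, so the functions
# can also be sourced and reused.

# san_matches PATTERN HOST: succeed if the SAN entry PATTERN covers HOST under
# the rules browsers apply: case-insensitive exact match, or a leading "*." that
# stands for exactly one DNS label. So "*.yourdomain.com" covers
# "www.yourdomain.com" but neither "yourdomain.com" nor "a.b.yourdomain.com".
san_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \*.*)
            suffix=${pattern#\*.}                      # text after the "*."
            case "$host" in
                *.*) [ "${host#*.}" = "$suffix" ] ;;   # drop one label, compare the rest
                *)   return 1 ;;                       # single-label host never matches
            esac
            ;;
        *)
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# cert_sans CERT: print the DNS names in the certificate, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_covers CERT HOST: succeed if any SAN in CERT covers HOST.
cert_covers() {
    set -f                                   # no globbing, so "*.example" stays literal
    for san in $(cert_sans "$1"); do
        if san_matches "$san" "$2"; then set +f; return 0; fi
    done
    set +f
    return 1
}

# cert_matches_key CERT KEY: the public key inside the certificate must equal the
# one derived from the private key; otherwise Apache fails to start with SSLEngine on.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# days_until_expiry CERT: whole days until notAfter (prints 0 if unreadable).
days_until_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
    end_s=$(date -d "$end" +%s 2>/dev/null) || { echo 0; return 1; }
    echo $(( (end_s - $(date +%s)) / 86400 ))
}

# redirect_ok HOST: after the restart, the plain-HTTP vhost must answer 301 with an https:// Location.
redirect_ok() {
    out=$(curl -sS -o /dev/null -m 10 -w '%{http_code} %{redirect_url}' "http://$1/" 2>/dev/null) || return 1
    case "$out" in
        301\ https://*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    cert=$1; key=$2; host=$3; rc=0
    if cert_matches_key "$cert" "$key"; then
        echo "OK   certificate and private key match"
    else
        echo "FAIL certificate and private key do not match (Apache will not start)"; rc=1
    fi
    if cert_covers "$cert" "$host"; then
        echo "OK   certificate covers $host"
    else
        echo "FAIL no subjectAltName covers $host; names present:"
        cert_sans "$cert" | sed 's/^/       /'; rc=1
    fi
    days=$(days_until_expiry "$cert")
    if [ "$days" -gt 30 ]; then
        echo "OK   $days days until expiry"
    else
        echo "WARN $days days until expiry (Let's Encrypt certificates last 90 days)"; rc=1
    fi
    command -v apachectl >/dev/null 2>&1 && { apachectl configtest || rc=1; }
    if redirect_ok "$host"; then
        echo "OK   http://$host/ redirects to HTTPS"
    else
        echo "WARN http://$host/ does not answer 301 to https:// (expected only after the restart)"
    fi
    return $rc
}

if [ $# -eq 3 ]; then
    main "$@"
fi
```

Run it as root (or with sudo) so the private key is readable; a non-zero exit status means at least one FAIL or WARN line was printed. The SAN matching deliberately follows the one-label rule, so a certificate issued for only *.yourdomain.com reports FAIL for yourdomain.com, which is exactly the case the certbot note above warns about.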