One place for hosting & domains

      Certificate

      How To Acquire a Let’s Encrypt Certificate Using DNS Validation with certbot-dns-digitalocean on Ubuntu 20.04


      The author selected the COVID-19 Relief Fund to receive a donation as part of the Write for DOnations program.

      Introduction

      The majority of Let’s Encrypt certificates are issued using HTTP validation, which allows for the installation of certificates on a single server. However, HTTP validation is not always suitable for issuing certificates for use on load-balanced websites, nor can you use this validation to issue wildcard certificates.

      DNS validation allows for certificate issuance requests to be verified using DNS records, rather than by serving content over HTTP. This means that certificates can be issued simultaneously for a cluster of web servers running behind a load balancer, or for a system that isn’t directly accessible over the internet.

      In this tutorial, you will use the certbot-dns-digitalocean hook for Certbot to issue a Let’s Encrypt certificate using DNS validation via the DigitalOcean API.

      You can use the certbot-dns-digitalocean tool to integrate Certbot with DigitalOcean’s DNS management API, allowing the certificate validation records to be automatically configured on-the-fly when you request a certificate.

      Another key benefit of certbot-dns-digitalocean is that you can use it to issue certificates for individual servers that may be running behind a load balancer, or are otherwise not directly accessible over HTTP. In these cases, you can’t use traditional HTTP certificate validation, unless you set the validation files on each and every server, which can be inconvenient. The certbot-dns-digitalocean tool is also useful if you want to issue a certificate for a server that isn’t accessible over the internet, for example an internal system or staging environment.

      certbot-dns-digitalocean also fully supports wildcard certificates, which can only be issued using DNS validation.

      Prerequisites

      To complete this tutorial, you will need:

      • An Ubuntu 20.04 server set up by following the Initial Server Setup with Ubuntu 20.04, including a sudo non-root user.

      • A domain name managed via your DigitalOcean account—that is, for managing DNS records. In this particular example, we will use your_domain and subdomain.your_domain, as well as *.your_domain for a wildcard certificate, however you can adjust this for other domains or subdomains if required.

      • A DigitalOcean API key (Personal Access Token) with read and write permissions. To create one, visit How to Create a Personal Access Token.

      Once you have these ready, log in to your server as your non-root user to begin.

      Step 1 — Installing Certbot

      In this step, you will install Certbot, which is a program to issue and manage Let’s Encrypt certificates.

      Certbot is available within the official Ubuntu Apt repositories, so you can install it using the default system package manager:

      • sudo apt update
      • sudo apt install certbot

      Once the installation has completed, you can check with the following command:

      This will output something similar to the following:

      Output

      certbot 0.40.0

      In this step you installed Certbot. Next, you will download and install the acme-dns-certbot hook.

      Step 2 — Installing and Configuring certbot-dns-digitalocean

      Now that you’ve installed the base Certbot program, you can download and install certbot-dns-digitalocean, which will allow Certbot to operate in DNS validation mode using the DigitalOcean DNS management API.

      Like Certbot itself, which you installed in Step 1, the certbot-dns-digitalocean utility is available within Ubuntu’s default repositories. However, the Certbot repository contains a more reliably updated version, so it is always recommended to use this where possible.

      Continue by installing the package for certbot-dns-digitalocean:

      • sudo apt install python3-certbot-dns-digitalocean

      Once the installation has completed, you need to set up a configuration file containing the DigitalOcean API key/Personal Access Token that you generated as part of the prerequisites.

      Begin by creating the creds.ini file in a private location:

      • touch ~/certbot-creds.ini

      Next, restrict the permissions on the file in order to make sure no other user on your server can read it:

      • chmod go-rwx ~/certbot-creds.ini

      Finally, open the file using your text editor and add your DigitalOcean access token:

      The content of the file will be as follows:

      ~/certbot-creds.ini

      dns_digitalocean_token = your_digitalocean_access_token
      

      Once done, save and close the file.

      Warning: Your DigitalOcean access token grants access to your DigitalOcean account, so you must protect it as you would a password. Do not share it with anyone or check it into a public code repository.

      In this step, you downloaded and installed the certbot-dns-digitalocean utility and created a configuration file containing your API credentials.

      Step 3 — Issuing a Certificate

      In this step, you’ll issue a certificate using Certbot and the DigitalOcean API.

      To issue your first certificate, run Certbot using the following arguments, making sure to specify the correct path to your credentials file as well as your domains:

      • sudo certbot certonly --dns-digitalocean --dns-digitalocean-credentials ~/certbot-creds.ini -d your_domain -d subdomain.your_domain

      Note: If you see an unsafe permissions on credentials configuration file warning, this indicates that the file permissions have not been correctly restricted, thus allowing other users on your server to access your token. Please double-check with the chmod command in Step 2.

      Certbot will take a few seconds to request the certificate; you will then receive a message confirming that it has issued your certificate:

      Output

      ... Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/your_domain/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/your_domain/privkey.pem ...

      In the event that the certificate issuance fails, this may be because there wasn’t sufficient time for the DNS changes to propagate. You can optionally increase the DNS propagation delay to give more time for the verification DNS records to propagate and be picked up by Let’s Encrypt. The delay is 10 seconds by default, but you can increase this using the --dns-digitalocean-propagation-seconds argument:

      • sudo certbot certonly --dns-digitalocean --dns-digitalocean-credentials ~/certbot-creds.ini --dns-digitalocean-propagation-seconds 30 -d your_domain -d subdomain.your_domain

      Finally, you can also use certbot-dns-digitalocean to issue wildcard certificates for your domain:

      • sudo certbot certonly --dns-digitalocean --dns-digitalocean-credentials ~/certbot-creds.ini -d *.your_domain

      Note: In some cases, requesting multiple certificates for the same hostnames in a short time period can cause issuance to begin failing. This is due to rate limits and the DNS time-to-live (TTL) value, which can sometimes cause delays in new DNS changes being propagated.

      To mitigate this, you may wish to wait out the duration of the TTL, or consider adjusting the --dns-digitalocean-propagation-seconds option that was detailed earlier in this step.

      In this step, you used Certbot with certbot-dns-digitalocean for the first time and issued your initial certificates.

      Step 4 — Renewing Certificates

      In this final step, you will renew certificates using Certbot with certbot-dns-digitalocean.

      Once your certificates are nearing expiry, Certbot is able to automatically renew them for you:

      The renewal process can run start-to-finish without user interaction. It will also remember the configuration options that you specified during the initial setup.

      By default, Certbot will run this as an automatic scheduled system task, meaning that no further maintenance is needed for your certificates. You can check that the scheduled task has been correctly installed by printing out the status of the associated system service, which is certbot.timer:

      • sudo systemctl status certbot.timer

      This will output something similar to the following, which shows the loaded task scheduled to run twice per day:

      Output

      ● certbot.timer - Run certbot twice daily Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled) Active: active (waiting) since Sun 2020-11-22 18:18:40 UTC; 2 weeks 6 days ago Trigger: Sun 2020-12-13 7:17:57 UTC; 11h left Nov 22 18:18:40 droplet1 systemd[1]: Started Run certbot twice daily.

      However, to test that this is working without having to wait until nearer the expiry date of your certificate(s), you can trigger a ‘dry run’. This will simulate the renewal process without making any actual changes to your configuration.

      You can trigger a dry run using the standard renew command, but with the --dry-run argument:

      • sudo certbot renew --dry-run

      This will output something similar to the following, which will provide assurance that the renewal process is functioning correctly:

      Output

      ... Cert not due for renewal, but simulating renewal for dry run Plugins selected: Authenticator dns-digitalocean, Installer None Renewing an existing certificate Performing the following challenges: dns-01 challenge for your_domain dns-01 challenge for subdomain.your_domain Waiting 10 seconds for DNS changes to propagate Waiting for verification... Cleaning up challenges ...

      In this final step, you tested the automatic renewal process within Certbot.

      Conclusion

      In this tutorial, you set up Certbot with certbot-dns-digitalocean to issue certificates using DNS validation with the DigitalOcean DNS management API.

      If you’re interested in learning more about certbot-dns-digitalocean, you may wish to review the official documentation for the utility:

      Alternatively, if you aren’t using DigitalOcean to manage your DNS records, you may wish to check out How to Acquire a Let’s Encrypt Certificate using DNS Validation with acme-dns-certbot on Ubuntu 18.04, which is a provider-agnostic alternative to certbot-dns-digitalocean.

      Finally, if you would like some further technical reading, you could dig into the details of ACME DNS validation by reviewing the relevant section of the official RFC document, which outlines how the process works:



      Source link

      Apache Configuration Error AH02572: Failed to configure at least one certificate and key



      Part of the Series:
      Common Apache Errors

      This tutorial series explains how to troubleshoot and fix some of the most common errors that you may encounter when using the Apache web server.

      Each tutorial in this series includes descriptions of common Apache configuration, network, filesystem, or permission errors. The series begins with an overview of the commands and log files that you can use to troubleshoot Apache. Subsequent tutorials examine specific errors in detail.

      Introduction

      Apache generates an AH02572: Failed to configure at least one certificate and key error message when it is configured to use the ssl module, but is missing a TLS/SSL public certificate and corresponding private key. The error will prevent Apache from starting up, and the error message itself will be found in Apache’s logs.

      In this tutorial you will learn how to troubleshoot an AH02572 error using the methods described in the How to Troubleshoot Common Apache Errors tutorial at the beginning of this series. You will also learn how to set the SSLCertificateFile and SSLCertificateKeyFile directives to resolve the message.

      If you have already determined that your Apache server is affected by an AH02572 error and you would like to skip the troubleshooting steps, the Adding an SSL Certificate to Apache section at the end of this tutorial explains how to resolve the error.

      Troubleshooting Using systemctl

      When you are troubleshooting an AH02572: Failed to configure at least one certificate and key error message, Apache will not be running. Its systemctl status will show a failed message.

      To examine Apache’s status with systemctl, run the following command on Ubuntu and Debian derived Linux distributions:

      Ubuntu and Debian Systems

      • sudo systemctl status apache2.service -l --no-pager

      On CentOS and Fedora systems, use this command to examine Apache’s status:

      CentOS and Fedora Systems

      • sudo systemctl status httpd.service -l --no-pager

      The -l flag will ensure that systemctl outputs the entire contents of a line, instead of substituting in ellipses () for long lines. The --no-pager flag will output the entire log to your screen without invoking a tool like less that only shows a screen of content at a time.

      You should receive output that is similar to the following:

      Output

      ● apache2.service - The Apache HTTP Server Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled) Drop-In: /lib/systemd/system/apache2.service.d └─apache2-systemd.conf Active: failed (Result: exit-code) since Fri 2020-07-31 16:02:41 UTC; 20s ago Process: 36 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE) Jul 31 16:02:41 7d6ef84b6907 systemd[1]: Starting The Apache HTTP Server... Jul 31 16:02:41 7d6ef84b6907 apachectl[36]: Action 'start' failed. Jul 31 16:02:41 7d6ef84b6907 apachectl[36]: The Apache error log may have more information. Jul 31 16:02:41 7d6ef84b6907 systemd[1]: apache2.service: Control process exited, code=exited status=1 Jul 31 16:02:41 7d6ef84b6907 systemd[1]: apache2.service: Failed with result 'exit-code'. Jul 31 16:02:41 7d6ef84b6907 systemd[1]: Failed to start The Apache HTTP Server.

      The important lines to note are the ones showing that Apache failed to start. However, there is nothing in the output that indicates an AH02572 error message. Examining the systemd logs for Apache using the journalctl command, or checking Apache’s configuration files with apachectl configtest will not help locate information that you can use to troubleshoot the error.

      To diagnose and resolve an AH02572 error, the next section explains how to examine Apache’s logs directly.

      Examining Apache’s Logs

      Apache logs diagnostic information about its internal operations to various locations, which differ depending on your Linux distribution. Typically, Apache is configured to log error messages to a separate log file from access requests in order to help with debugging, monitoring, and alerting.

      On Ubuntu and Debian-derived systems, Apache defaults to using /var/log/apache2/error.log for error messages.

      On CentOS, Fedora, and RedHat-derived systems, Apache defaults to logging errors to the /var/log/httpd/error_log file.

      To examine Apache’s logs for evidence of an AH02572 error message, use the grep utility to search for the error code in the appropriate log file for your distribution. While there are other tools like less that you could use to find evidence of an AH02572 error, grep will only display lines with the error code so you can be sure of whether you’re affected by the issue.

      Invoke grep like this on Ubuntu and Debian-derived systems:

      • sudo grep AH02572 /var/log/apache2/error.log

      On CentOS, Fedora, and RedHat-derived systems, use the following command:

      • sudo grep AH02572 /var/log/httpd/error_log

      If your Apache server is affected by an AH02572 error, you will have output like the following:

      Output

      [Mon Aug 03 13:21:47.677235 2020] [ssl:emerg] [pid 26:tid 140355819735360] AH02572: Failed to configure at least one certificate and key for 172.17.0.5:443

      If your server is affected by an AH02572 error, the next section of this tutorial explains how to resolve it, by either disabling the ssl module, or configuring Apache with a private key and public certificate file.

      Resolving an AH02572 Error

      There are three ways to resolve an AH02572 error. The first option to resolve the error is to configure Apache with a private key and public certificate that is signed by a recognized Certificate Authority (CA). Let’s Encrypt is a free CA and you can use it to issue a valid certificate. This approach will ensure that traffic to and from your server is encrypted properly, and that web browsers and other HTTP clients trust your Apache server.

      Another approach is to create a self-signed certificate for your Apache server. This approach is useful for development and testing environments, or in cases where your server is not directly connected to the Internet and you can establish trust between systems manually.

      The last approach to resolving an AH02572 error is to turn off Apache’s ssl module entirely. This option is the least preferred since traffic to and from your server will not be encrypted. However, if you are only using your Apache server for local development or in a trusted environment, this approach can be valid.

      The following sections explain how to resolve an AH02572 error using each of the three options.

      Resolving an AH02572 Error with a Let’s Encrypt TLS Certificate

      To encrypt traffic to your Apache server using a free Let’s Encrypt TLS Certificate, use one of the guides that is specific to your Linux distribution from this tutorial series: How To Secure Apache with Let’s Encrypt.

      The Let’s Encrypt process is mostly automated, and the scripts will configure Apache for you. Moreover, the issued certificate will also be renewed automatically so you do not have to worry about it expiring in the future.

      If you are using a Linux distribution that is not included in the How To Secure Apache with Let’s Encrypt series, the Let’s Encrypt documentation includes links to interactive Certbot instructions that can help you configure your Apache server with a valid TLS certificate.

      Resolving an AH02572 Error with a Self-Signed Certificate

      To encrypt traffic to your Apache server using a self-signed certificate, use one of the tutorials from this series that explains how to create Self-signed SSL Certificates with Apache.

      These tutorials demonstrate how to generate a private key and public certificate for your Apache server. They also demonstrate how to use the SSLCertificateFile and SSLCertificateKeyFile Apache directives to configure your server with the certificate that you generate.

      If you are not using a distribution that is listed in the Self-signed SSL Certificates with Apache set of tutorials, this OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs guide can help you create a private key and self-signed public certificate that you can use with Apache.

      Note: Where possible, it is best to use a free Let’s Encrypt certificate, or other commercially issued TLS certificate. Self-signed TLS certificates are not trusted by default by browsers and other HTTP clients. As a result, your users will see a security error when visiting your site. However, if you are doing local development, or your use case does not require a valid TLS certificate you can opt for the self-signed approach.

      Disabling the ssl Module

      The last approach to resolving an AH02572 error is to turn off Apache’s TLS/SSL support by disabling the ssl module. This approach is less desirable than encrypting traffic to your server with a TLS certificate, so be certain that you do not need TLS support before disabling the module.

      To disable Apache’s ssl module on Ubuntu and Debian-derived systems, run the following command:

      On CentOS, Fedora, and RedHat-derived systems, disable the module with the following command:

      • sudo rm /etc/httpd/conf.modules.d/00-ssl.conf

      Once you have disabled the ssl module, run apachectl to test that the configuration is valid.

      • sudo apachectl configtest

      A successful apachectl configtest invocation should result in output like this:

      Output

      Syntax OK

      You can now restart Apache using the appropriate systemctl restart command for your Linux distribution.

      On Ubuntu and Debian-derived systems, run the following:

      • sudo systemctl restart apache2.service

      On CentOS, Fedora, and RedHat-derived systems use this command to restart Apache:

      • sudo systemctl restart httpd.service

      If there are no errors from the systemctl command then you have disabled the ssl module successfully.

      Conclusion

      AH02572: Failed to configure at least one certificate and key errors are challenging to detect and troubleshoot. They cannot be diagnosed with the usual systemctl, journalctl, and apachectl commands. In this tutorial you learned how to use the grep utility to examine Apache’s logs directly for evidence of an AH02572 error.

      Next you learned how to use Let’s Encrypt to configure Apache with a TLS certificate to secure your traffic and resolve the AH02572 error. You also learned about using self-signed TLS certificates for development and isolated environments. Finally you learned how to turn off the ssl module for those situations where it is not needed.



      Source link

      How To Create a Self-Signed SSL Certificate for Apache in Ubuntu 20.04


      Introduction

      TLS, or “transport layer security” — and its predecessor SSL — are protocols used to wrap normal traffic in a protected, encrypted wrapper. Using this technology, servers can safely send information to their clients without their messages being intercepted or read by an outside party.

      In this guide, we will show you how to create and use a self-signed SSL certificate with the Apache web server on Ubuntu 20.04.

      Note: A self-signed certificate will encrypt communication between your server and any clients. However, because it is not signed by any of the trusted certificate authorities included with web browsers and operating systems, users cannot use the certificate to validate the identity of your server automatically. As a result, your users will see a security error when visiting your site.

      Because of this limitation, self-signed certificates are not appropriate for a production environment serving the public. They are typically used for testing, or for securing non-critical services used by a single user or a small group of users that can establish trust in the certificate’s validity through alternate communication channels.

      For a more production-ready certificate solution, check out Let’s Encrypt, a free certificate authority. You can learn how to download and configure a Let’s Encrypt certificate in our How To Secure Apache with Let’s Encrypt on Ubuntu 20.04 tutorial.

      Prerequisites

      Before starting this tutorial, you’ll need the following:

      • Access to a Ubuntu 20.04 server with a non-root, sudo-enabled user. Our Initial Server Setup with Ubuntu 20.04 guide can show you how to create this account.
      • You will also need to have Apache installed. You can install Apache using apt. First, update the local package index to reflect the latest upstream changes:

      Then, install the apache2 package:

      And finally, if you have a ufw firewall set up, open up the http and https ports:

      • sudo ufw allow "Apache Full"

      After these steps are complete, be sure you are logged in as your non-root user and continue with the tutorial.

      Step 1 — Enabling mod_ssl

      Before we can use any SSL certificates, we first have to enable mod_ssl, an Apache module that provides support for SSL encryption.

      Enable mod_ssl with the a2enmod command:

      Restart Apache to activate the module:

      • sudo systemctl restart apache2

      The mod_ssl module is now enabled and ready for use.

      Step 2 – Creating the SSL Certificate

      Now that Apache is ready to use encryption, we can move on to generating a new SSL certificate. The certificate will store some basic information about your site, and will be accompanied by a key file that allows the server to securely handle encrypted data.

      We can create the SSL key and certificate files with the openssl command:

      • sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

      After you enter the command, you will be taken to a prompt where you can enter information about your website. Before we go over that, let’s take a look at what is happening in the command we are issuing:

      • openssl: This is the command line tool for creating and managing OpenSSL certificates, keys, and other files.
      • req -x509: This specifies that we want to use X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL and TLS adhere to for key and certificate management.
      • -nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Apache to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening, since we would have to enter it after every restart.
      • -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here. Many modern browsers will reject any certificates that are valid for longer than one year.
      • -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
      • -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
      • -out: This tells OpenSSL where to place the certificate that we are creating.

      Fill out the prompts appropriately. The most important line is the one that requests the Common Name. You need to enter either the hostname you’ll use to access the server by, or the public IP of the server. It’s important that this field matches whatever you’ll put into your browser’s address bar to access the site, as a mismatch will cause more security errors.

      The full list of prompts will look something like this:

      Country Name (2 letter code) [XX]:US
      State or Province Name (full name) []:Example
      Locality Name (eg, city) [Default City]:Example 
      Organization Name (eg, company) [Default Company Ltd]:Example Inc
      Organizational Unit Name (eg, section) []:Example Dept
      Common Name (eg, your name or your server's hostname) []:your_domain_or_ip
      Email Address []:webmaster@example.com
      

      Both of the files you created will be placed in the appropriate subdirectories under /etc/ssl.

      Next we will update our Apache configuration to use the new certificate and key.

      Step 3 – Configuring Apache to Use SSL

      Now that we have our self-signed certificate and key available, we need to update our Apache configuration to use them. On Ubuntu, you can place new Apache configuration files (they must end in .conf) into /etc/apache2/sites-available/and they will be loaded the next time the Apache process is reloaded or restarted.

      For this tutorial we will create a new minimal configuration file. (If you already have an Apache <Virtualhost> set up and just need to add SSL to it, you will likely need to copy over the configuration lines that start with SSL, and switch the VirtualHost port from 80 to 443. We will take care of port 80 in the next step.)

      Open a new file in the /etc/apache2/sites-available directory:

      • sudo nano /etc/apache2/sites-available/your_domain_or_ip.conf

      Paste in the following minimal VirtualHost configuration:

      /etc/apache2/sites-available/your_domain_or_ip.conf

      <VirtualHost *:443>
         ServerName your_domain_or_ip
         DocumentRoot /var/www/your_domain_or_ip
      
         SSLEngine on
         SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
         SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
      </VirtualHost>
      
      

      Be sure to update the ServerName line to however you intend to address your server. This can be a hostname, full domain name, or an IP address. Make sure whatever you choose matches the Common Name you chose when making the certificate.

      The remaining lines specify a DocumentRoot directory to serve files from, and the SSL options needed to point Apache to our newly-created certificate and key.

      Now let’s create our DocumentRoot and put an HTML file in it just for testing purposes:

      • sudo mkdir /var/www/your_domain_or_ip

      Open a new index.html file with your text editor:

      • sudo nano /var/www/your_domain_or_ip/index.html

      Paste the following into the blank file:

      /var/www/your_domain_or_ip/index.html

      <h1>it worked!</h1>
      

      This is not a full HTML file, of course, but browsers are lenient and it will be enough to verify our configuration.

      Save and close the file
      Next, we need to enable the configuration file with the a2ensite tool:

      • sudo a2ensite your_domain_or_ip.conf

      Next, let’s test for configuration errors:

      • sudo apache2ctl configtest

      If everything is successful, you will get a result that looks like this:

      Output

      AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message Syntax OK

      The first line is a message telling you that the ServerName directive is not set globally. If you want to get rid of that message, you can set ServerName to your server’s domain name or IP address in /etc/apache2/apache2.conf. This is optional as the message will do no harm.

      If your output has Syntax OK in it, your configuration file has no syntax errors. We can safely reload Apache to implement our changes:

      • sudo systemctl reload apache2

      Now load your site in a browser, being sure to use https:// at the beginning.

      You should see an error. This is normal for a self-signed certificate! The browser is warning you that it can’t verify the identity of the server, because our certificate is not signed by any of its known certificate authorities. For testing purposes and personal use this can be fine. You should be able to click through to advanced or more information and choose to proceed.

      After you do so, your browser will load the it worked! message.

      Note: if your browser doesn’t connect at all to the server, make sure your connection isn’t being blocked by a firewall. If you are using ufw, the following commands will open ports 80 and 443:

      • sudo ufw allow "Apache Full"

      Next we will add another VirtualHost section to our configuration to serve plain HTTP requests and redirect them to HTTPS.

      Step 4 — Redirecting HTTP to HTTPS

      Currently, our configuration will only respond to HTTPS requests on port 443. It is good practice to also respond on port 80, even if you want to force all traffic to be encrypted. Let’s set up a VirtualHost to respond to these unencrypted requests and redirect them to HTTPS.

      Open the same Apache configuration file we started in previous steps:

      • sudo nano /etc/apache2/sites-available/your_domain_or_ip.conf

      At the bottom, create another VirtualHost block to match requests on port 80. Use the ServerName directive to again match your domain name or IP address. Then, use Redirect to match any requests and send them to the SSL VirtualHost. Make sure to include the trailing slash:

      /etc/apache2/sites-available/your_domain_or_ip.conf

      <VirtualHost *:80>
          ServerName your_domain_or_ip
          Redirect / https://your_domain_or_ip/
      </VirtualHost>
      

      Save and close this file when you are finished, then test your configuration syntax again, and reload Apache:

      • sudo apachectl configtest
      • sudo systemctl reload apache2

      You can test the new redirect functionality by visiting your site with plain http:// in front of the address. You should be redirected to https:// automatically.

      Conclusion

      You have now configured Apache to serve encrypted requests using a self-signed SSL certificate, and to redirect unencrypted HTTP requests to HTTPS.

      If you are planning on using SSL for a public website, you should look into purchasing a domain name and using a widely supported certificate authority such as Let’s Encrypt.

      For more information on using Let’s Encrypt with Apache, please read our How To Secure Apache with Let’s Encrypt on Ubuntu 20.04 tutorial.



      Source link