Setup Apache2 HTTP with Self-Signed SSL/TLS Certificates on Ubuntu 16.04 LTS Servers

When you’re doing internal testing in development environments, you may not need publicly signed SSL/TLS certificates. Although we’ve shown you how to obtain free Let’s Encrypt certificates, if your site is not publicly accessible or not assigned a public domain, Let’s Encrypt won’t work for you.

Your only option is to use self-signed certificates.

An SSL/TLS certificate is part of the mechanism that allows private communication between two network devices. SSL/TLS is a protocol that enables secure communication between web servers and web clients, as well as many other network services.

When it comes to SSL/TLS implementations, there are basically two types of certificates: public and private. Public certificates are those used on websites and other public-facing resources, and private or self-signed certificates are those generated internally, mostly for testing purposes. When you’re ready to set up Apache2 with self-signed certificates, continue below:

Step 1: Install Apache2 HTTP Web Server

If you don’t already have Apache2 HTTP Server installed, the commands below can help you install it on Ubuntu 16.04 LTS… Just copy and paste each line and run it.

sudo apt update
sudo apt install apache2

After installing Apache2, go to step 2 to generate a self-signed SSL/TLS certificate for the Apache2 website.

Step 2: Creating Self-signed Certificates

When you can’t install or afford trusted certificates from a certificate authority, you may get by with self-signed certificates. Trusted and self-signed certificates are technically the same and use the same protocols; the only difference is that one is trusted by a third party and the other is not.

When you’re ready, run the command below to generate the server private key as well as the self-signed SSL/TLS certificate for the example.com domain you’ll be using.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/example.com.key -out /etc/ssl/certs/example.com.crt

After running the command above, you’ll be prompted to answer a few questions about the certificate you’re generating. Answer them and complete the process.

Generating a 2048 bit RSA private key
........+++
.....................+++
writing new private key to '/etc/ssl/private/example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Company
Organizational Unit Name (eg, section) []:SSL Unit
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:webmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: LEAVE BLANK
An optional company name []:

When you’re done, the private key will be stored as example.com.key in the /etc/ssl/private/ folder and the certificate as example.com.crt in the /etc/ssl/certs/ folder, as defined on the command line above.

You’ll need to reference both files in the Apache2 configuration settings.
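The Step 2 command in a non-interactive form, followed by checks on the resulting pair before Apache2 is pointed at it. This is an added example, not part of the original tutorial: it goes slightly beyond the command above by setting subjectAltName (which current browsers match against instead of the Common Name), and the function names and the single output directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Paths and function names are hypothetical; point the
# directory argument at a scratch location, not /etc/ssl, while testing.

# Create DIR/CN.key and DIR/CN.crt without prompts. subjectAltName comes from
# a config file because OpenSSL 1.0.2 (Ubuntu 16.04) has no -addext option.
make_selfsigned() {
    dir=$1; cn=$2
    cat > "$dir/$cn.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $cn
[v3]
subjectAltName = DNS:$cn, DNS:www.$cn
EOF
    ( umask 077   # the unencrypted (-nodes) key is never group/world-readable
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -config "$dir/$cn.cnf" \
          -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null ) || return 1
    chmod 644 "$dir/$cn.crt"   # the certificate itself is public
}

# True only if the certificate carries the public key derived from the key file.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# Checks worth running before Apache is restarted: CRT and KEY belong together,
# CRT stays valid for at least DAYS more days, KEY is owner-only.
preflight() {
    cert_matches_key "$1" "$2" || { echo "key/cert mismatch"; return 1; }
    openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null \
        || { echo "expires within $3 days"; return 1; }
    perms=$(ls -l "$2" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key readable by group/other"; return 1; }
    echo ok
}
```

The same check works on the files from the tutorial when run as root: `preflight /etc/ssl/certs/example.com.crt /etc/ssl/private/example.com.key 30`.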

Step 3: Installing the certificates

After generating the certificate, the next step is to install it on the Apache2 server. To do that, open the Apache2 SSL/TLS config file in Ubuntu and set the SSLCertificateFile and SSLCertificateKeyFile lines as shown below.

sudo nano /etc/apache2/sites-available/default-ssl.conf

Then reference the certificate files in Apache2 configuration as shown below:

 
<IfModule mod_ssl.c>
 <VirtualHost _default_:443>       
                ServerAdmin webmaster@localhost
                ServerName example.com
                ServerAlias www.example.com
                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                #Include conf-available/serve-cgi-bin.conf

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on
                SSLCertificateFile      /etc/ssl/certs/example.com.crt
                SSLCertificateKeyFile /etc/ssl/private/example.com.key
                #
                #SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

......................
.......................

 </VirtualHost>
</IfModule>

Save the file and close it.

Next, open the Apache2 default site config file and make sure the domain name is defined.

sudo nano /etc/apache2/sites-available/000-default.conf

And define the server name as shown below:

<VirtualHost *:80>
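        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.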
        
        ServerName example.com
        ServerAlias www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

..................
.................
</VirtualHost>

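After making the changes above, run the commands below to enable the Apache2 SSL module and the SSL site, then test your settings. The test comes last so that it also covers the SSL virtual host you just edited.

sudo a2enmod ssl
sudo a2ensite default-ssl
sudo apachectl configtest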

If you don’t see any error messages then you’re good. Restart the Apache2 web server by running the command below.

sudo systemctl restart apache2.service

Next, browse to the server domain using https in your browser and you’ll get a certificate warning because the certificate is self-signed. If you see a warning that the cert can’t be trusted, then it’s working.

Continue to the site, since you trust your own self-signed certificates. Going to sites you don’t trust is not recommended.

That’s it! This is how to create self-signed certificates to support Apache2 HTTP server.

Enjoy!

4 Replies to “Setup Apache2 HTTP with Self-Signed SSL/TLS Certificates on Ubuntu 16.04 LTS Servers”

  1. Thanks, you have made this simpler to understand than most other sites I have already looked at today. I notice that you are making edits in the default-ssl.conf and 000-default.conf files. Does this still apply if you need to set up HTTPS on multiple sites on the same development machine? In other words, I may have two sites such as dev.mysite.com as well as dev.myothersite.com both running locally (I am building customized Drupal websites for businesses). Would anything need to be changed in the ‘dev.mysite.com.conf’ or the ‘dev.myothersite.com.conf’ files? I am new to working with Apache (ex-IIS/ .NET developer).

  2. Thank you for making this! This worked for me still on November 11, 2018. In addition, I used a combination of Cloudflare and Amazon aws.
