Ref: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-22-04
1. Open up the ufw firewall for the HTTP and HTTPS ports:
[codesyntax lang="bash"]
satria@teddy:~$ sudo ufw allow "Apache Full"
[sudo] password for satria:
ERROR: Could not find a profile matching 'Apache Full'
[/codesyntax]
2. Enable mod_ssl
[codesyntax lang="bash"]
satria@teddy:~$ sudo a2enmod ssl
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
satria@teddy:~$ sudo systemctl restart apache2
[/codesyntax]
3. Creating the TLS Certificate
[codesyntax lang="bash"]
satria@teddy:~$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
.+.......+.....+.+........+...................+..+...+...+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+......+.........+.........+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+.......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+..+...+...............+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.......+...+......+...+......+.....+....+...+..+...+.......+.....+......+.......+.........+...........+.......+...+...+..+.........+....+..+....+...+..+...+.+..+.......+.....+......+.+......+..............+.+.....+.........+......+.........+....+.........+...+.......................+.......+...+......+...+...+..+.......+.....+....+.................+....+.....+.............+......+..+....+...+.....+......+...................+..+.........................+.....+......+....+.....+....+.........+..+.+..+.+.........+..+...+.......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:My State
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LimauSoft
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:satria
Email Address []:xxx@yahoo.com
[/codesyntax]
4. Configuring Apache to Use TLS
[codesyntax lang="bash"]
satria@teddy:~$ sudo gedit /etc/apache2/sites-available/mywebsite.test.conf
[/codesyntax]
The config file looks like this:
[codesyntax lang="php"]
# Plain HTTP: redirect every request to the HTTPS site
<VirtualHost mywebsite.test:80>
    ServerName www.mywebsite.test
    Redirect / https://mywebsite.test/
</VirtualHost>

<VirtualHost mywebsite.test:443>
    ServerName www.mywebsite.test
    DocumentRoot "/home/satria/Documents/projects/mywebsite"
    DirectoryIndex index.php

    <Directory "/home/satria/Documents/projects/mywebsite">
        AllowOverride All
        # Apache 2.2 syntax (needs mod_access_compat); Require below is the 2.4 form
        Allow from All
        Require all granted
    </Directory>

    # Self-signed certificate and private key created in step 3
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

    ErrorLog /var/log/apache2/mywebsite.error.log
    CustomLog /var/log/apache2/mywebsite.access.log combined
</VirtualHost>
[/codesyntax]
Don’t forget to reload or restart the apache2 service.
5. Now load your site in a browser, being sure to use https:// at the beginning.
You should see an error. This is normal for a self-signed certificate! The browser is warning you that it can’t verify the identity of the server, because our certificate is not signed by any of its known certificate authorities. For testing purposes and personal use this can be fine. You should be able to click through to advanced or more information and choose to proceed.
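The browser warning in step 5 can hide a second problem: a certificate whose names do not include the site's hostname, or a certificate and key that do not belong together. The script below is an added example (not part of the original post or the referenced tutorial) that builds a CN-only certificate like the one in step 3 and one with a subjectAltName for `mywebsite.test`, then checks each with `openssl`. It assumes OpenSSL 1.1.1 or later; the function names and the scratch directory are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. Uses a scratch directory, so no
# sudo is needed. Function and file names are illustrative. Needs OpenSSL 1.1.1+.

# make_cert DIR CN [SAN]: self-signed RSA-2048 certificate, valid 365 days.
# Without a SAN argument it mirrors the interactive command from step 3.
make_cert() (
    dir=$1; cn=$2; san=${3:-}
    set -- -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/$cn.key" -out "$dir/$cn.crt" -subj "/CN=$cn"
    [ -n "$san" ] && set -- "$@" -addext "subjectAltName=$san"
    umask 077                       # key (and cert) are created owner-only
    openssl req "$@" 2>/dev/null
)

# cert_matches_key CRT KEY: succeeds when both files hold the same public key.
cert_matches_key() (
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ -n "$c" ] && [ "$c" = "$k" ]
)

# cert_covers_host CRT HOST: succeeds when the certificate is valid for HOST.
# -checkhost reports its result as text, so the message is matched.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# cert_valid_for CRT DAYS: succeeds if the certificate is still valid in DAYS days.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check LABEL COMMAND...: run one check and print PASS or FAIL.
check() { label=$1; shift; if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi; }

tmp=$(mktemp -d)
make_cert "$tmp" satria             # CN only, like the certificate in step 3
make_cert "$tmp" mywebsite.test "DNS:mywebsite.test,DNS:www.mywebsite.test"
check "step-3 style cert names mywebsite.test" \
    cert_covers_host "$tmp/satria.crt" mywebsite.test          # expected to FAIL
check "SAN cert names www.mywebsite.test" \
    cert_covers_host "$tmp/mywebsite.test.crt" www.mywebsite.test
check "SAN cert matches its key" \
    cert_matches_key "$tmp/mywebsite.test.crt" "$tmp/mywebsite.test.key"
check "SAN cert valid for 30 more days" cert_valid_for "$tmp/mywebsite.test.crt" 30
rm -rf "$tmp"
```

The same three check functions can be pointed at the files under `/etc/ssl` (run with sudo so the private key is readable) before Apache is restarted.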