Obtaining SSL Encryption Certificates for Apache on Arch Linux

This has been an issue for me for quite some time. I have been trying to get SSL working and get valid certificates so that I could secure a few things and offer better security. Additionally, these days, having secure http is an added benefit. Most web-based server functions prefer the use of https over http for the extra security as well.

Here is how I got SSL and the proper encryption installed on Arch Linux with Apache.

First, install what you need (assuming that you already have a [LAMP](https://wiki.archlinux.org/index.php/Apache_HTTP_Server) stack).

yaourt -S certbot certbot-apache acme-tiny letsencrypt-cli openssl

Next, you need to obtain the certificates. Also, I port forwarded 80 and 443 through the router to the server. This would be a good time to make sure that port forward is good or else this won’t work properly.

certbot certonly --email your.email@address.com --webroot -w /srv/http/site1/ -d www.inject.run,inject.run

If you have received the congratulations message, then you should have certificates in the designated folder. (Mine were located in /etc/letsencrypt/live/inject.run/fullchain.pem.)

Now we have to activate/use the certificates through Apache.

Edit /etc/httpd/conf/httpd.conf and uncomment the following (I use nano and ctrl+w to search):

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf

And, while you’re in httpd.conf, search for Listen 80 and add Listen 443 right below that line.

Now, this might seem like a duplication of effort, but it was the only way I got this to work:

In /etc/httpd/conf/extra/httpd-ssl.conf, find the Virtual Host Context section, and add your VirtualHost server information as follows:

DocumentRoot "/srv/http/inject.run"
ServerName inject.run:443
ServerAdmin YOUR.EMAIL@ADDRESS.COM
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/inject.run/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/inject.run/privkey.pem"
#SSLCertificateChainFile "/etc/letsencrypt/live/inject.run/chain.pem"
#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"

Note, the only two files you have to reference from your certificates are fullchain and privkey.

And the last thing before you restart all of your services is to add a separate VirtualHost in your httpd-vhosts.conf file. Edit /etc/httpd/conf/extra/httpd-vhosts.conf and add a second VirtualHost for the same website but with *:443 instead of *:80. Additionally, you are going to need to add your certificate information as well. See the example below:

    <VirtualHost *:80>
        ServerName www.inject.run
        # OTHER OPTIONS FOR VHOST HERE IF NEEDED
    </VirtualHost>

    <VirtualHost *:443>
        ServerName www.inject.run
        # OTHER OPTIONS FOR VHOST HERE IF NEEDED

        SSLEngine on
        SSLCertificateFile "/etc/letsencrypt/live/inject.run/fullchain.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/inject.run/privkey.pem"
    </VirtualHost>

Notice I added the SSL stuff in the second VirtualHost entry.

Now, if you choose, you can remove everything from the non-encrypted VirtualHost and add the following line below the ServerName to redirect all traffic to secure connections.

Redirect / https://www.inject.run/
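
A quick check for the two VirtualHost entries described above, as an added example that is not part of the original post: it flags a *:443 block that lacks SSLEngine on or points at files other than fullchain.pem and privkey.pem, and a *:80 block that does not redirect to https://. The function names and the sample configuration (which deliberately uses cert.pem and omits the redirect) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: lint VirtualHost blocks like the ones above.
# lint_vhosts [FILE...] prints one finding per line; exit status is 1 if anything was found.
lint_vhosts() {
  awk '
    function report(msg) { printf "%s (%s): %s\n", name, addr, msg; bad = 1 }
    { gsub(/"/, "") }                      # drop quotes around paths
    $1 ~ /^#/ { next }                     # ignore commented-out directives
    { d = tolower($1) }                    # Apache directive names are case-insensitive
    d == "<virtualhost" {                  # new block: reset per-vhost state
      addr = $2; sub(/>$/, "", addr)
      name = "?"; engine = cert = key = redir = ""
    }
    d == "servername"            { name = $2 }
    d == "sslengine"             { engine = tolower($2) }
    d == "sslcertificatefile"    { cert = $2 }
    d == "sslcertificatekeyfile" { key = $2 }
    d == "redirect"              { redir = $NF }
    d == "</virtualhost>" {
      if (addr ~ /:443$/) {
        if (engine != "on")            report("SSLEngine is not on")
        if (cert !~ /fullchain\.pem$/) report("SSLCertificateFile is not fullchain.pem")
        if (key !~ /privkey\.pem$/)    report("SSLCertificateKeyFile is not privkey.pem")
      } else if (redir !~ /^https:\/\//) {
        report("no Redirect to https://")
      }
    }
    END { exit bad + 0 }
  ' "$@"
}

# Constructed sample input: port 80 still serves content, port 443 uses cert.pem.
sample_conf() {
  cat <<'EOF'
<VirtualHost *:80>
    ServerName www.inject.run
    DocumentRoot "/srv/http/inject.run"
</VirtualHost>
<VirtualHost *:443>
    ServerName www.inject.run
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/inject.run/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/inject.run/privkey.pem"
</VirtualHost>
EOF
}

sample_conf | lint_vhosts || echo "fix the findings above before restarting httpd"
```

To check a real file, pass its path instead of piping the sample, for example `lint_vhosts /etc/httpd/conf/extra/httpd-vhosts.conf`.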

Hopefully, this helps get your SSL encryption working.
