1. Obtain an SSL Certificate (Let's Encrypt)
1.1 Advance preparation
1. Enable mod_ssl
```
# a2enmod ssl
```
2. Install the Snappy package management system
Since 2021, Let's Encrypt recommends installing its certificate-issuing tool "certbot" via "snap", so install snapd first.
Add snappy repository.
```
# zypper addrepo --refresh https://download.opensuse.org/repositories/system:/snappy/openSUSE_Tumbleweed snappy
```
After adding the repository, import its GPG key:
```
# zypper --gpg-auto-import-keys refresh
```
Upgrade the package cache to include the new snappy repository:
```
# zypper dup --from snappy
```
Install snapd
```
# zypper -n install snapd
```
You will then need to reboot, log out and back in, or run "source /etc/profile" so that /snap/bin is added to your PATH. In addition, enable and start both the snapd service and the snapd.apparmor service with the following commands:
```
# systemctl enable --now snapd
# systemctl enable --now snapd.apparmor
```
Bring snapd version up to date
```
# snap install core
```
Update core package
```
# snap refresh core
```
Version confirmation
```
# snap --version
snap                 2.71
snapd                2.71
series               16
opensuse-tumbleweed  20250829
kernel               6.16.3-1-default
```
1.2 Obtaining Certificates
```
# snap install certbot --classic
# certbot certonly --webroot -w /srv/www/htdocs/<FQDN> -d <FQDN>
```
# Registering an e-mail address and agreeing to the terms of use are required the first time only.
# Specify an e-mail address at which you can receive renewal and security notices.
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [mail address]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for [FQDN]

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/[FQDN]/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/[FQDN]/privkey.pem
This certificate expires on 2025-12-01.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
If "Successfully received certificate" is displayed, the certificate was issued successfully.
# As stated in the message, the following files are saved under /etc/letsencrypt/live/<FQDN>/:
# cert.pem ⇒ SSL server certificate (including the public key)
# chain.pem ⇒ intermediate certificate
# fullchain.pem ⇒ cert.pem and chain.pem combined into one file
# privkey.pem ⇒ private key
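Before pointing Apache at these files it is worth confirming that they belong together. The following script is an added example, not part of the original page or of certbot: it checks that privkey.pem matches cert.pem, that chain.pem validates cert.pem, that fullchain.pem holds cert.pem followed by chain.pem, and how close the certificate is to its expiry. It assumes the openssl command-line tool is installed and is run as root, since privkey.pem under /etc/letsencrypt is readable only by root.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the four files certbot
# wrote under /etc/letsencrypt/live/<FQDN>/. Assumes the openssl CLI is installed.

# le_key_matches_cert DIR: exit 0 if privkey.pem and cert.pem carry the same public key
le_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# le_chain_verifies DIR: exit 0 if the issuer certificate(s) in chain.pem validate cert.pem;
# -partial_chain lets the intermediate in chain.pem act as the trust anchor
le_chain_verifies() {
    openssl verify -partial_chain -CAfile "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1
}

# pem_cert_count FILE: number of PEM certificate blocks in FILE (0 if unreadable)
pem_cert_count() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# le_fullchain_ok DIR: exit 0 if fullchain.pem holds as many certificates as cert.pem + chain.pem
le_fullchain_ok() {
    full=$(pem_cert_count "$1/fullchain.pem")
    expected=$(( $(pem_cert_count "$1/cert.pem") + $(pem_cert_count "$1/chain.pem") ))
    [ "$full" -gt 0 ] && [ "$full" -eq "$expected" ]
}

# le_expires_within DIR DAYS: exit 0 if cert.pem expires within the next DAYS days
# (openssl -checkend exits non-zero when the certificate will expire inside the window)
le_expires_within() {
    if openssl x509 -in "$1/cert.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# le_check_all DIR: print a report; exit 0 only if every hard check passes
le_check_all() {
    dir=$1; status=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ -r "$dir/$f" ]; then echo "OK   readable: $dir/$f"
        else echo "FAIL missing or unreadable: $dir/$f"; status=1; fi
    done
    if le_key_matches_cert "$dir"; then echo "OK   privkey.pem matches cert.pem"
    else echo "FAIL privkey.pem does not match cert.pem"; status=1; fi
    if le_chain_verifies "$dir"; then echo "OK   chain.pem validates cert.pem"
    else echo "FAIL chain.pem does not validate cert.pem"; status=1; fi
    if le_fullchain_ok "$dir"; then echo "OK   fullchain.pem = cert.pem + chain.pem"
    else echo "FAIL fullchain.pem is not cert.pem followed by chain.pem"; status=1; fi
    if le_expires_within "$dir" 30; then echo "WARN cert.pem expires within 30 days; renewal is due"
    else echo "OK   cert.pem is valid for more than 30 days"; fi
    return $status
}

# usage: sh check-le-files.sh /etc/letsencrypt/live/<FQDN>
if [ "$#" -gt 0 ]; then
    le_check_all "$1"
fi
```

Apache reads the certificate files only when it starts or reloads, so a renewed certificate is not served until Apache is reloaded; certbot's --deploy-hook option (for example "systemctl reload apache2") runs a command after each successful renewal, and certbot renew --dry-run exercises the renewal path without replacing the live certificate.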
2. Switching the web server to SSL
2.1 SSL Configuration
```
# a2enmod -l
actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout cgid php8 version
```
```
# vi /etc/apache2/listen.conf
● Line 17: uncomment the following line
Listen 443
```
```
# vi /etc/apache2/vhosts.d/default-ssl.conf
# Create new
<VirtualHost *:443>
    DocumentRoot "/srv/www/htdocs/[FQDN]"
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/letsencrypt/live/[FQDN]/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/[FQDN]/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/[FQDN]/chain.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/srv/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>
```
```
# systemctl restart apache2
```
2.2 Redirect HTTP communications to HTTPS
To redirect all HTTP communication to HTTPS, create a new virtual_host_ssl.conf as follows:
```
# vi /etc/apache2/vhosts.d/virtual_host_ssl.conf
<VirtualHost *:80>
    ServerName [FQDN]
    ServerAdmin [email address]
    DocumentRoot /srv/www/htdocs/[FQDN]
    ErrorLog /var/log/apache2/[FQDN].error.log
    CustomLog /var/log/apache2/[FQDN].access.log combined
    LogLevel warn
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```
```
# a2enmod rewrite
# a2enmod -l
actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout cgid php8 version rewrite
```
```
# systemctl restart apache2
```
If firewalld is enabled, the https service must be allowed; HTTPS uses 443/TCP.
```
# firewall-cmd --add-service=https --permanent
success
# firewall-cmd --reload
success
```
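Two points in the vhost files from 2.1 and 2.2 deserve a second look: "SSLProtocol all -SSLv2 -SSLv3" still permits TLS 1.0 and 1.1, and SSLCertificateChainFile has been deprecated since httpd 2.4.8 (pointing SSLCertificateFile at fullchain.pem loads the intermediate as well). The script below is an added example, not part of the original page or of Apache: a small lint pass in POSIX sh over a vhost file that flags those two findings and also checks that a port-80 vhost actually carries an HTTPS redirect. The helper functions write constructed copies of the page's own vhosts (with [FQDN] left as a placeholder) and a hardened variant of the port-443 vhost, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): lint an Apache vhost file for the
# weak points noted above. Uses only POSIX sh, grep and sed.

# ssl_protocol_allows_legacy_tls "VALUE": exit 0 if an SSLProtocol value still permits
# TLS 1.0 or TLS 1.1, applying mod_ssl's all / +proto / -proto tokens left to right
ssl_protocol_allows_legacy_tls() {
    v10=0; v11=0
    for tok in $1; do
        case $tok in
            all|+all)         v10=1; v11=1 ;;
            -all)             v10=0; v11=0 ;;
            TLSv1|+TLSv1)     v10=1 ;;
            -TLSv1)           v10=0 ;;
            TLSv1.1|+TLSv1.1) v11=1 ;;
            -TLSv1.1)         v11=0 ;;
        esac
    done
    [ "$v10" -eq 1 ] || [ "$v11" -eq 1 ]
}

# apache_ssl_lint FILE: print one line per finding; exit status = number of findings
apache_ssl_lint() {
    conf=$1; findings=0
    # every SSLProtocol value in the file, keyword and leading whitespace stripped
    protos=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]][[:space:]]*//p' "$conf")
    if grep -q '^[[:space:]]*SSLEngine[[:space:]][[:space:]]*on' "$conf" && [ -z "$protos" ]; then
        echo "WEAK: SSLEngine on without an SSLProtocol directive; mod_ssl's default does not exclude TLS 1.0/1.1"
        findings=$((findings + 1))
    fi
    while read -r value; do
        [ -n "$value" ] || continue
        if ssl_protocol_allows_legacy_tls "$value"; then
            echo "WEAK: 'SSLProtocol $value' still permits TLS 1.0/1.1; use 'SSLProtocol -all +TLSv1.2 +TLSv1.3'"
            findings=$((findings + 1))
        fi
    done <<EOF
$protos
EOF
    if grep -q '^[[:space:]]*SSLCertificateChainFile' "$conf"; then
        echo "DEPRECATED: SSLCertificateChainFile (since httpd 2.4.8); point SSLCertificateFile at fullchain.pem instead"
        findings=$((findings + 1))
    fi
    if grep -q '^[[:space:]]*<VirtualHost[[:space:]].*:80>' "$conf" \
       && ! grep -Eq '^[[:space:]]*(RewriteRule|Redirect)[[:space:]].*https://' "$conf"; then
        echo "MISSING: the port-80 vhost does not redirect to https://"
        findings=$((findings + 1))
    fi
    return $findings
}

# write_page_vhost FILE: constructed copy of the page's default-ssl.conf (port 443)
write_page_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    DocumentRoot "/srv/www/htdocs/[FQDN]"
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/letsencrypt/live/[FQDN]/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/[FQDN]/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/[FQDN]/chain.pem
</VirtualHost>
EOF
}

# write_hardened_vhost FILE: the same vhost with both findings fixed
write_hardened_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    DocumentRoot "/srv/www/htdocs/[FQDN]"
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile /etc/letsencrypt/live/[FQDN]/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/[FQDN]/privkey.pem
</VirtualHost>
EOF
}

# write_page_redirect_vhost FILE: constructed copy of the page's port-80 redirect vhost
write_page_redirect_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName [FQDN]
    DocumentRoot /srv/www/htdocs/[FQDN]
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF
}

# usage: sh apache-ssl-lint.sh /etc/apache2/vhosts.d/default-ssl.conf
if [ "$#" -gt 0 ]; then
    apache_ssl_lint "$1"
fi
```

Run it over each file in /etc/apache2/vhosts.d/ after editing and again after every change; an exit status of 0 means no findings. The page's default-ssl.conf produces two findings (legacy TLS versions and the deprecated chain directive), the hardened variant none, and the page's port-80 vhost passes the redirect check.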