1.Obtain an SSL Certificate (Let's Encrypt)
1.1 advance preparation
1.Enable mod_ssl
# a2enmod ssl
2.Package management system Snappy installation
Since the SSL certificate issuing tool "certbot" of Let's Encrypt is recommended to be installed using "snap" after 2021, install Snapd first.
Add snappy repository.:
# zypper addrepo --refresh https://download.opensuse.org/repositories/system:/snappy/openSUSE_Tumbleweed snappy
Import its GPG key:
# zypper --gpg-auto-import-keys refresh
Upgrade the package cache to include the new snappy repository:
# zypper dup --from snappy
Install snapd
# zypper -n install snapd
You will then need to reboot, logout/login, or run /etc/profile source to add /snap/bin to your PATH. In addition, enable and start both the snapd service and the snapd.apparmor service using the following command
# systemctl enable --now snapd
# systemctl enable --now snapd.apparmor
Enable Classic Snap Support
# ln -s /var/lib/snapd/snap /snap
Bring snapd version up to date
# snap install core
Update core package
# snap refresh core
Version Confirmation
# snap --version
snap 2.75.2
snapd 2.75.2
series 16
opensuse-tumbleweed 20260619
kernel 7.0.12-1-default
architecture amd64
1.2 Obtaining Certificates
Install the Certbot package and obtain a Let's Encrypt certificate.
# snap install certbot --classic
certbot 5.6.0 from Certbot Project (certbot-eff✓) installed
# certbot certonly --webroot -w /srv/www/htdocs/<FQDN> -d <FQDN>
# Registration of e-mail address and agreement to terms of use are required for the first time only.
# Specify an email address to receive
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address or hit Enter to skip.
(Enter 'c' to cancel): [mail address]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.7-June-04-2026.pdf
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for [FQDN]
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ [FQDN]/fullchain.pem
Key is saved at: /etc/letsencrypt/live/ [FQDN]/privkey.pem
This certificate expires on 2026-09-21.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - L
Success if displayed"Successfully received certificate"
The following certificate is obtained under [/etc/letsencrypt/live//] as described in the message
# cert.pem ⇒ SSL server certificate (including public key)
# chain.pem ⇒ intermediate certificate
# fullchain.pem ⇒ File containing cert.pem and chain.pem combined
# privkey.pem ⇒ private key
2. Web server SSL conversion
2.1 SSL Configuration
# a2enmod -l
actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout cgid php8
# vi /etc/apache2/listen.conf
Line 17: Uncomment
Listen 443
# vi /etc/apache2/vhosts.d/default-ssl.conf
# Create a new entry and enter the following information
<VirtualHost *:443>
DocumentRoot "/srv/www/htdocs/[FQDN]"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/letsencrypt/live/[FQDN]/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[FQDN]/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/[FQDN]/chain.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/srv/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
Restart Apache
# systemctl restart apache2
2.2 Redirect HTTP communications to HTTPS
To redirect HTTP traffic to HTTPS, add the following to the virtual host configuration file "vhost.conf":
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# vi /etc/apache2/vhosts.d/vhost.conf
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
ServerName [FQDN]
ServerAdmin [Email address]
DocumentRoot /srv/www/htdocs/[FQDN]
ErrorLog /var/log/apache2/[FQDN].error.log
CustomLog /var/log/apache2/[FQDN].access.log combined
LogLevel warn
</VirtualHost>
Enable rewrite
# a2enmod rewrite
Restart Apache
# systemctl restart apache2
HTTPS service must be allowed if Firewalld is enabled; HTTPS uses 443/TCP.
# firewall-cmd --add-service=https --permanent
success
# firewall-cmd --reload
success
