As an online business owner, ensuring secure communication between your server and client applications is of utmost importance. One way to achieve this is by installing an SSL certificate. An SSL certificate, with the right configurations, enables communication over TLS or SSL protocols, providing a secure environment for your users.
In this tutorial, we will guide you through the process of installing a self-signed SSL certificate on Ubuntu 20.04 LTS using OpenSSL. We will also show you how to configure the virtual hosts of Apache and server blocks of Nginx to enforce communication over TLS/SSL protocols.
Step 1: Creating the Directory and Generating the SSL Certificate
The first step is to create a directory to store the SSL certificate. Open a terminal and execute the following command:
sudo mkdir /etc/secure/
Next, generate the self-signed SSL certificate by executing the following command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/secure/example.com.key -out /etc/secure/example.com.crt
Make sure to replace “example.com” with your own domain. When prompted, provide the necessary details such as the country code, state/province, city/location, organization name, organizational unit name, common name (e.g., server FQDN or your name), and email address.
The openssl command is used to generate the self-signed SSL certificate. Here’s a breakdown of the parameters used:
- req: Selects the OpenSSL subcommand for X.509 certificate signing request (CSR) management.
- -x509: Specifies that we want a self-signed certificate instead of a certificate signing request.
- -nodes: Skips protecting the private key with a passphrase, so the key file is written unencrypted.
- -days: Sets the number of days for which the certificate remains valid. In this example, we have set it to 365 to generate a certificate with a one-year validity.
- -newkey: Generates a new key and a new certificate using RSA with a key length of 2048 bits.
- -keyout: Specifies the path to save the key file.
- -out: Specifies the path to save the certificate file.
Upon successfully executing the command, OpenSSL will generate the private key and certificate at /etc/secure/example.com.key and /etc/secure/example.com.crt, respectively.
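The script below is an added example, not part of the original tutorial: it runs the Step 1 command without prompts and then checks what a server operator would want to confirm before pointing Apache or Nginx at the files (key and certificate belong together, the hostname is listed as a subjectAltName, the validity window, and owner-only key permissions). It goes slightly beyond the tutorial's command by adding -subj and -addext, because current browsers and TLS clients match the hostname against subjectAltName rather than the common name. It assumes OpenSSL 1.1.1 or later, works in a temporary directory with the constructed domain example.test, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the tutorial): Step 1 without prompts, plus checks.
# Assumes OpenSSL 1.1.1+ for -addext; function names are hypothetical.

# gen_cert DIR DOMAIN: write DIR/DOMAIN.key and DIR/DOMAIN.crt
gen_cert() {
    (
        umask 077    # private key is owner-only from the moment it is created
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$2" \
            -addext "subjectAltName=DNS:$2,DNS:www.$2" \
            -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
    ) && chmod 644 "$1/$2.crt"    # the certificate is public data
}

# cert_key_match CRT KEY: succeed only if CRT carries KEY's public key
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_has_san CRT NAME: succeed if NAME is an exact DNS subjectAltName entry
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# cert_valid_for CRT SECONDS: succeed if CRT is still valid SECONDS from now
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

# file_mode FILE: print the permission string, e.g. -rw-------
file_mode() { ls -l "$1" | cut -c1-10; }

# Demo in a throwaway directory (constructed domain example.test).
demo() {
    d=$(mktemp -d) || return 1
    gen_cert "$d" example.test || return 1
    cert_key_match "$d/example.test.crt" "$d/example.test.key" && echo "key/cert match"
    cert_has_san "$d/example.test.crt" www.example.test && echo "SAN present"
    cert_valid_for "$d/example.test.crt" 2592000 && echo "valid for 30+ days"
    echo "key mode: $(file_mode "$d/example.test.key")"
    rm -rf "$d"
}
demo
```

The same check functions can be pointed at /etc/secure/example.com.crt and /etc/secure/example.com.key after running the tutorial's command with sudo.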
Step 2: Configuring Apache Virtual Host
If you are using Apache as your web server, follow these steps to configure the virtual host and enforce communication over TLS/SSL protocols.
- Open the virtual host configuration file using a text editor. For example:
sudo nano /etc/apache2/sites-available/example.com.conf
- Inside the file, you will see the configuration for a normal virtual host without SSL. It should look similar to the following:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin@example.com
DocumentRoot /var/www/example.com/html
<Directory /var/www/example.com/html>
Options -Indexes +FollowSymLinks
DirectoryIndex index.html
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/www/example.com/logs/error.log
CustomLog /var/www/example.com/logs/access.log combined
</VirtualHost>
- Now, add another virtual host configuration using port 443 to enable HTTPS. Open a new file using the following command:
sudo nano /etc/apache2/sites-available/example.com-ssl.conf
- Inside the file, add the following configuration:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin@example.com
DocumentRoot /var/www/example.com/html
<Directory /var/www/example.com/html>
Options -Indexes +FollowSymLinks
DirectoryIndex index.php
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/www/example.com/logs/error.log
CustomLog /var/www/example.com/logs/access.log combined
SSLCertificateFile /etc/secure/example.com.crt
SSLCertificateKeyFile /etc/secure/example.com.key
</VirtualHost>
</IfModule>
- Now, update the existing virtual host configuration to redirect HTTP requests to HTTPS. Open the file using the following command:
sudo nano /etc/apache2/sites-available/example.com.conf
- Inside the file, add the following configuration block at the end:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin@example.com
DocumentRoot /var/www/example.com/html
<Directory /var/www/example.com/html>
Options -Indexes +FollowSymLinks
DirectoryIndex index.html
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/www/example.com/logs/error.log
CustomLog /var/www/example.com/logs/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com [OR]
RewriteCond %{SERVER_NAME} =www.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
- Save and exit the text editor.
- Enable the new virtual host by running the following command:
sudo a2ensite example.com-ssl
- Enable the required modules by executing the following commands:
sudo a2enmod rewrite
sudo a2enmod ssl
- Finally, restart Apache for the changes to take effect:
sudo systemctl restart apache2
Step 3: Configuring Nginx Server Block
If you are using Nginx as your web server, follow these steps to configure the server block and enforce communication over TLS/SSL protocols.
- Open the server block configuration file using a text editor. For example:
sudo nano /etc/nginx/sites-available/example.com
- Inside the file, you will see the configuration for a normal server block without SSL. It should look similar to the following:
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com/html;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ /\.ht {
        deny all;
    }
}
- Now, update the server block configuration to redirect HTTP requests to HTTPS and configure the SSL certificate and key. Open the same file again using the following command:
sudo nano /etc/nginx/sites-available/example.com
- Inside the file, replace the existing configuration with the following:
server {
    listen 80;
    server_name example.com www.example.com;
    # Redirect to HTTPS
    return 301 https://$host$request_uri;
}
server {
    # listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com/html;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ /\.ht {
        deny all;
    }
    listen 443 ssl;
    ssl_certificate /etc/secure/example.com.crt;
    ssl_certificate_key /etc/secure/example.com.key;
}
- Save and exit the text editor.
- Reload Nginx to apply the changes:
sudo systemctl reload nginx
Congratulations! You have successfully installed a self-signed SSL certificate on Ubuntu 20.04 LTS and configured the virtual hosts of Apache or server blocks of Nginx to enforce communication over TLS/SSL protocols. Your website is now more secure, providing a safe environment for your users.
Please keep in mind that self-signed SSL certificates may show security warnings to users since they are not recognized by trusted certificate authorities. These certificates are typically used for testing and development purposes. If you require a certificate recognized by trusted authorities, consider obtaining one from reputable providers like Let’s Encrypt, Comodo, or VeriSign.
If you have any further questions or need assistance, feel free to reach out to our team at Shape.host. We specialize in providing reliable and secure cloud hosting solutions tailored to your business needs.