Installing an SSL certificate and enabling https was a faff; here are my notes.
Firstly, my DNS provider is NOIP, and I chose to get a TrustCOR certificate through their portal. Their free service offers a single certificate as a bundled feature.
Basically, the process is in three parts: get a certificate, configure Apache, and configure the firewall.
The NOIP Portal
Go to “My Services > SSL Certificates”; there are four help pages. The first, generate a CSR, pointed me at “Apache OpenSSL“; read this all, and note that the country code for where I live is GB, not UK, and that they require a state/province field. This use of openssl generates the private key as well as the CSR. The installation guide is at apache-ssl-installation; I wish I’d read it thoroughly, although as of Apache 2.4.8 it is no longer necessary to separately define the ‘chain’ file. The portal offers a feature to download the certificate; do so and copy it to /etc/ssl/certs.
I installed a new cert in 2024; it was much easier, see the comment dated Feb 2024. Download it, copy it to the ./certs folder and then ensure the Apache config file points at it. The issuer documents the process here.
The Server
Firstly, mod_ssl and apache2 are already installed; this can be checked with both apt and ls /etc/apache2/mods-available. This guide assumes you have a certificate chain file (I had a .pem file) issued by a CA, and that you have its private key.
- The mod needs to be enabled: a2enmod ssl. A default SSL site file, default-ssl.conf, is already in ./sites-available (it is shipped with the apache2 package; enabling the module does not create it).
- The SSL .conf file needs to be edited. It lives in ./sites-available and is named default-ssl.conf, but ideally make a copy and change the basename, i.e. cp default-ssl.conf mydns.conf
- Then edit the two key-file parameters, SSLCertificateFile and SSLCertificateKeyFile, to use the .pem chain and the .key. The version of Apache I have (2.4.8) does not require the separate declaration of the chain file (SSLCertificateChainFile).
- My initial parameters are now set to: Listen 443; <VirtualHost *:443>; ServerName ${InternetName}. (https is port 443, not 433. On Debian, /etc/apache2/ports.conf already contains Listen 443, so the Listen line is only needed if it is missing there; declaring the same port twice stops apache starting with “Address already in use”.)
- a2ensite mydns.conf enables the site; note that a2dissite disables it if necessary.
- The hostname needs to match the hostname declared to the certificate; edit /etc/hosts and /etc/hostname.
- Then systemctl reload apache2, and systemctl restart apache2 for good measure.
- I was having problems getting it to work, because https was prohibited at the boundary, and so I ran hostname to change the hostname and put the FQDN into the hosts file. I am thus unsure whether this and the ServerName parameter are required. This may break something else.
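The CSR step from the portal section and the server steps above, pulled together as one script. This is an added example, not code from the original notes or from No-IP/TrustCor; the host name pi.example.org, the site name mydns, the locality fields in the CSR subject, the script name tls-setup.sh and the file paths are assumptions. It also makes explicit two things the notes only hint at: ServerName is what Apache compares with the name the browser asks for (SNI), so it must equal the CN/SAN in the certificate, while /etc/hostname has no bearing on TLS; and the key and certificate are checked to belong together before Apache is reloaded, which is the same check to run at renewal and after recovering keys from an old disk.

```shell
#!/bin/sh
# Added example, not from the original page: the "get a certificate / configure
# apache" steps as one script for Debian/Raspbian. Run as root. The host name,
# site name, locality and paths are assumptions; change them to your own.
set -eu

PI_HOST="${PI_HOST:-pi.example.org}"        # must match the CN/SAN in the certificate
PI_SITE="${PI_SITE:-mydns}"                 # basename of the vhost file in sites-available
CERT="/etc/ssl/certs/${PI_HOST}.pem"        # chain file downloaded from the CA portal
KEY="/etc/ssl/private/${PI_HOST}.key"       # private key made by make_csr below
DOCROOT="/var/www/html"

# 1. Private key and CSR in one go. The country is the ISO 3166 code (GB, not UK)
#    and the CA insists on a state/province (ST); the values here are placeholders.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -out "/root/${PI_HOST}.csr" \
    -subj "/C=GB/ST=England/L=London/O=Home/CN=${PI_HOST}"
  chmod 600 "$KEY"
  echo "submit /root/${PI_HOST}.csr to the portal, then save the .pem chain as $CERT"
}

# 2. The vhost file. Two things that are easy to get wrong:
#    - https is port 443, and Debian's ports.conf already says "Listen 443" inside
#      <IfModule ssl_module>, so do not repeat Listen here (a duplicate Listen on
#      the same port stops apache starting with "Address already in use").
#    - from Apache 2.4.8 the chain goes in SSLCertificateFile; no ChainFile line.
render_vhost() {
  cat <<EOF
<VirtualHost *:80>
    ServerName ${PI_HOST}
    # plain http just bounces to https (a standby CNAME can be a ServerAlias here)
    Redirect permanent / https://${PI_HOST}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${PI_HOST}
    DocumentRoot ${DOCROOT}
    SSLEngine on
    SSLCertificateFile    ${CERT}
    SSLCertificateKeyFile ${KEY}
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000"
    </IfModule>
</VirtualHost>
EOF
}

# 3. Cheapest sanity check before touching apache: the certificate's public key
#    must equal the private key's public key (catches a stale key after a rebuild
#    or a renewal that was issued against a different CSR).
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# 4. Enable, syntax-check, reload, then look at what is actually served.
#    Renewal is the same: put the new .pem at $CERT (or point CERT at it) and rerun.
install_site() {
  cert_matches_key "$CERT" "$KEY" || { echo "$CERT does not match $KEY" >&2; exit 1; }
  render_vhost > "/etc/apache2/sites-available/${PI_SITE}.conf"
  a2enmod ssl headers
  a2ensite "$PI_SITE"
  apachectl configtest                 # wrong path, typo'd port or duplicate Listen show up here
  systemctl reload apache2
  # -verify_return_error makes s_client fail if the served chain does not verify
  # against the Pi's own CA bundle; the subject printed must show PI_HOST.
  out=$(mktemp)
  openssl s_client -connect "${PI_HOST}:443" -servername "$PI_HOST" \
    -verify_return_error </dev/null >"$out" 2>/dev/null
  openssl x509 -in "$out" -noout -subject -dates
  rm -f "$out"
}

case "${1:-}" in
  csr)     make_csr ;;
  install) install_site ;;
  *)       echo "usage: $0 csr|install" ;;
esac
```

Run `sudo sh tls-setup.sh csr` first, submit the CSR through the portal, save the downloaded chain as the file named in CERT, then `sudo sh tls-setup.sh install`. The last step is the one to repeat when the portal hands you a renewed certificate, and it is also what tells you, from the Pi itself, whether the router's https rule is letting port 443 through when run from a machine outside the LAN.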
Firewall
- I use a BT HomeHub (5A) and it needed an https rule (forwarding port 443 to the Pi) to be set, because I had not set one before. Not doing this first probably cost me days.
Help
I found these sites helpful
- Adding https to the raspberry pi apache web server, from variax.wordpress.com, uses local certs but documents making a key pair using openssl and the changes needed in the .conf file; and How to Host Multiple Websites with Apache Virtual Hosts.
- How to enable/disable a website, from linode.com, talks about the conf file and the a2 commands; also Enable mod_ssl Apache, on the commands, mainly systemctl, from ubiq.co; but also 14 Apache commands to help you manage your server like a pro, from devdojo, which also documents the commands and has more than ubiq’s.
- Here’s YAF page, How to install an SSL certificate on Apache, from www.ssls.com.
- Apache loads mod_ssl but IfModule mod_ssl.c ignored in my vhosts, from stackoverflow; the order of the include statements is important, but this was not relevant to me.
- An example vhosts file from Apache, and a how-to, again from Apache; both major on the .conf file settings.
- and Set new hostname raspberry pi, which points at raspi-config.
- A page on Remapping, from Apache, was used to redirect port 80 to the https port; I needed a CNAME in DNS to redirect the standby name.
- man openssl from linux.die.net, on how to make the key pair.
See also https://davelevy.info/wiki/raspberry-pi-iii/#comment-148525
Remember to back up your certificates and keys. I needed to rebuild the Pi and found that my certificate vendor had decided to withdraw the offer, so I needed to recover the keys from the old disk. More faff. I did so by rebooting from the old disk and copying the certs to the new disk. Mounting a Raspbian boot disk on a Windows laptop seems harder than I want, and the best advice would seem to be as above.
Over the winter of 2023/2024, I had to renew the certificate. The complexity of the install frightened me, but this is what I eventually did. I logged into the website, downloaded the new pem-chain file and moved it to /etc/ssl/certs. I then edited the SSLCertificateFile parameter in the Apache config file, as the file had a new name, and then restarted the Apache server. It was simple; next time have no fear.