{"id":6840,"date":"2022-11-27T12:22:10","date_gmt":"2022-11-27T12:22:10","guid":{"rendered":"https:\/\/davelevy.info\/wiki\/?p=6840"},"modified":"2025-07-22T23:22:17","modified_gmt":"2025-07-22T23:22:17","slug":"ssl-on-a-raspberry-pi","status":"publish","type":"post","link":"https:\/\/davelevy.info\/wiki\/ssl-on-a-raspberry-pi\/","title":{"rendered":"SSL on a Raspberry Pi"},"content":{"rendered":"\n

Installing an SSL certificate and enabling https was a faff, here are my notes. Now including postfix and dovecot…
<\/p>\n\n\n\n\n\n\n\n

Firstly, my DNS provider is NOIP, and I chose to get a TrustCOR certificate through their portal. Their free service offers a single certificate as a bundled feature.<\/p>\n\n\n\n

Basically, the process is in three parts, get a certificate, configure apache, & configure the firewall.<\/p>\n\n\n\n

The NOIP Portal<\/h3>\n\n\n\n

Go to “My Services > SSL Certificates”, there are four help pages, generate a CSR<\/a>, which pointed my at “Apache OpenSSL<\/a>“; read this all and note that the Country code of where I live is GB not UK and they require a state\/province field. This use of openssl<\/code> generates the private key. The installation guide is at apache-ssl-installation<\/a>, wish I’d read it thoroughly, although at Apache 2.4.8, it is no longer necessary to separately define the ‘chain’ file. The portal offers a feature to down load the certificate, do so and copy to \/etc\/ssl\/certs<\/code>.<\/p>\n\n\n\n

I installed a new cert in 2024, it was much easier, see the comment dated Feb 2024. Download it, copy to the .\/certs folder and then ensure the apache config file points at it. The issuer documents the process here<\/a>.<\/p>\n\n\n\n

The Server<\/h3>\n\n\n\n

Firstly, mod_ssl<\/code> and apache2<\/code> are already installed, this can be checked with both apt and ls \/etc\/apache\/mods-available<\/code>. This guide assumes you have certificate chain file, I had a .pem file and that this is issued by a CA and that you have its private key.<\/p>\n\n\n\n

    \n
  1. The mod needs to be enabled a2enmod ssl<\/code>. This creates a default ssl conf file in .\/sites-available.<\/li>\n\n\n\n
  2. The SSL .conf file needs to be edited. This is in the .\/sites-available<\/code>, and it was created by the enable mod command i.e. a2enmod ssl<\/code> ; its name is 000-default-ssl.conf<\/code> but ideally make a copy and change the basename. i.e. cp default-ssl.conf mydns.conf<\/code><\/li>\n\n\n\n
  3. Then edit the two keyfile parameters<\/a>, use the .pem-chain and .key. The version of Apache I have (2.4.8) does not require the separate declaration of the chain file.<\/li>\n\n\n\n
  4. My initial parameters are now set to, Listen 433; <VirtualHost *:433>; ServerName ${InternetName}<\/code><\/li>\n\n\n\n
  5. a2ensite $(basename ${conf.file})<\/code> enables the site, note that a2dissite<\/code> disables it if necessary.<\/li>\n\n\n\n
  6. the hostname needs to match the hostname declared to the certificate, edit \/etc\/hosts<\/code> and \/etc\/hostname<\/code><\/li>\n\n\n\n
  7. then systemctl reload apache2<\/code> and systemctl restart apache2<\/code> for good measure<\/li>\n\n\n\n
  8. I was having problems getting it to work, because https was prohibited at the boundary,  and so I ran hostname <\/code>to change the hostname and put the FQDN into the hosts file. I am thus unsure if this and the ServerName parameter is required. This may break something else.<\/li>\n<\/ol>\n\n\n\n

    Firewall<\/h3>\n\n\n\n
      \n
    1. I use a BT HomeHub (5A) and it needed an https rule to be set because I had not set one before. Not doing this first, probably cost me days.<\/li>\n<\/ol>\n\n\n\n

      See also https:\/\/davelevy.info\/wiki\/raspberry-pi-iii\/#comment-148525<\/a><\/p>\n\n\n\n

      \n\n\n\n

      Postfix & Dovecot<\/h3>\n\n\n\n

      These notes were generated by Google AI Perspectives.<\/p>\n\n\n\n

      To secure Postfix email server on Raspbian with SSL\/TLS, you’ll need to generate or obtain an SSL\/TLS certificate, configure Postfix to use it, and verify the setup. This involves editing the Postfix main.cf file, setting up the necessary paths for the certificate and key, and potentially configuring Dovecot for secure email access. <\/p>\n\n\n\n

      1. Generating or Obtaining an SSL\/TLS Certificate:<\/p>\n\n\n\n