SSL Configuration

SSL Configuration for rConfig V8

SSL/TLS encryption is essential for securing rConfig V8 communications, protecting sensitive network device credentials, and ensuring data integrity. This guide covers both Let’s Encrypt (automated, trusted certificates) and self-signed certificates (internal/development environments) across supported operating systems.

Caution

Some features in rConfig V8, such as clipboard operations and API integrations, require valid SSL configuration. Without SSL, these features may not function correctly.

Note

While we strongly recommend implementing SSL, the diverse range of environments means we cannot provide direct support for SSL configuration. Consult your SSL solution’s documentation for environment-specific guidance.

Prerequisites

Before configuring SSL, verify:

• Domain configuration: Domain properly configured and resolving to your server
• Apache installed: Apache web server installed and running
• Firewall rules: Ports 80 (HTTP) and 443 (HTTPS) open
• Root access: Sudo or root privileges on the server
• For Let’s Encrypt: Domain must be publicly accessible for certificate validation

Understanding SSL Certificate Options

Let’s Encrypt Certificates

Best for: Production environments with public-facing domains

Advantages:

• Free, automated certificate management
• Trusted by all major browsers
• 90-day validity with automated renewal
• Industry-standard security

Requirements:

• Publicly accessible domain
• Valid DNS records
• Port 80 accessible for validation

Self-Signed Certificates

Best for: Internal networks, development, testing environments

Advantages:

• No external dependencies
• Works in air-gapped environments
• Complete control over certificate properties
• No expiration concerns for long-term internal use

Limitations:

• Browser security warnings (certificate not trusted)
• Not suitable for public-facing production environments
• Users must manually accept certificate

SSL Configuration

Let's Encrypt - Rocky/RHEL

Let’s Encrypt SSL - Rocky Linux/CentOS/RHEL

Step 1: Update system packages

yum -y update

Step 2: Install mod_ssl

yum -y install mod_ssl

Step 3: Install certbot and dependencies

# Enable EPEL repository
yum -y install epel-release

# Install required utilities
yum -y install yum-utils

# Install certbot for Apache
yum -y install certbot python3-certbot-apache

Step 4: Obtain SSL certificate

Stop Apache temporarily to allow certbot to bind to port 80:

systemctl stop httpd

Run certbot:

certbot --apache

Follow the interactive prompts:

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: yourdomainname.com
2: rconfig.yourdomainname.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Press Enter to select all domains, then choose redirect option:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Step 5: Verify Apache configuration

Certbot automatically updates your Apache configuration. Verify the changes:

# Check configuration syntax
httpd -t

# View SSL virtual host configuration
cat /etc/httpd/conf/httpd-le-ssl.conf

Step 6: Configure automatic renewal

Create a renewal cron job:

crontab -e

Add this line to renew certificates twice daily:

0 */12 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload httpd"

Step 7: Test renewal process

certbot renew --dry-run

Expected output should indicate successful simulation:

Congratulations, all simulated renewals succeeded

Step 8: Start Apache

systemctl start httpd
systemctl enable httpd

Step 9: Verify HTTPS access

curl -I https://your-domain.com

Let's Encrypt - Ubuntu

Let’s Encrypt SSL - Ubuntu

Step 1: Update system packages

apt update && apt upgrade -y

Step 2: Install certbot

apt install -y certbot python3-certbot-apache

Step 3: Obtain SSL certificate

Stop Apache temporarily:

systemctl stop apache2

Run certbot:

certbot --apache

Follow the interactive prompts:

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: yourdomainname.com
2: rconfig.yourdomainname.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Press Enter to select all domains, then choose redirect option:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Step 4: Verify Apache configuration

# Check configuration syntax
apache2ctl configtest

# View SSL site configuration
cat /etc/apache2/sites-available/000-default-le-ssl.conf

Step 5: Configure automatic renewal

Ubuntu typically configures automatic renewal via systemd timer. Verify:

# Check timer status
systemctl status certbot.timer

# Enable timer if not active
systemctl enable certbot.timer
systemctl start certbot.timer

Step 6: Test renewal process

certbot renew --dry-run

Expected output:

Congratulations, all simulated renewals succeeded

Alternative: Manual crontab setup

If systemd timer is unavailable:

crontab -e

Add:

0 */12 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload apache2"

Step 7: Start Apache

systemctl start apache2
systemctl enable apache2

Step 8: Verify HTTPS access

curl -I https://your-domain.com

Self-Signed - Rocky/RHEL

Self-Signed SSL - Rocky Linux/CentOS/RHEL

Note

Self-signed certificates generate browser warnings. Use only for internal networks or development environments.

Step 1: Install required packages

yum -y install mod_ssl openssl

Step 2: Create SSL directories

mkdir -p /etc/ssl/private
mkdir -p /etc/ssl/certs

Step 3: Generate private key

openssl genrsa -out /etc/ssl/private/rconfig.key 2048

Step 4: Generate certificate signing request (CSR)

openssl req -new -key /etc/ssl/private/rconfig.key -out /etc/ssl/certs/rconfig.csr

You’ll be prompted for certificate information:

Country Name (2 letter code) [XX]: US
State or Province Name (full name) []: California
Locality Name (eg, city) []: San Francisco
Organization Name (eg, company) []: Your Organization
Organizational Unit Name (eg, section) []: IT Department
Common Name (eg, your server's hostname) []: rconfig.yourdomainname.com
Email Address []: [email protected]

Step 5: Generate self-signed certificate

# Valid for 365 days (adjust -days value as needed)
openssl x509 -req -days 365 -in /etc/ssl/certs/rconfig.csr \
  -signkey /etc/ssl/private/rconfig.key \
  -out /etc/ssl/certs/rconfig.crt

Step 6: Set proper permissions

chmod 600 /etc/ssl/private/rconfig.key
chmod 644 /etc/ssl/certs/rconfig.crt
chown root:root /etc/ssl/private/rconfig.key
chown root:root /etc/ssl/certs/rconfig.crt

Step 7: Create SSL virtual host configuration

vim /etc/httpd/conf.d/rconfig-ssl.conf

Add the following configuration:

# HTTPS Virtual Host
<VirtualHost *:443>
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    DocumentRoot /var/www/html/rconfig8/current/public

    # SSL Configuration
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/rconfig.crt
    SSLCertificateKeyFile /etc/ssl/private/rconfig.key

    # Modern SSL/TLS Configuration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off

    # Security Headers
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Laravel Application Configuration
    <Directory /var/www/html/rconfig8/current/public>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # Error and Access Logs
    ErrorLog /var/log/httpd/rconfig-ssl-error.log
    CustomLog /var/log/httpd/rconfig-ssl-access.log combined
</VirtualHost>

# HTTP to HTTPS Redirect
<VirtualHost *:80>
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    Redirect permanent / https://your-domain.com/
</VirtualHost>

Step 8: Test Apache configuration

httpd -t

Expected output:

Syntax OK

Step 9: Restart Apache

systemctl restart httpd
systemctl enable httpd

Step 10: Configure firewall

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

Step 11: Verify HTTPS access

curl -Ik https://your-domain.com

Self-Signed - Ubuntu

Self-Signed SSL - Ubuntu

Note

Self-signed certificates generate browser warnings. Use only for internal networks or development environments.

Step 1: Install required packages

apt update
apt install -y apache2 openssl

Step 2: Enable required Apache modules

a2enmod ssl
a2enmod headers
a2enmod rewrite

Step 3: Create SSL directories

mkdir -p /etc/ssl/private
mkdir -p /etc/ssl/certs

Step 4: Generate private key

openssl genrsa -out /etc/ssl/private/rconfig.key 2048

Step 5: Generate certificate signing request (CSR)

openssl req -new -key /etc/ssl/private/rconfig.key -out /etc/ssl/certs/rconfig.csr

You’ll be prompted for certificate information:

Country Name (2 letter code) [XX]: US
State or Province Name (full name) []: California
Locality Name (eg, city) []: San Francisco
Organization Name (eg, company) []: Your Organization
Organizational Unit Name (eg, section) []: IT Department
Common Name (eg, your server's hostname) []: rconfig.yourdomainname.com
Email Address []: [email protected]

Step 6: Generate self-signed certificate

# Valid for 365 days (adjust -days value as needed)
openssl x509 -req -days 365 -in /etc/ssl/certs/rconfig.csr \
  -signkey /etc/ssl/private/rconfig.key \
  -out /etc/ssl/certs/rconfig.crt

Step 7: Set proper permissions

chmod 600 /etc/ssl/private/rconfig.key
chmod 644 /etc/ssl/certs/rconfig.crt
chown root:root /etc/ssl/private/rconfig.key
chown root:root /etc/ssl/certs/rconfig.crt

Step 8: Create SSL site configuration

vim /etc/apache2/sites-available/rconfig-ssl.conf

Add the following configuration:

# HTTPS Virtual Host
<VirtualHost *:443>
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    DocumentRoot /var/www/html/rconfig8/current/public

    # SSL Configuration
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/rconfig.crt
    SSLCertificateKeyFile /etc/ssl/private/rconfig.key

    # Modern SSL/TLS Configuration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off

    # Security Headers
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Laravel Application Configuration
    <Directory /var/www/html/rconfig8/current/public>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # Error and Access Logs
    ErrorLog ${APACHE_LOG_DIR}/rconfig-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/rconfig-ssl-access.log combined
</VirtualHost>

# HTTP to HTTPS Redirect
<VirtualHost *:80>
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    Redirect permanent / https://your-domain.com/
</VirtualHost>

Step 9: Test Apache configuration

apache2ctl configtest

Expected output:

Syntax OK

Step 10: Enable SSL site and disable default

a2ensite rconfig-ssl.conf
a2dissite 000-default.conf

Step 11: Restart Apache

systemctl restart apache2
systemctl enable apache2

Step 12: Configure firewall (if UFW is enabled)

ufw allow 'Apache Full'
ufw reload

Step 13: Verify HTTPS access

curl -Ik https://your-domain.com

Reverse Proxy Configuration

Note

When rConfig V8 operates behind a reverse proxy (such as nginx, HAProxy, or cloud load balancers), configure the application to recognize HTTPS connections properly.

Step 1: Edit environment configuration

vim /var/www/html/rconfig8/current/.env

Step 2: Add or modify the following variable

APP_FORCE_HTTPS=true

Step 3: Configure trusted proxy headers (if needed)

If your reverse proxy uses non-standard headers, also configure:

# Add these lines to .env
TRUSTED_PROXIES=*
# Or specify specific proxy IP addresses:
# TRUSTED_PROXIES=10.0.0.1,10.0.0.2

Step 4: Save and exit

Press Esc, then type :wq and hit Enter.

Step 5: Clear application cache

php /var/www/html/rconfig8/current/artisan config:clear
php /var/www/html/rconfig8/current/artisan cache:clear
php /var/www/html/rconfig8/current/artisan route:clear
php /var/www/html/rconfig8/current/artisan view:clear

Step 6: Verify configuration

# Check if HTTPS is enforced
curl -I http://your-domain.com

You should see a redirect to HTTPS or the application responding with HTTPS-aware headers.

Verification and Testing

Basic HTTPS Verification

Test HTTPS response:

curl -I https://your-domain.com

Expected headers should include:

HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff

Test HTTP to HTTPS redirect:

curl -I http://your-domain.com

Expected response:

HTTP/1.1 301 Moved Permanently
Location: https://your-domain.com/

Certificate Validation

Check certificate details:

openssl s_client -connect your-domain.com:443 -servername your-domain.com | openssl x509 -noout -text

Verify certificate expiration:

echo | openssl s_client -servername your-domain.com -connect your-domain.com:443 2>/dev/null | openssl x509 -noout -dates

SSL Configuration Testing

Online SSL testing tools:

• SSL Labs SSL Test - Comprehensive SSL/TLS configuration analysis
• SSL Checker - Quick certificate validation
• Mozilla Observatory - Security headers and best practices

Tip

Use the Mozilla SSL Configuration Generator to generate optimized SSL configurations for your environment.

Troubleshooting

Configuration Issues

Apache fails to start

Symptoms:

• Apache service fails to start after SSL configuration
• Error messages in system logs

Diagnosis:

Check Apache configuration syntax:

# Rocky/RHEL/CentOS
httpd -t

# Ubuntu
apache2ctl configtest

Check Apache error logs:

# Rocky/RHEL/CentOS
tail -50 /var/log/httpd/error_log

# Ubuntu
tail -50 /var/log/apache2/error.log

Common Causes:

1. Syntax errors in virtual host configuration
2. Missing or incorrect SSL certificate paths
3. SSL module not loaded
4. Port 443 already in use by another process

Resolution:

For syntax errors, review the error message and correct the configuration file:

# Rocky/RHEL/CentOS
vim /etc/httpd/conf.d/rconfig-ssl.conf

# Ubuntu
vim /etc/apache2/sites-available/rconfig-ssl.conf

For missing SSL module:

# Rocky/RHEL/CentOS
yum install -y mod_ssl

# Ubuntu
a2enmod ssl

Check if port 443 is in use:

netstat -tlnp | grep :443
# or
ss -tlnp | grep :443

Certificate file permission errors

Symptoms:

• Apache logs show “Permission denied” for certificate files
• SSL handshake failures

Diagnosis:

Check current permissions:

ls -la /etc/ssl/private/rconfig.key
ls -la /etc/ssl/certs/rconfig.crt

Resolution:

Set correct permissions and ownership:

chmod 600 /etc/ssl/private/rconfig.key
chmod 644 /etc/ssl/certs/rconfig.crt
chown root:root /etc/ssl/private/rconfig.key
chown root:root /etc/ssl/certs/rconfig.crt

Restart Apache:

# Rocky/RHEL/CentOS
systemctl restart httpd

# Ubuntu
systemctl restart apache2

HTTP to HTTPS redirect not working

Symptoms:

• HTTP requests are not redirected to HTTPS
• Users can access site via HTTP

Diagnosis:

Test redirect manually:

curl -I http://your-domain.com

Check virtual host configuration:

# Rocky/RHEL/CentOS
httpd -S

# Ubuntu
apache2ctl -S

Resolution:

Verify HTTP virtual host has redirect directive:

<VirtualHost *:80>
    ServerName your-domain.com
    Redirect permanent / https://your-domain.com/
</VirtualHost>

If using .htaccess, ensure mod_rewrite is enabled:

# Ubuntu
a2enmod rewrite
systemctl restart apache2

Network Issues

Firewall blocking HTTPS connections

Symptoms:

• HTTPS works locally but not remotely
• Connection timeout when accessing via HTTPS
• Certificate works but clients cannot connect

Diagnosis:

Check if firewall is active:

# Rocky/RHEL/CentOS
firewall-cmd --state

# Ubuntu
ufw status

Test local vs. remote connectivity:

# Local test
curl -I https://localhost

# Remote test (from another machine)
telnet your-domain.com 443

Resolution:

Allow HTTPS through firewall:

# Rocky/RHEL/CentOS
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=http
firewall-cmd --reload

# Verify rules
firewall-cmd --list-services

# Ubuntu
ufw allow 80/tcp
ufw allow 443/tcp
ufw reload

# Verify rules
ufw status

For cloud environments, also check:

• Security group rules (AWS, Azure, GCP)
• Network ACLs
• Load balancer configuration

SELinux blocking certificate access

Symptoms:

• Apache cannot read certificate files despite correct permissions
• SELinux audit logs show denials
• Only occurs on RHEL/CentOS/Rocky systems

Diagnosis:

Check SELinux status:

getenforce

Check for SELinux denials:

ausearch -m avc -ts recent | grep httpd

Resolution:

Set correct SELinux context for certificate files:

semanage fcontext -a -t httpd_sys_content_t "/etc/ssl/certs/rconfig.crt"
semanage fcontext -a -t httpd_sys_content_t "/etc/ssl/private/rconfig.key"
restorecon -Rv /etc/ssl/

If semanage is not available:

yum install -y policycoreutils-python-utils

Allow Apache to read certificate locations:

setsebool -P httpd_read_user_content 1

Restart Apache:

systemctl restart httpd

Certificate Issues

Let’s Encrypt certificate generation fails

Symptoms:

• Certbot fails with validation errors
• Domain validation cannot complete
• Rate limit errors

Diagnosis:

Check domain accessibility from public internet:

curl -I http://your-domain.com

Verify DNS resolution:

nslookup your-domain.com
dig your-domain.com

Check certbot logs:

tail -50 /var/log/letsencrypt/letsencrypt.log

Common Causes:

1. Domain not publicly accessible (internal network)
2. DNS not propagated or misconfigured
3. Port 80 blocked by firewall
4. Web server not running during validation
5. Rate limits exceeded (5 certificates per domain per week)

Resolution:

For DNS issues, verify A record points to correct IP:

dig +short your-domain.com

For firewall issues, temporarily allow port 80:

# Rocky/RHEL/CentOS
firewall-cmd --add-service=http

For rate limit issues, use staging environment for testing:

certbot --apache --staging

Once working, obtain production certificate:

certbot --apache --force-renewal

SSL certificate warnings in browser

Symptoms:

• Browser shows “Not Secure” or certificate warning
• Certificate error messages
• Users must manually accept certificate

Diagnosis:

Check certificate details in browser (click on padlock icon)

Verify certificate chain:

openssl s_client -connect your-domain.com:443 -servername your-domain.com

For self-signed certificates:

This behavior is expected and normal. Self-signed certificates are not trusted by browsers because they’re not issued by a recognized Certificate Authority.

Solutions:

1. Use Let’s Encrypt for production environments
2. Add self-signed certificate to browser’s trusted certificates (for development)
3. Add certificate to organization’s certificate store (for internal networks)

For Let’s Encrypt certificates:

Common Causes:

1. Certificate expired
2. Domain name mismatch
3. Missing intermediate certificates
4. Mixed content (HTTP resources on HTTPS page)

Resolution:

Verify certificate is not expired:

echo | openssl s_client -servername your-domain.com -connect your-domain.com:443 2>/dev/null | openssl x509 -noout -dates

Check certificate matches domain:

echo | openssl s_client -servername your-domain.com -connect your-domain.com:443 2>/dev/null | openssl x509 -noout -subject

Renew expired certificate:

certbot renew --force-renewal

SSL renewal issues (Let’s Encrypt)

Symptoms:

• Certificate not renewing automatically
• Renewal errors in logs
• Certificate expired

Diagnosis:

Test renewal manually:

certbot renew --dry-run

Check crontab:

crontab -l | grep certbot

Check systemd timer (Ubuntu):

systemctl status certbot.timer
systemctl list-timers | grep certbot

Check certbot logs:

tail -50 /var/log/letsencrypt/letsencrypt.log

Resolution:

For missing cron job:

crontab -e
# Add: 0 */12 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload httpd"

For systemd timer issues (Ubuntu):

systemctl enable certbot.timer
systemctl start certbot.timer

For renewal failures, check:

1. Domain is still publicly accessible
2. Port 80 is open
3. Web server is running
4. No conflicting virtual hosts

Force manual renewal:

certbot renew --force-renewal

Best Practices

Security

Use strong TLS protocols: Disable outdated protocols (SSLv3, TLSv1.0, TLSv1.1) and use only TLS 1.2 and TLS 1.3.

Implement security headers: Configure HTTP security headers (HSTS, X-Frame-Options, CSP) to protect against common attacks.

Regular certificate renewal: Monitor certificate expiration dates. Let’s Encrypt certificates expire every 90 days—automated renewal is essential.

Protect private keys: Set restrictive permissions (600) on private key files. Never commit private keys to version control or share them.

Use strong key lengths: Generate RSA keys with at least 2048 bits. Consider 4096 bits for long-term certificates.

Performance

Enable HTTP/2: Modern browsers support HTTP/2 over TLS, significantly improving page load times for rConfig.

Configure session caching: Use SSL session tickets or session caching to reduce handshake overhead for returning clients.

Optimize cipher suites: Order cipher suites to prefer ECDHE for forward secrecy while maintaining compatibility.

Maintenance

Monitor certificate expiration: Set up alerts 30 days before certificate expiration. Test renewal processes regularly.

Review logs periodically: Check Apache SSL error logs for handshake failures or certificate issues.

Document custom configurations: Maintain documentation for any customizations to SSL configuration for future reference.

Test after updates: Verify SSL functionality after system updates or Apache configuration changes.

Organization

Standardize certificate locations: Use consistent paths across all servers (/etc/ssl/private/, /etc/ssl/certs/).

Name certificates clearly: Use descriptive names like rconfig-prod.crt or rconfig-dev.crt to identify purpose.

Backup certificates: Include SSL certificates and private keys in backup procedures. Store securely offline.

Related Documentation

• Authentication Overview - User authentication methods and configuration
• User Management - Creating and managing user accounts
• Role-Based Access Control - Configuring permissions and access levels
• Security Best Practices - General security recommendations for rConfig
• Security Best Practices - Comprehensive security hardening guide
• Firewall Configuration - Configuring firewall rules for rConfig
• Apache Configuration - Web server optimization and tuning
• Reverse Proxy Setup - Configuring nginx or HAProxy in front of Apache

Quick Reference

Certificate File Locations

OS Type	Private Key	Certificate	Apache Config
Rocky/RHEL/CentOS	/etc/ssl/private/rconfig.key	/etc/ssl/certs/rconfig.crt	/etc/httpd/conf.d/
Ubuntu	/etc/ssl/private/rconfig.key	/etc/ssl/certs/rconfig.crt	/etc/apache2/sites-available/

Common Commands

Rocky/RHEL/CentOS

# Check Apache syntax
httpd -t

# View virtual hosts
httpd -S

# Restart Apache
systemctl restart httpd

# View error logs
tail -f /var/log/httpd/error_log

# Check certificate expiration
openssl x509 -in /etc/ssl/certs/rconfig.crt -noout -dates

# Test SSL connection
openssl s_client -connect your-domain.com:443

# Renew Let's Encrypt certificate
certbot renew --force-renewal

# Test certificate renewal
certbot renew --dry-run

Ubuntu

# Check Apache syntax
apache2ctl configtest

# View virtual hosts
apache2ctl -S

# Restart Apache
systemctl restart apache2

# View error logs
tail -f /var/log/apache2/error.log

# Check certificate expiration
openssl x509 -in /etc/ssl/certs/rconfig.crt -noout -dates

# Test SSL connection
openssl s_client -connect your-domain.com:443

# Renew Let's Encrypt certificate
certbot renew --force-renewal

# Test certificate renewal
certbot renew --dry-run

SSL Configuration Checklist

Use this checklist to verify your SSL implementation:

Pre-Installation:

• Domain configured and resolving to server
• DNS A record pointing to correct IP address
• Firewall allows ports 80 and 443
• Apache installed and running
• Root/sudo access available

Let’s Encrypt Installation:

• Certbot installed successfully
• Certificate obtained without errors
• HTTP to HTTPS redirect configured
• Automatic renewal configured (cron or systemd)
• Test renewal completed successfully
• Apache reloads after certificate renewal

Self-Signed Installation:

• Private key generated (2048-bit minimum)
• Certificate signing request (CSR) created
• Self-signed certificate generated
• File permissions set correctly (600 for key, 644 for cert)
• Virtual host configuration created
• HTTP to HTTPS redirect configured

Post-Installation Verification:

• Apache configuration syntax valid (httpd -t or apache2ctl configtest)
• Apache started without errors
• HTTPS accessible from browser
• HTTP redirects to HTTPS
• Security headers present in response
• SSL certificate details correct
• No mixed content warnings
• Certificate expiration date recorded

For Reverse Proxy:

• APP_FORCE_HTTPS=true set in .env
• Trusted proxy configuration set if needed
• Application cache cleared
• HTTPS detection working correctly

Security Verification:

• Only TLS 1.2 and 1.3 enabled
• Strong cipher suites configured
• HSTS header configured
• Security headers present (X-Frame-Options, X-Content-Type-Options)
• SSL Labs test shows A or A+ rating (for production)

Certificate Renewal Schedule

Certificate Type	Validity Period	Renewal Frequency	Automation
Let’s Encrypt	90 days	Every 60 days	Automatic via cron/systemd
Self-Signed	User-defined (typically 365 days)	Before expiration	Manual
Commercial CA	1-2 years	30 days before expiration	Manual or vendor-specific

Firewall Rules Quick Reference

firewalld (Rocky/RHEL)

# Add HTTP and HTTPS services
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

# Verify rules
firewall-cmd --list-services

# Add specific ports (alternative)
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload

UFW (Ubuntu)

# Allow HTTP and HTTPS
ufw allow 80/tcp
ufw allow 443/tcp
ufw reload

# Verify rules
ufw status

# Allow Apache Full (HTTP + HTTPS)
ufw allow 'Apache Full'

iptables

# Allow HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow HTTPS
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Save rules (method varies by distribution)
# Rocky/RHEL/CentOS
iptables-save > /etc/sysconfig/iptables

# Ubuntu/Debian
iptables-save > /etc/iptables/rules.v4

Summary

SSL/TLS encryption is essential for securing rConfig V8 deployments, protecting sensitive network device credentials and configuration data during transmission. This guide covered both Let’s Encrypt certificates for production environments requiring trusted certificates and self-signed certificates for internal or development use.

Key takeaways:

• Let’s Encrypt provides free, automated, and trusted certificates ideal for production environments with public-facing domains
• Self-signed certificates are suitable for internal networks and development but generate browser warnings
• Automatic renewal is critical for Let’s Encrypt certificates, which expire every 90 days
• Security headers enhance protection against common web vulnerabilities and should always be configured
• Reverse proxy environments require additional configuration via the APP_FORCE_HTTPS environment variable
• Regular testing of SSL configuration and renewal processes prevents unexpected certificate expiration

Proper SSL implementation ensures that rConfig V8 features requiring HTTPS, such as clipboard operations and API integrations, function correctly while maintaining the security posture required for managing critical network infrastructure.

For environments requiring advanced SSL configuration, enterprise support, or assistance with complex scenarios, consult the Apache SSL documentation or contact rConfig support.