rConfig - SSL Configuration

5 mins V7 Pro V6 Core

This guide provides SSL configuration instructions for supported operating systems, covering both Let’s Encrypt (free, automated certificates) and self-signed certificates for internal/development use.

Note

It is strongly advised to implement SSL configuration to ensure secure connections. However, given the diverse range of environments and configurations, we are unable to offer direct support for this setup. For comprehensive guidance, please consult the relevant documentation for your chosen SSL solution.

Reverse Proxy

If you are using a reverse proxy, you need to configure the APP_FORCE_HTTPS environment variable to ensure that HTTPS is enforced. Follow these steps to set it up:

1. Open your .env file:

    vim /var/www/html/rconfig7/current/.env

2. Add the following line:

   APP_FORCE_HTTPS=true

3. Save and exit. Press Esc, then type :wq and hit Enter.

4. Clear the application cache:

   php /var/www/html/rconfig7/current/artisan rconfig:clear-all

SSL Configuration Generator

If you are looking for a quick way to generate your SSL configuration, you can use the Mozilla SSL Configuration Generator. This tool allows you to customize your SSL settings based on your server type and requirements.

Prerequisites

Before proceeding with SSL configuration, ensure:

• Your domain is properly configured and pointing to your server
• Apache is installed and running
• Firewall allows HTTP (port 80) and HTTPS (port 443) traffic
• For Let’s Encrypt: Domain must be publicly accessible for validation

SSL Configuration Options

Let's Encrypt - Rocky/RHEL

Let’s Encrypt SSL - Rocky Linux/CentOS/RHEL

Step 1: Update the system

yum -y update

Step 2: Install mod_ssl

yum -y install mod_ssl

Step 3: Install certbot

# Enable EPEL repository
yum -y install epel-release

# Install yum-utils
yum -y install yum-utils

# Install certbot for Apache
yum -y install certbot python3-certbot-apache

Step 4: Obtain SSL certificate

certbot --apache

Certbot will ask you for the names you would like to activate HTTPS for:

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: yourdomainname.com
2: rconfig.yourdomainname.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Press enter to continue and then choose to redirect HTTP traffic to HTTPS:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Step 5: Configure automatic renewal

# Edit crontab
crontab -e

# Add this line for automatic renewal twice daily
0 */12 * * * /usr/bin/certbot renew --quiet

Step 6: Test renewal

certbot renew --dry-run

Let's Encrypt - Ubuntu

Let’s Encrypt SSL - Ubuntu

Step 1: Update the system

apt update && apt upgrade -y

Step 2: Install certbot

apt install -y certbot python3-certbot-apache

Step 3: Obtain SSL certificate

certbot --apache

Certbot will ask you for the names you would like to activate HTTPS for:

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: yourdomainname.com
2: rconfig.yourdomainname.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Press enter to continue and then choose to redirect HTTP traffic to HTTPS:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Step 4: Configure automatic renewal

# Test automatic renewal
certbot renew --dry-run

# Verify systemd timer is active (Ubuntu handles this automatically)
systemctl status certbot.timer
systemctl enable certbot.timer

Step 5: If systemd timer is not available, use crontab

crontab -e
# Add: 0 */12 * * * /usr/bin/certbot renew --quiet

Self-Signed - Rocky/RHEL

Self-Signed SSL - Rocky Linux/CentOS/RHEL

Step 1: Install required packages

yum -y install mod_ssl openssl

Step 2: Create SSL directories

mkdir -p /etc/ssl/private
mkdir -p /etc/ssl/certs

Step 3: Generate private key and certificate

# Generate private key
openssl genrsa -out /etc/ssl/private/rconfig.key 2048

# Generate certificate signing request
openssl req -new -key /etc/ssl/private/rconfig.key -out /etc/ssl/certs/rconfig.csr

# Generate self-signed certificate (valid for 365 days)
openssl x509 -req -days 365 -in /etc/ssl/certs/rconfig.csr -signkey /etc/ssl/private/rconfig.key -out /etc/ssl/certs/rconfig.crt

Step 4: Set proper permissions

chmod 600 /etc/ssl/private/rconfig.key
chmod 644 /etc/ssl/certs/rconfig.crt

Step 5: Create SSL configuration

# Create SSL configuration file
vim /etc/httpd/conf.d/rconfig-ssl.conf

Add the following configuration:

# HTTPS Virtual Host
<VirtualHost *:443>
    ServerName your-domain.com
    DocumentRoot /var/www/html/rconfig7/current/public

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/rconfig.crt
    SSLCertificateKeyFile /etc/ssl/private/rconfig.key

    # Security headers
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff

    # Laravel specific configuration
    <Directory /var/www/html/rconfig7/current/public>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# HTTP to HTTPS redirect
<VirtualHost *:80>
    ServerName your-domain.com
    Redirect permanent / https://your-domain.com/
</VirtualHost>

Step 6: Restart Apache

systemctl restart httpd
systemctl enable httpd

Self-Signed - Ubuntu

Self-Signed SSL - Ubuntu

Step 1: Install required packages and enable modules

apt update
apt install -y apache2 openssl
a2enmod ssl
a2enmod headers

Step 2: Create SSL directories

mkdir -p /etc/ssl/private
mkdir -p /etc/ssl/certs

Step 3: Generate private key and certificate

# Generate private key
openssl genrsa -out /etc/ssl/private/rconfig.key 2048

# Generate certificate signing request
openssl req -new -key /etc/ssl/private/rconfig.key -out /etc/ssl/certs/rconfig.csr

# Generate self-signed certificate (valid for 365 days)
openssl x509 -req -days 365 -in /etc/ssl/certs/rconfig.csr -signkey /etc/ssl/private/rconfig.key -out /etc/ssl/certs/rconfig.crt

Step 4: Set proper permissions

chmod 600 /etc/ssl/private/rconfig.key
chmod 644 /etc/ssl/certs/rconfig.crt

Step 5: Create SSL site configuration

# Create SSL site configuration
vim /etc/apache2/sites-available/rconfig-ssl.conf

Add the following configuration:

# HTTPS Virtual Host
<VirtualHost *:443>
    ServerName your-domain.com
    DocumentRoot /var/www/html/rconfig7/current/public

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/rconfig.crt
    SSLCertificateKeyFile /etc/ssl/private/rconfig.key

    # Security headers
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff

    # Laravel specific configuration
    <Directory /var/www/html/rconfig7/current/public>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# HTTP to HTTPS redirect
<VirtualHost *:80>
    ServerName your-domain.com
    Redirect permanent / https://your-domain.com/
</VirtualHost>

Step 6: Enable site and restart Apache

a2ensite rconfig-ssl.conf
a2dissite 000-default.conf
systemctl restart apache2
systemctl enable apache2

Basic Troubleshooting

Common Issues and Solutions

1. Apache fails to start after SSL configuration

Check Apache configuration syntax:

# Rocky/RHEL/CentOS
httpd -t

# Ubuntu
apache2ctl configtest

Check Apache error logs:

# Rocky/RHEL/CentOS
tail -f /var/log/httpd/error_log

# Ubuntu
tail -f /var/log/apache2/error.log

2. Certificate file permission errors

Ensure correct permissions:

# Check current permissions
ls -la /etc/ssl/private/
ls -la /etc/ssl/certs/

# Set correct permissions
chmod 600 /etc/ssl/private/rconfig.key
chmod 644 /etc/ssl/certs/rconfig.crt

3. Firewall blocking HTTPS connections

Allow HTTPS through firewall:

# Rocky/RHEL/CentOS
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=http
firewall-cmd --reload

# Ubuntu
ufw allow 80/tcp
ufw allow 443/tcp
ufw reload

4. Let’s Encrypt certificate generation fails

Check domain accessibility:

# Test if domain is accessible from outside
curl -I http://your-domain.com

Verify DNS resolution:

nslookup your-domain.com

Check certbot logs:

tail -f /var/log/letsencrypt/letsencrypt.log

5. SSL certificate warnings in browser

For self-signed certificates, browsers will show security warnings. This is normal and expected. Users need to accept the certificate to proceed.

For Let’s Encrypt certificates, ensure:

• Domain name matches the certificate
• Certificate is not expired
• All certificate chain files are properly configured

6. HTTP to HTTPS redirect not working

Verify redirect configuration:

# Test redirect
curl -I http://your-domain.com

Check virtual host configuration:

# Rocky/RHEL/CentOS
httpd -S

# Ubuntu
apache2ctl -S

7. SSL renewal issues (Let’s Encrypt)

Test renewal manually:

certbot renew --dry-run

Check crontab:

crontab -l

Check systemd timer (Ubuntu):

systemctl status certbot.timer

Testing Your SSL Configuration

Verify HTTPS is working:

curl -I https://your-domain.com

Check SSL certificate details:

openssl s_client -connect your-domain.com:443 -servername your-domain.com

Test SSL configuration online:

• SSL Labs SSL Test
• SSL Checker

Getting Help

If you continue to experience issues:

1. Check the Apache error logs first
2. Verify your domain DNS configuration
3. Ensure firewall rules allow HTTP/HTTPS traffic
4. Test certificate generation manually
5. Consult the Apache SSL documentation for advanced configuration options