SSL/TLS Setup: Encrypting Web Traffic
TLS (Transport Layer Security) is mandatory for any production website. Modern browsers flag unencrypted sites as insecure, search engines penalize them, and regulations like PCI DSS require it. This guide covers automated certificate provisioning, manual installation, hardened cipher configuration, and verification.
Certbot: Automated Let's Encrypt Certificates
Certbot is the standard client for free, automated TLS certificates from Let's Encrypt.
Installation
# Debian/Ubuntu
sudo apt update
sudo apt install certbot
# For Nginx integration
sudo apt install python3-certbot-nginx
# For Apache integration
sudo apt install python3-certbot-apache
Obtaining a Certificate
# Nginx -- Certbot modifies your server block automatically
sudo certbot --nginx -d example.com -d www.example.com
# Apache -- same concept
sudo certbot --apache -d example.com -d www.example.com
# Standalone mode (no web server running)
sudo certbot certonly --standalone -d example.com
Certbot installs a systemd timer for automatic renewal:
# Verify the timer is active
sudo systemctl status certbot.timer
# Test renewal without making changes
sudo certbot renew --dry-run
Manual Certificate Installation
If you purchase a certificate from a commercial CA or use an internal PKI:
# Place files (example paths)
/etc/ssl/certs/example.com.crt # server certificate
/etc/ssl/certs/example.com-chain.crt # intermediate chain
/etc/ssl/private/example.com.key # private key (mode 0600)
Combine the certificate and chain into a single file for Nginx:
cat example.com.crt example.com-chain.crt > fullchain.pem
Protocol and Cipher Configuration
Nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
Apache
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
Disable TLSv1.0 and TLSv1.1 unconditionally -- they have known vulnerabilities and modern browsers no longer support them.
HSTS (HTTP Strict Transport Security)
HSTS tells browsers to always use HTTPS for your domain:
# Nginx
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Apache
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
The max-age of 63072000 seconds equals two years. The preload directive
makes the domain eligible for browser HSTS preload lists, but apply it only
after you are confident HTTPS works perfectly everywhere.
OCSP Stapling
OCSP stapling improves TLS handshake performance by having the server fetch and cache the certificate's revocation status:
# Nginx
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
# Apache
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
Certificate Chains
A complete chain includes: server certificate -> intermediate CA -> root CA. The root CA is in the browser's trust store, so you typically send only the server certificate and intermediate(s).
If visitors see "certificate not trusted" errors, the chain is likely incomplete. Verify with:
# Check the chain served by a live server
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
# Verify a local certificate file against its chain
openssl verify -CAfile chain.pem server.crt
SSL Labs Test
After deploying, test your configuration at https://www.ssllabs.com/ssltest/. Aim for an A+ rating. Common issues that lower the grade:
- Weak cipher suites (CBC-mode ciphers, 3DES)
- Missing HSTS header
- Incomplete certificate chain
- TLSv1.0 or TLSv1.1 still enabled
Return to the Web Servers hub or continue to Nginx Guide and Web Security.