
How to Install and Enable TLS 1.3 on Nginx and Apache


TLS 1.3 is the latest version of the Transport Layer Security protocol. It builds on the existing TLS 1.2 specification and is a proper IETF standard, RFC 8446. It provides stronger security and better performance than its predecessors.

Requirements

Nginx version 1.13.0 or greater.
Apache version 2.4.37 or greater.
OpenSSL version 1.1.1 or greater.
A valid domain name with correctly configured DNS records.
A valid TLS certificate.

Install a TLS Certificate from Let’s Encrypt

To obtain a free SSL certificate from Let’s Encrypt, you need to install the acme.sh client and a few required packages on your Linux system, as shown below.

apt install -y socat git  [On Debian/Ubuntu]
dnf install -y socat git  [On RHEL/CentOS/Fedora]
mkdir /etc/letsencrypt
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install --home /etc/letsencrypt --accountemail your_email@example.com
cd ~
# RSA certificate (2048-bit key); --standalone answers the HTTP-01 challenge on port 80 itself (this is what socat is for)
/etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength 2048
# ECDSA certificate (P-256 key); acme.sh stores it under /etc/letsencrypt/example.com_ecc
/etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength ec-256

NOTE: Replace example.com in the above commands with your own domain name.

Now you just need to enable TLS 1.3 on your domain, as explained below.

Enable TLS 1.3 on Nginx

As mentioned in the requirements above, TLS 1.3 is supported starting from Nginx version 1.13. If you are running an older Nginx version, you need to first upgrade to the latest version.

apt install nginx  [On Debian/Ubuntu]
yum install nginx  [On RHEL/CentOS/Fedora]

Check the Nginx version and the OpenSSL version against which Nginx was compiled (make sure that the Nginx version is at least 1.14 and the OpenSSL version at least 1.1.1).

nginx -V

Sample output

nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC) 
built with OpenSSL 1.1.1 FIPS  11 Sep 2018
TLS SNI support enabled

Start by enabling and verifying the Nginx installation

systemctl start nginx.service
systemctl enable nginx.service
systemctl status nginx.service

Then open the Nginx vhost configuration

vi /etc/nginx/conf.d/example.com.conf

Note: you can edit the vhost configuration file with any editor like nano

Now locate the ssl_protocols directive and append TLSv1.3 at the end of the line, as shown below

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name example.com;

  # RSA certificate issued by acme.sh above
  ssl_certificate /etc/letsencrypt/example.com/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com/example.com.key;
  # ECDSA certificate; Nginx picks whichever key type the client supports
  ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com_ecc/example.com.key;

  # TLSv1.3 appended here; TLSv1 and TLSv1.1 are deliberately left out
  ssl_protocols TLSv1.2 TLSv1.3;
  # This list only governs TLSv1.2 and below: TLSv1.3 cipher suites are
  # chosen by OpenSSL and are not affected by ssl_ciphers
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;
}

As the last step, verify the configuration and reload Nginx

nginx -t
systemctl reload nginx.service

Enable TLS 1.3 in Apache

Note: TLS 1.3 requires Apache version 2.4.37 or greater, as listed in the requirements above. If you are running an older version of Apache, you need to first upgrade to the latest version.

To upgrade Apache to the latest version, run the following commands

apt install apache2  [On Debian/Ubuntu]
yum install httpd  [On RHEL/CentOS/Fedora]

Once installed, you can verify the Apache version and the OpenSSL version against which Apache was compiled.

httpd -V
openssl version

Now start by enabling and verifying the Apache installation

-------------- On Debian/Ubuntu -------------- 
systemctl start apache2.service
systemctl enable apache2.service
systemctl status apache2.service

-------------- On RHEL/CentOS/Fedora --------------
systemctl start httpd.service
systemctl enable httpd.service
systemctl status httpd.service

Then open the Apache virtual host configuration file using your favorite editor.

vi /etc/httpd/conf.d/vhost.conf  [On RHEL/CentOS/Fedora]
OR
vi /etc/apache2/apache2.conf  [On Debian/Ubuntu]

and locate the SSLProtocol directive (Apache's equivalent of Nginx's ssl_protocols) and add TLSv1.3 to it, as shown below.

<VirtualHost *:443>
    ServerAdmin admin@example.com
    ServerName www.example.com
    ServerAlias example.com
    #DocumentRoot /data/httpd/htdocs/example.com/
    DocumentRoot /data/httpd/htdocs/example_hueman/

    SSLEngine on

    # RSA certificate issued by acme.sh above; fullchain.cer already contains
    # the intermediate, so no separate SSLCertificateChainFile is needed
    SSLCertificateFile /etc/letsencrypt/example.com/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com/example.com.key
    # ECDSA certificate; Apache 2.4.8+ accepts one certificate per key type
    SSLCertificateFile /etc/letsencrypt/example.com_ecc/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com_ecc/example.com.key
    # If the certificate came from certbot instead, use its paths, e.g.
    #SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

    # Apache names: SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder
    # (ssl_protocols, ssl_ciphers and ssl_prefer_server_ciphers are Nginx-only
    # and would make httpd -t fail)
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Governs TLSv1.2 and below; TLSv1.3 suites are chosen by OpenSSL
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on

    # Log file locations
    LogLevel warn
    ErrorLog  /var/log/httpd/example.com/httpserror.log
    CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/example.com/httpsaccess.log.%Y-%m-%d 86400" combined
</VirtualHost>

Finally, verify the configuration and reload Apache

-------------- On Debian/Ubuntu -------------- 
apache2 -t
systemctl reload apache2.service

-------------- On RHEL/CentOS/Fedora --------------
httpd -t
systemctl reload httpd.service
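Both the Nginx server block and the Apache VirtualHost above come down to a single protocol directive, and it is easy to leave TLSv1 or TLSv1.1 enabled by accident (Apache's "all" keyword in particular). The script below is an added example, not code from this post or from either project: it reads the ssl_protocols / SSLProtocol lines out of a config file and reports whether TLSv1.3 is enabled and whether any legacy version is still on. The sample snippets inside it are constructed for the demonstration, and its handling of Apache's "all" keyword is a simplification (every protocol from SSLv3 upward, as the mod_ssl documentation lists them).

```python
"""Audit Nginx / Apache vhost files for the TLS versions they enable.

Added example, not part of the original post. Usage:
    python audit_tls.py /etc/nginx/conf.d/example.com.conf
    python audit_tls.py /etc/httpd/conf.d/vhost.conf
"""
from __future__ import annotations

import re
import sys

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Simplified model of Apache's "all" keyword: every protocol mod_ssl lists, SSLv2 excluded.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Canonical spelling for case-insensitive Apache tokens
CANONICAL = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1",
             "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2", "tlsv1.3": "TLSv1.3"}

NGINX_RE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);", re.MULTILINE)
APACHE_RE = re.compile(r"^\s*SSLProtocol\s+([^#\n]+)", re.MULTILINE | re.IGNORECASE)


def nginx_protocols(conf: str) -> list[set[str]]:
    """Protocol set for every ssl_protocols directive (Nginx lists enabled versions plainly)."""
    return [set(m.group(1).split()) for m in NGINX_RE.finditer(conf)]


def apache_protocols(conf: str) -> list[set[str]]:
    """Evaluate every SSLProtocol line: 'all' enables APACHE_ALL, '+X' adds, '-X' removes, bare 'X' adds."""
    results = []
    for m in APACHE_RE.finditer(conf):
        enabled: set[str] = set()
        for tok in m.group(1).split():
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            names = APACHE_ALL if name.lower() == "all" else {CANONICAL.get(name.lower(), name)}
            if sign == "+":
                enabled |= names
            else:
                enabled -= names
        results.append(enabled)
    return results


def audit(protocol_sets: list[set[str]]) -> list[str]:
    """Findings against the policy in the post (TLSv1.2 + TLSv1.3, nothing older); empty list = OK."""
    if not protocol_sets:
        return ["no protocol directive found (server falls back to the build default)"]
    findings = []
    for i, enabled in enumerate(protocol_sets, 1):
        if "TLSv1.3" not in enabled:
            findings.append(f"directive {i}: TLSv1.3 not enabled ({sorted(enabled)})")
        legacy = enabled & LEGACY
        if legacy:
            findings.append(f"directive {i}: legacy versions still enabled: {sorted(legacy)}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        sets = nginx_protocols(text) or apache_protocols(text)
    else:
        # Constructed sample: a line many Apache guides leave in place, which still allows TLSv1/TLSv1.1
        sets = apache_protocols("SSLProtocol all -SSLv3\n")
    for line in audit(sets) or ["OK: TLSv1.3 enabled, no legacy versions"]:
        print(line)
```

Run it against the vhost file you just edited; a clean result is a single OK line, and after any change to the protocol directive it is worth re-running before `nginx -t` / `httpd -t` and the reload.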

How to verify that your website is working with TLS

You can verify that TLS is working by opening your website over https, for example:
https://www.lgvps.com
In the address bar of your browser you will see that the connection is secure, as shown in the following screenshot.
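The browser padlock only tells you that some TLS version succeeded. The script below is an added example (not the post's own code) that pins a Python ssl client to one protocol version per handshake and records which versions the server accepts, so you can confirm that TLSv1.3 is negotiated and that TLSv1 and TLSv1.1 are refused after the change. It assumes outbound access to the host on port 443 and a Python linked against OpenSSL 1.1.1 or later; the host name comes from the command line, and example.com is a placeholder.

```python
"""Probe which TLS versions a server accepts (added example, not from the post).

Usage: python probe_tls.py www.example.com
"""
from __future__ import annotations

import socket
import ssl
import sys

# Name as reported by SSLSocket.version() -> ssl.TLSVersion constant
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that negotiates exactly `version` or fails the handshake."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    # The client's own OpenSSL security level would refuse TLSv1/TLSv1.1 before the
    # server is even asked; relax it so the result reflects the server's policy.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and some builds do not understand @SECLEVEL
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict[str, bool]:
    """Return {version_name: True if the server completed a handshake at that version}."""
    results: dict[str, bool] = {}
    for name, version in VERSIONS.items():
        try:
            ctx = pinned_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ValueError, ssl.SSLError, OSError):
            # ValueError: this Python/OpenSSL build cannot speak `version` at all;
            # SSLError: the server refused it; OSError: network failure.
            results[name] = False
    return results


def verdict(results: dict[str, bool]) -> list[str]:
    """Findings against the policy in the post (TLSv1.2 + TLSv1.3 only); empty list = OK."""
    findings: list[str] = []
    if not results.get("TLSv1.3"):
        findings.append("TLSv1.3 handshake failed: check the protocol directive and the OpenSSL build")
    for legacy in ("TLSv1", "TLSv1.1"):
        if results.get(legacy):
            findings.append(f"{legacy} still accepted: remove it from the protocol list")
    return findings


if __name__ == "__main__":
    # example.com is a placeholder; pass your own host name on the command line
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    outcome = probe(host)
    for name, ok in outcome.items():
        print(f"{name:8} {'accepted' if ok else 'refused'}")
    for finding in verdict(outcome):
        print("WARNING:", finding)
```

A correctly configured server from this guide prints TLSv1.2 and TLSv1.3 as accepted and the two older versions as refused with no warnings. A "TLSv1.3 ... refused" result on a server whose config looks right usually means the web server binary was built against an OpenSSL older than 1.1.1, which is exactly what the nginx -V / httpd -V check above is for.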


That’s all you need to secure your website connection via TLS 1.3. If you need help, please don’t hesitate to leave a reply.
Best Regards
