Setup SSL on a Raspberry Pi in 2 minutes

UPDATE: Let's Encrypt have an auto-install bot and it’s a signed certificate, meaning no warning! https://letsencrypt.org/

 

Granted, this is a self-signed certificate and not one from an issuing authority, but for most domestic uses it’s fine.

Make a directory called ssl

sudo mkdir /etc/apache2/ssl

Create the certificate

sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/apache2/ssl/server.crt -keyout /etc/apache2/ssl/server.key

For the domain name I used my ddns.net domain, and that’s fine, but it has to be a domain name and not an IP.

Here’s my output

Generating a 2048 bit RSA private key
………………………+++
………………………………………………………………+++
writing new private key to '/etc/apache2/ssl/server1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Yorkshire!
Locality Name (eg, city) []:Home
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dazbobaby inc.
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:mydomain.ddns.net
Email Address []:admin@mydomain.ddns.net

Enable the SSL module for Apache2

sudo a2enmod ssl

Restart Apache:

sudo service apache2 restart

Create a symbolic link in the sites-enabled folder that points to the default SSL site file in sites-available

sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

Edit the file.

sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf

Insert these two lines before </VirtualHost>

SSLCertificateFile    /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

Now browse to your site with HTTPS:// and accept the new security certificate

Source: https://hallard.me/enable-ssl-for-apach … 5-minutes/
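
Before restarting Apache it is worth checking the pair generated above: that the key belongs to the certificate, that the certificate is not about to expire, and that the private key is not readable by other users. The script below is an added example, not part of the original post; the function names are made up here, and it assumes the openssl command used above plus GNU stat.

```sh
#!/bin/sh
# Added example (not from the original post): check a cert/key pair for Apache.
# Usage: sh check_pair.sh /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.key

# True when the private key belongs to the certificate (same public key).
cert_matches_key() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# True when issuer equals subject: no CA vouches for it, so browsers warn.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    issr=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
    [ "${subj#subject=}" = "${issr#issuer=}" ]
}

# True when the certificate is still valid $2 days from now (default 30).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# True when group and others have no permission bits on the key file.
# Assumes GNU stat (stat -c), as found on Debian-based systems.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Run all checks; returns non-zero if any hard check fails.
check_pair() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    key_is_private "$2" || { echo "FAIL: private key accessible to group/others"; rc=1; }
    if is_self_signed "$1"; then
        echo "NOTE: self-signed; browsers warn until it is trusted manually"
    fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```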

Setup redirection from port 80 (insecure) to 443
Edit /etc/apache2/sites-enabled.conf
Add this:

<VirtualHost *:80>
   ServerName http://mydomain.ddns.net
   Redirect permanent / https://mydomain.ddns.net/
</VirtualHost>

Restart Apache

About The Bionic Cyclist

I am a keen technophile and have been since I was a kid. I was amazed when one of my friends invented the wheel, and I've been nuts about technology ever since.

13 thoughts on “Setup SSL on a Raspberry Pi in 2 minutes”

  3. Hello, my name is Ferry,

    So I was following your instructions to enable SSL on my Raspberry Pi. It was working fine, but I can see that the https: is getting a strike-through with red words.

    Here is the error message :
    Your connection is not private

    Attackers might be trying to steal your information from yourdomain.ddns.net (for example, passwords, messages, or credit cards). Learn more
    NET::ERR_CERT_AUTHORITY_INVALID

    Subject: yourdomain.ddns.net
    Issuer: yourdomain.ddns.net
    Expires on: Oct 22, 2020
    Current date: Oct 23, 2017
    PEM encoded chain:
    -----BEGIN CERTIFICATE-----
    A lot of words
    -----END CERTIFICATE-----

    Thank you.
    Regards

  4. Hi, thanks much for this excellent tuto! For me, only one point missed:
    At the end (before the last server restart) I had to execute the following line to activate the redirect module
    sudo a2enmod rewrite
