The Moving Finger writes; and, having writ,
Moves on: nor all thy Piety nor Wit
Shall lure it back to cancel half a Line,
Nor all thy Tears wash out a Word of it.
Omar Khayyam
We are using Let's Encrypt, as discussed earlier, as the best solution here. It is needed to support HTTPS, where the connection between the user and the web server is encrypted; otherwise the web site will only gain very limited acceptance, as it is not considered secure.
See the following link for help with configuration:
PiMyLifeUp - Raspberry Pi SSL Certificates using Let’s Encrypt
You will need to configure it to create the needed certificates, and then configure Apache to use them with the web site.
You will need to tell Let's Encrypt to create the needed SSL certificates for your web site.
The first step is to configure the Let's Encrypt plugin for Apache with the command
sudo certbot --apache
Next, configure the needed domains and variants for SSL,
with a command such as (note: replace the items in blue with your domain)
Note that pop, smtp, mail and imap have been added for email.
You can check that the certificate has been created successfully using
sudo certbot certificates
It should report something like
Found the following certs:
Certificate Name: example.com
Serial Number: 433bd2430c3877998f03214af8898faba7f
Key Type: RSA
Domains: example.com www.example.com pop.example.com smtp.example.com mail.example.com imap.example.com
Expiry Date: 2024-05-12 03:42:50+00:00 (VALID: 70 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
Edit file /etc/apache2/sites-available/example.com.conf with an editor such as nano
sudo nano /etc/apache2/sites-available/example.com.conf
Before the lines
The items in blue need changing for your own domain name.
Make sure the following lines exist, or add them.
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
You may need to add
ServerName example.com
ServerAlias www.example.com
To use the updated file /etc/apache2/sites-available/example.com.conf,
first disable the existing site with
sudo a2dissite example.com.conf
Then enable the site with
sudo a2ensite example.com.conf
This puts example.com.conf into /etc/apache2/sites-enabled
You will need to restart Apache for it to recognise the change, with
sudo systemctl restart apache2
You should now have https://example.com functioning. If you have problems, look at the Apache error log (/var/log/apache2/error.log) and verify the changes made.
Once you have a functioning HTTPS site, you can check its security with several of the sites which report on web security. This is covered later.
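As an added example (not part of the original page), the shell function below reads the `certbot certificates` report shown earlier and flags any host name that is missing from the certificates or has fewer than a chosen number of days of validity left. The name `check_cert_report` and the embedded sample report are constructed for illustration, and any status other than `VALID: N days` is treated as zero days left.

```shell
# Added example, not from the original page; check_cert_report is a hypothetical name.
# Constructed sample, based on the report shown above.
SAMPLE_REPORT='Found the following certs:
  Certificate Name: example.com
    Serial Number: 433bd2430c3877998f03214af8898faba7f
    Key Type: RSA
    Domains: example.com www.example.com pop.example.com smtp.example.com mail.example.com imap.example.com
    Expiry Date: 2024-05-12 03:42:50+00:00 (VALID: 70 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem'

# Usage: sudo certbot certificates | check_cert_report MIN_DAYS NAME...
# Prints one line per problem and returns non-zero if any NAME is not listed
# on a certificate or has fewer than MIN_DAYS of validity left.
# Names are matched exactly, so a wildcard entry does not satisfy a host name.
check_cert_report() {
    min_days=$1; shift
    awk -v min="$min_days" -v want="$*" '
        /^[ \t]*Domains:/ {
            sub(/^[ \t]*Domains:[ \t]*/, "")
            cur = $0                      # names on the current certificate
        }
        /^[ \t]*Expiry Date:/ {
            days = 0                      # EXPIRED, hours-only etc. count as 0
            if (match($0, /[(]VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
            }
            n = split(cur, names, " ")
            for (i = 1; i <= n; i++) {    # keep the longest validity per name
                if (!(names[i] in best) || days > best[names[i]]) best[names[i]] = days
            }
            cur = ""
        }
        END {
            bad = 0
            m = split(want, w, " ")
            for (i = 1; i <= m; i++) {
                if (!(w[i] in best)) { print "MISSING " w[i]; bad = 1 }
                else if (best[w[i]] < min + 0) {
                    print "EXPIRING " w[i] " (" best[w[i]] " days left)"; bad = 1
                }
            }
            exit bad
        }'
}

# Demo on the constructed sample: both names are present with 70 days left.
printf '%s\n' "$SAMPLE_REPORT" | check_cert_report 30 example.com mail.example.com && echo "all names covered"
```

Run from cron or a monitoring job, a non-zero exit shows that renewal has stopped working or that a host name such as mail.example.com was left off the certificate.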