How to enable TLS 1.3 in Apache service of Linux Cloud Servers (without Cipher Suites included)

2020-05-08 By Aaron 2377 Views linux tls apache security
2 reviews

Transportation Layer Security (TLS) is a cryptographic protocol and it provides the security for the delivery of data over the internet. TLS 1.3 is faster than TLS 1.2 because the handshake for the TLS 1.3 is reduced to just one round-trip.

This can easily be enabled in a Linux based server. This guide outlines the basic steps involved in in a Linux server (provided Apache service is already installed in the server).


Ubuntu


Requirements:

  1. Server running on Ubuntu 18.04.

  2. A valid domain name and properly configured A/AAAA/CNAME DNS records.

  3. A valid TLS certificate. Here using from Let’s encrypt.

  4. Apache version 2.4.36 or greater.

  5. OpenSSL version 1.1.1 or greater.


Before the beginning:

  1. Check the ubuntu version by using the below command.

    # lsb_release -ds
    

    tls1

  2. By using the below command ensure that the server is up to date.

    # apt update && sudo apt upgrade
    

    tls2

  3. Install the needed packages by using the below command.

    # apt install  zip unzip curl wget git socat
    

    tls3


Step A - Install the acme.sh client and obtain a TLS certificate from Let's Encrypt.

acme.sh is used to install, renew and remove SSL certificates and it is written purely in Shell (Unix shell) language, compatible with bash, dash, and sh shells.

  1. Install acme.sh with the below commands.

    # git clone https://github.com/acmesh-official/acme.sh
    # cd acme.sh
    # ./acme.sh --install –accountemail [email protected]
    # cd ~
    # source ~/.bashrc
    

    tls4

    tls5

    NOTE: Replace the mail account with your mail account name.

  2. Check the version of acme.sh.

    # acme.sh --version
    

    tls6

  3. Obtain RSA and ECDSA certificates for the domain.

    # RSA
    acme.sh --issue --standalone -d testlayerstack.com.com --keylength 2048
    
    # ECC/ECDSA
    acme.sh --issue --standalone -d testlayerstack.com --keylength ec-256
    

    tls7

    tls8

  4. Create directories to store your certs and keys in then, install and copy certificates to /etc/letsencrypt.

    # mkdir -p /etc/letsencrypt/testlayerstack.com
    
    # mkdir -p /etc/letsencrypt/testlayerstack.com_ecc
    

    tls9

    # acme.sh --install-cert -d testlayerstack.com --cert-file /etc/letsencrypt/testlayerstack.com/cert.pem --key-file /etc/letsencrypt/testlayerstack.com/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com/fullchain.pem
    
    # acme.sh --install-cert -d testlayerstack.com --ecc --cert-file etc/letsencrypt/testlayerstack.com_ecc/cert.pem --key-file /etc/letsencrypt/testlayerstack.com_ecc/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com_ecc/fullchain.pem
    

    tls10

    tls11

  5. After running the above commands, your certificates and keys will be in the below mentioned locations:

    RSA: /etc/letsencrypt/testlayerstack.com
    
    ECC/ECDSA: /etc/letsencrypt/testlayerstack.com_ecc
    


Step B - Configure Apache for TLS 1.3

  1. Install the latest version of Apache

    # apt install apache2
    

    tls12

  2. Check the Apache version then, start and enable using below commands.

    # apache2 -v
    
    # systemctl start apache2.service
    
    # systemctl enable apache2.service
    

    tls13

  3. Now enable the SSL module on the server with the below command and restart the Apache to activate.

    # a2enmod ssl
    

    tls14

    # systemctl restart apache2
    

    tls15

  4. Run the below command and add the following basic configurations in that file.

    # vim /etc/apache2/sites-available/testlayerstack.com.conf
    

    tls2

  5. Then Save and Exit the file.

    NOTE: Replace testlayerstack.com in commands with your valid domain name.

  6. Run the below command to link the file to the sites-enabled directory.

    # a2ensite testlayerstack.com.conf
    

    tls17

  7. Now reload the Apache to activate the new configuration.

    # systemctl restart apache2
    

    tls18

  8. Verify TLS 1.3 by using any browser dev tools or SSL Labs service such as given below.

    https://www.ssllabs.com/ssltest/
    


CentOS


Requirements:

  1. Server running on CentOS 8.

  2. A valid domain name and properly configured A/AAAA/CNAME DNS records.

  3. A valid TLS certificate. Here using from Let’s encrypt.

  4. Apache version 2.4.36 or greater.

  5. OpenSSL version 1.1.1 or greater.


Before the beginning:

  1. Check the CentOS version by using the below command.

    # cat /etc/centos-release
    

    tls19

  2. Use the below command ensure that the server is up to date.

    # dnf update
    

    tls20

  3. Install the needed packages by using the below command.

    # dnf install -y socat git
    

    tls21


Step A - Install the acme.sh client and obtain a TLS certificate from Let's Encrypt.

acme.sh is used to install, renew and remove SSL certificates and it is written purely in Shell (Unix shell) language, compatible with bash, dash, and sh shells.

  1. Install acme.sh with the below commands.

    # git clone https://github.com/acmesh-official/acme.sh
    # cd acme.sh
    # ./acme.sh --install –accountemail [email protected]
    # cd ~
    # source ~/.bashrc
    

    tls22

    tls23

    Note: Replace the mail account with your mail account name.

  2. Check the version of acme.sh.

    # acme.sh --version
    

    tls24

  3. Obtain RSA and ECDSA certificates for the domain.

    # RSA
    acme.sh --issue --standalone -d example.com --keylength 2048
    
    # ECC/ECDSA
    acme.sh --issue --standalone -d example.com --keylength ec-256
    

    tls26

    tls26

  4. Create directories to store your certs and keys in then, install and copy certificates to /etc/letsencrypt.

    # mkdir -p /etc/letsencrypt/testlayerstack.com
    
    # mkdir -p /etc/letsencrypt/testlayerstack.com_ecc
    

    tls27

    # acme.sh --install-cert -d testlayerstack.com --cert-file /etc/letsencrypt/testlayerstack.com/cert.pem --key-file /etc/letsencrypt/testlayerstack.com/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com/fullchain.pem
    
    # acme.sh --install-cert -d testlayerstack.com --ecc --cert-file etc/letsencrypt/testlayerstack.com_ecc/cert.pem --key-file /etc/letsencrypt/testlayerstack.com_ecc/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com_ecc/fullchain.pem
    

    tls28

    tls29

  5. After running the above commands, your certificates and keys will be in the below mentioned locations:

    RSA: /etc/letsencrypt/testlayerstack.com
    
    ECC/ECDSA: /etc/letsencrypt/testlayerstack.com_ecc
    


Step B - Configure Apache for TLS 1.3

  1. Download and install the latest version of Apache and its SSL module.

    # dnf install httpd mod_ssl
    

    tls30

  2. Check the Apache version then, start and enable using below commands.

    # httpd -v
    
    # systemctl start httpd.service
    
    # systemctl enable httpd.service
    

    tls31

  3. Run the below command and add the following basic configurations in that file.

    # vim /etc/httpd/conf.d/testlayerstack.com.conf
    

    tls32

  4. Save the file and exit.

    NOTE: Replace testlayerstack.com in commands with your valid domain name.

  5. Reload Apache to activate in the new configuration.

  6. Verify TLS 1.3 by using any browser dev tools or SSL Labs service such as given below.

    https://www.ssllabs.com/ssltest/
    


Debian


Requirements:

  1. Server running on Debian.

  2. A valid domain name and properly configured A/AAAA/CNAME DNS records.

  3. A valid TLS certificate. Here using from Let’s encrypt.

  4. Apache version 2.4.36 or greater.

  5. OpenSSL version 1.1.1 or greater.


Before the beginning:,

  1. Check the Debian version by using the below command.

    # lsb_release -ds
    

    tls33

  2. By using the below command ensure that the server is up to date.

    # apt update && sudo apt upgrade
    

    tls34

  3. Install the needed packages by using the below command.

    # apt install  zip unzip curl wget git socat
    

    tls35


Step A - Install the acme.sh client and obtain a TLS certificate from Let's Encrypt.

acme.sh is used to install, renew and remove SSL certificates and it is written purely in Shell (Unix shell) language, compatible with bash, dash, and sh shells.

  1. Install acme.sh with the below commands.

    # git clone https://github.com/acmesh-official/acme.sh
    # cd acme.sh
    # ./acme.sh --install –accountemail [[email protected]](mailto:[email protected])
    # cd ~
    # source ~/.bashrc
    

    tls36

    tls37

    Note: Replace the mail account with your mail account name.

  2. Check the version of acme.sh.

    # acme.sh --version
    

    tls33

  3. Obtain RSA and ECDSA certificates for the domain.

    # RSA
    acme.sh --issue --standalone -d example.com --keylength 2048
    
    # ECC/ECDSA
    acme.sh --issue --standalone -d example.com --keylength ec-256
    

    tls39

    tls40

  4. Create directories to store your certs and keys in then, install and copy certificates to /etc/letsencrypt.

    # mkdir -p /etc/letsencrypt/testlayerstack.com
    
    # mkdir -p /etc/letsencrypt/testlayerstack.com_ecc
    

    tls41

    # acme.sh --install-cert -d testlayerstack.com --cert-file /etc/letsencrypt/testlayerstack.com/cert.pem --key-file /etc/letsencrypt/testlayerstack.com/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com/fullchain.pem
    
    # acme.sh --install-cert -d testlayerstack.com --ecc --cert-file etc/letsencrypt/testlayerstack.com_ecc/cert.pem --key-file /etc/letsencrypt/testlayerstack.com_ecc/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com_ecc/fullchain.pem
    

    tls42

    tls43

  5. After running the above commands, your certificates and keys will be in the below mentioned locations:

    RSA: /etc/letsencrypt/testlayerstack.com
    
    ECC/ECDSA: /etc/letsencrypt/testlayerstack.com_ecc
    


Step B - Configure Apache for TLS 1.3

  1. Install the latest version of Apache.

    # apt install apache2
    

    tls44

  2. Check the Apache version then, start and enable using below commands.

    # apache2 -v
    

    tls45

    # systemctl start apache2.service
    
    # systemctl enable apache2.service
    

    tls46

  3. Now enable the SSL module on the server with the below command and restart the Apache to activate.

    # a2enmod ssl
    

    tls47

    # systemctl restart apache2
    

    tls48

  4. Run the below command and add the following basic configurations in that file.

    # vim /etc/apache2/sites-available/testlayerstack.com.conf
    

    tls49

  5. Then Save and Exit the file.

    > NOTE: Replace **testlayerstack.com** in commands with your valid domain name.
    
  6. Run the below command to link the file to the sites-enabled directory.

    # a2ensite testlayerstack.com.conf
    

    tls50

  7. Now reload the Apache to activate the new configuration.

    # systemctl restart apache2
    

    tls51

  8. Verify TLS 1.3 by using any browser dev tools or SSL Labs service such as given below.

    https://www.ssllabs.com/ssltest/
    


Related Tutorials

What do you think about this article?

Rate this article