SSL Setup for rConfig V8 Core
After reading this page, I can secure my rConfig V8 Core install with HTTPS using either a Let’s Encrypt certificate or a self-signed certificate, configure automatic renewal, and verify the connection. The same steps cover Rocky Linux, CentOS, RHEL, and Ubuntu.
When to use this
Section titled “When to use this”Use this page when you are bringing a new rConfig V8 Core server online, or when you need to add HTTPS to an existing HTTP-only install. Choose Let’s Encrypt for production servers with a public domain, or a self-signed certificate for internal, air-gapped, or development environments.
Prerequisites
Section titled “Prerequisites”- Domain configured and resolving to your server
- Apache web server installed and running
- Ports 80 (HTTP) and 443 (HTTPS) open on the firewall
- Sudo or root privileges on the server
- For Let’s Encrypt: the domain must be publicly accessible so certbot can complete validation
Which certificate type should I use?
Section titled “Which certificate type should I use?”Let’s Encrypt certificates
Section titled “Let’s Encrypt certificates”Best for production environments with public-facing domains.
- Free, automated certificate management
- Trusted by all major browsers
- 90-day validity with automated renewal
- Requires a publicly accessible domain, valid DNS records, and port 80 open for validation
Self-signed certificates
Section titled “Self-signed certificates”Best for internal networks, development, and testing environments.
- No external dependencies, works in air-gapped environments
- Full control over certificate properties
- Browsers show a security warning because the certificate is not issued by a trusted Certificate Authority
- Not suitable for public-facing production environments
Set up SSL
Section titled “Set up SSL”Pick the tab that matches your certificate type and operating system.
Let’s Encrypt on Rocky Linux, CentOS, RHEL
Section titled “Let’s Encrypt on Rocky Linux, CentOS, RHEL”-
Update system packages.
Terminal window yum -y update -
Install
mod_ssl.Terminal window yum -y install mod_ssl -
Install certbot and its dependencies.
Terminal window # Enable EPEL repositoryyum -y install epel-release# Install required utilitiesyum -y install yum-utils# Install certbot for Apacheyum -y install certbot python3-certbot-apache -
Stop Apache so certbot can bind to port 80.
Terminal window systemctl stop httpd -
Run certbot and follow the interactive prompts.
Terminal window certbot --apacheSelect which domains to activate HTTPS for:
Which names would you like to activate HTTPS for?-------------------------------------------------------------------------------1: yourdomainname.com2: rconfig.yourdomainname.com-------------------------------------------------------------------------------Select the appropriate numbers separated by commas and/or spaces, or leave inputblank to select all options shown (Enter 'c' to cancel):Press
Enterto select all domains, then choose the redirect option:Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.-------------------------------------------------------------------------------1: No redirect - Make no further changes to the webserver configuration.2: Redirect - Make all requests redirect to secure HTTPS access. Choose this fornew sites, or if you're confident your site works on HTTPS. You can undo thischange by editing your web server's configuration.-------------------------------------------------------------------------------Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 -
Verify the Apache configuration that certbot wrote.
Terminal window # Check configuration syntaxhttpd -t# View SSL virtual host configurationcat /etc/httpd/conf/httpd-le-ssl.conf -
Configure automatic renewal with a cron job.
Terminal window crontab -eAdd this line to renew certificates twice daily:
Terminal window 0 */12 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload httpd" -
Test the renewal process.
Terminal window certbot renew --dry-runA successful simulation reports:
Congratulations, all simulated renewals succeeded -
Start and enable Apache.
Terminal window systemctl start httpdsystemctl enable httpd -
Verify HTTPS access.
Terminal window curl -I https://your-domain.com
Let’s Encrypt on Ubuntu
Section titled “Let’s Encrypt on Ubuntu”-
Update system packages.
Terminal window apt update && apt upgrade -y -
Install certbot.
Terminal window apt install -y certbot python3-certbot-apache -
Stop Apache so certbot can bind to port 80.
Terminal window systemctl stop apache2 -
Run certbot and follow the interactive prompts.
Terminal window certbot --apacheSelect which domains to activate HTTPS for:
Which names would you like to activate HTTPS for?-------------------------------------------------------------------------------1: yourdomainname.com2: rconfig.yourdomainname.com-------------------------------------------------------------------------------Select the appropriate numbers separated by commas and/or spaces, or leave inputblank to select all options shown (Enter 'c' to cancel):Press
Enterto select all domains, then choose the redirect option:Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.-------------------------------------------------------------------------------1: No redirect - Make no further changes to the webserver configuration.2: Redirect - Make all requests redirect to secure HTTPS access. Choose this fornew sites, or if you're confident your site works on HTTPS. You can undo thischange by editing your web server's configuration.-------------------------------------------------------------------------------Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 -
Verify the Apache configuration that certbot wrote.
Terminal window # Check configuration syntaxapache2ctl configtest# View SSL site configurationcat /etc/apache2/sites-available/000-default-le-ssl.conf -
Confirm automatic renewal. Ubuntu usually configures this via a systemd timer.
Terminal window # Check timer statussystemctl status certbot.timer# Enable the timer if it is not activesystemctl enable certbot.timersystemctl start certbot.timerIf the systemd timer is unavailable, add a cron job instead:
Terminal window crontab -eTerminal window 0 */12 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload apache2" -
Test the renewal process.
Terminal window certbot renew --dry-runA successful simulation reports:
Congratulations, all simulated renewals succeeded -
Start and enable Apache.
Terminal window systemctl start apache2systemctl enable apache2 -
Verify HTTPS access.
Terminal window curl -I https://your-domain.com
Self-signed certificate on Rocky Linux, CentOS, RHEL
Section titled “Self-signed certificate on Rocky Linux, CentOS, RHEL”-
Install the required packages.
Terminal window yum -y install mod_ssl openssl -
Create the SSL directories.
Terminal window mkdir -p /etc/ssl/privatemkdir -p /etc/ssl/certs -
Generate the private key.
Terminal window openssl genrsa -out /etc/ssl/private/rconfig.key 2048 -
Generate the certificate signing request (CSR) and answer the prompts.
Terminal window openssl req -new -key /etc/ssl/private/rconfig.key -out /etc/ssl/certs/rconfig.csrCountry Name (2 letter code) [XX]: USState or Province Name (full name) []: CaliforniaLocality Name (eg, city) []: San FranciscoOrganization Name (eg, company) []: Your OrganizationOrganizational Unit Name (eg, section) []: IT DepartmentCommon Name (eg, your server's hostname) []: rconfig.yourdomainname.comEmail Address []: admin@yourdomainname.com -
Generate the self-signed certificate.
Terminal window # Valid for 365 days (adjust -days value as needed)openssl x509 -req -days 365 -in /etc/ssl/certs/rconfig.csr \-signkey /etc/ssl/private/rconfig.key \-out /etc/ssl/certs/rconfig.crt -
Set the correct permissions and ownership.
Terminal window chmod 600 /etc/ssl/private/rconfig.keychmod 644 /etc/ssl/certs/rconfig.crtchown root:root /etc/ssl/private/rconfig.keychown root:root /etc/ssl/certs/rconfig.crt -
Create the SSL virtual host configuration.
Terminal window vim /etc/httpd/conf.d/rconfig-ssl.confAdd the following:
# HTTPS Virtual Host<VirtualHost *:443>ServerName your-domain.comServerAlias www.your-domain.comDocumentRoot /var/www/html/rconfig/public# SSL ConfigurationSSLEngine onSSLCertificateFile /etc/ssl/certs/rconfig.crtSSLCertificateKeyFile /etc/ssl/private/rconfig.key# Modern SSL/TLS ConfigurationSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384SSLHonorCipherOrder offSSLSessionTickets off# Security HeadersHeader always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"Header always set X-Frame-Options DENYHeader always set X-Content-Type-Options nosniffHeader always set X-XSS-Protection "1; mode=block"Header always set Referrer-Policy "strict-origin-when-cross-origin"# Laravel Application Configuration<Directory /var/www/html/rconfig/public>Options -Indexes +FollowSymLinksAllowOverride AllRequire all granted</Directory># Error and Access LogsErrorLog /var/log/httpd/rconfig-ssl-error.logCustomLog /var/log/httpd/rconfig-ssl-access.log combined</VirtualHost># HTTP to HTTPS Redirect<VirtualHost *:80>ServerName your-domain.comServerAlias www.your-domain.comRedirect permanent / https://your-domain.com/</VirtualHost> -
Test the Apache configuration. It should report
Syntax OK.Terminal window httpd -t -
Restart and enable Apache.
Terminal window systemctl restart httpdsystemctl enable httpd -
Open the firewall for HTTP and HTTPS.
Terminal window firewall-cmd --permanent --add-service=httpfirewall-cmd --permanent --add-service=httpsfirewall-cmd --reload -
Verify HTTPS access. The
-kflag accepts the untrusted self-signed certificate.Terminal window curl -Ik https://your-domain.com
Self-signed certificate on Ubuntu
Section titled “Self-signed certificate on Ubuntu”-
Install the required packages.
Terminal window apt updateapt install -y apache2 openssl -
Enable the required Apache modules.
Terminal window a2enmod ssla2enmod headersa2enmod rewrite -
Create the SSL directories.
Terminal window mkdir -p /etc/ssl/privatemkdir -p /etc/ssl/certs -
Generate the private key.
Terminal window openssl genrsa -out /etc/ssl/private/rconfig.key 2048 -
Generate the certificate signing request (CSR) and answer the prompts.
Terminal window openssl req -new -key /etc/ssl/private/rconfig.key -out /etc/ssl/certs/rconfig.csrCountry Name (2 letter code) [XX]: USState or Province Name (full name) []: CaliforniaLocality Name (eg, city) []: San FranciscoOrganization Name (eg, company) []: Your OrganizationOrganizational Unit Name (eg, section) []: IT DepartmentCommon Name (eg, your server's hostname) []: rconfig.yourdomainname.comEmail Address []: admin@yourdomainname.com -
Generate the self-signed certificate.
Terminal window # Valid for 365 days (adjust -days value as needed)openssl x509 -req -days 365 -in /etc/ssl/certs/rconfig.csr \-signkey /etc/ssl/private/rconfig.key \-out /etc/ssl/certs/rconfig.crt -
Set the correct permissions and ownership.
Terminal window chmod 600 /etc/ssl/private/rconfig.keychmod 644 /etc/ssl/certs/rconfig.crtchown root:root /etc/ssl/private/rconfig.keychown root:root /etc/ssl/certs/rconfig.crt -
Create the SSL site configuration.
Terminal window vim /etc/apache2/sites-available/rconfig-ssl.confAdd the following:
# HTTPS Virtual Host<VirtualHost *:443>ServerName your-domain.comServerAlias www.your-domain.comDocumentRoot /var/www/html/rconfig/public# SSL ConfigurationSSLEngine onSSLCertificateFile /etc/ssl/certs/rconfig.crtSSLCertificateKeyFile /etc/ssl/private/rconfig.key# Modern SSL/TLS ConfigurationSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384SSLHonorCipherOrder offSSLSessionTickets off# Security HeadersHeader always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"Header always set X-Frame-Options DENYHeader always set X-Content-Type-Options nosniffHeader always set X-XSS-Protection "1; mode=block"Header always set Referrer-Policy "strict-origin-when-cross-origin"# Laravel Application Configuration<Directory /var/www/html/rconfig/public>Options -Indexes +FollowSymLinksAllowOverride AllRequire all granted</Directory># Error and Access LogsErrorLog ${APACHE_LOG_DIR}/rconfig-ssl-error.logCustomLog ${APACHE_LOG_DIR}/rconfig-ssl-access.log combined</VirtualHost># HTTP to HTTPS Redirect<VirtualHost *:80>ServerName your-domain.comServerAlias www.your-domain.comRedirect permanent / https://your-domain.com/</VirtualHost> -
Test the Apache configuration. It should report
Syntax OK.Terminal window apache2ctl configtest -
Enable the SSL site and disable the default site.
Terminal window a2ensite rconfig-ssl.confa2dissite 000-default.conf -
Restart and enable Apache.
Terminal window systemctl restart apache2systemctl enable apache2 -
Open the firewall (if UFW is enabled).
Terminal window ufw allow 'Apache Full'ufw reload -
Verify HTTPS access. The
-kflag accepts the untrusted self-signed certificate.Terminal window curl -Ik https://your-domain.com
Configure rConfig behind a reverse proxy
Section titled “Configure rConfig behind a reverse proxy”When rConfig V8 Core runs behind a reverse proxy (nginx, HAProxy, or a cloud load balancer), the application must be told to recognise HTTPS connections terminated upstream.
-
Edit the environment configuration.
Terminal window vim /var/www/html/rconfig/.env -
Add or modify the force-HTTPS variable.
Terminal window APP_FORCE_HTTPS=true -
Configure trusted proxy headers if your proxy uses non-standard headers.
Terminal window # Add these lines to .envTRUSTED_PROXIES=*# Or specify specific proxy IP addresses:# TRUSTED_PROXIES=10.0.0.1,10.0.0.2 -
Save and exit. In vim, press
Esc, type:wq, then pressEnter. -
Clear the application cache.
Terminal window php /var/www/html/rconfig/artisan config:clearphp /var/www/html/rconfig/artisan cache:clearphp /var/www/html/rconfig/artisan route:clearphp /var/www/html/rconfig/artisan view:clear -
Verify the application redirects HTTP to HTTPS or returns HTTPS-aware headers.
Terminal window curl -I http://your-domain.com
How do I verify the SSL setup?
Section titled “How do I verify the SSL setup?”Check the HTTPS response
Section titled “Check the HTTPS response”curl -I https://your-domain.comThe headers should include:
HTTP/2 200strict-transport-security: max-age=63072000; includeSubDomains; preloadx-frame-options: DENYx-content-type-options: nosniffCheck the HTTP to HTTPS redirect
Section titled “Check the HTTP to HTTPS redirect”curl -I http://your-domain.comThe response should be:
HTTP/1.1 301 Moved PermanentlyLocation: https://your-domain.com/Validate the certificate
Section titled “Validate the certificate”# View full certificate detailsopenssl s_client -connect your-domain.com:443 -servername your-domain.com | openssl x509 -noout -text
# Check expiration datesecho | openssl s_client -servername your-domain.com -connect your-domain.com:443 2>/dev/null | openssl x509 -noout -datesOnline testing tools
Section titled “Online testing tools”- SSL Labs SSL Test for comprehensive SSL/TLS configuration analysis
- SSL Checker for quick certificate validation
- Mozilla Observatory for security headers and best practices
Common gotchas
Section titled “Common gotchas”SSL maintenance best practices
Section titled “SSL maintenance best practices”- Disable outdated protocols (SSLv3, TLS 1.0, TLS 1.1) and serve only TLS 1.2 and TLS 1.3.
- Keep the security headers (HSTS, X-Frame-Options, X-Content-Type-Options) in your virtual host.
- Protect private keys with
600permissions and never commit them to version control. - Generate RSA keys of at least 2048 bits, or 4096 bits for long-lived certificates.
- Enable HTTP/2 over TLS to reduce page load times.
- Set an alert 30 days before any certificate expires and test the renewal path regularly.
- Use consistent certificate paths (
/etc/ssl/private/,/etc/ssl/certs/) and descriptive names likerconfig-prod.crt. - Include certificates and private keys in your backup procedures and store them securely offline.
Quick reference
Section titled “Quick reference”Certificate file locations
Section titled “Certificate file locations”| OS Type | Private Key | Certificate | Apache Config |
|---|---|---|---|
| Rocky/RHEL/CentOS | /etc/ssl/private/rconfig.key | /etc/ssl/certs/rconfig.crt | /etc/httpd/conf.d/ |
| Ubuntu | /etc/ssl/private/rconfig.key | /etc/ssl/certs/rconfig.crt | /etc/apache2/sites-available/ |
Common commands
Section titled “Common commands”# Check Apache syntaxhttpd -t
# View virtual hostshttpd -S
# Restart Apachesystemctl restart httpd
# View error logstail -f /var/log/httpd/error_log
# Check certificate expirationopenssl x509 -in /etc/ssl/certs/rconfig.crt -noout -dates
# Test SSL connectionopenssl s_client -connect your-domain.com:443
# Renew Let's Encrypt certificatecertbot renew --force-renewal
# Test certificate renewalcertbot renew --dry-run# Check Apache syntaxapache2ctl configtest
# View virtual hostsapache2ctl -S
# Restart Apachesystemctl restart apache2
# View error logstail -f /var/log/apache2/error.log
# Check certificate expirationopenssl x509 -in /etc/ssl/certs/rconfig.crt -noout -dates
# Test SSL connectionopenssl s_client -connect your-domain.com:443
# Renew Let's Encrypt certificatecertbot renew --force-renewal
# Test certificate renewalcertbot renew --dry-runCertificate renewal schedule
Section titled “Certificate renewal schedule”| Certificate Type | Validity Period | Renewal Frequency | Automation |
|---|---|---|---|
| Let’s Encrypt | 90 days | Every 60 days | Automatic via cron or systemd |
| Self-Signed | User-defined (typically 365 days) | Before expiration | Manual |
| Commercial CA | 1 to 2 years | 30 days before expiration | Manual or vendor-specific |
Firewall rules
Section titled “Firewall rules”# Add HTTP and HTTPS servicesfirewall-cmd --permanent --add-service=httpfirewall-cmd --permanent --add-service=httpsfirewall-cmd --reload
# Verify rulesfirewall-cmd --list-services
# Add specific ports (alternative)firewall-cmd --permanent --add-port=80/tcpfirewall-cmd --permanent --add-port=443/tcpfirewall-cmd --reload# Allow HTTP and HTTPSufw allow 80/tcpufw allow 443/tcpufw reload
# Verify rulesufw status
# Allow Apache Full (HTTP + HTTPS)ufw allow 'Apache Full'# Allow HTTPiptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow HTTPSiptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Save rules (method varies by distribution)# Rocky/RHEL/CentOSiptables-save > /etc/sysconfig/iptables
# Ubuntu/Debianiptables-save > /etc/iptables/rules.v4What’s next
Section titled “What’s next”- Harden your rConfig V8 Core server for the full server-side security checklist
- Configure single sign-on once HTTPS is in place, since most SSO providers require it
- Tune the operating system for Apache, firewall, and supporting service configuration