Skip to content

SSL Setup for rConfig V8 Core

After reading this page, I can secure my rConfig V8 Core install with HTTPS using either a Let’s Encrypt certificate or a self-signed certificate, configure automatic renewal, and verify the connection. The same steps cover Rocky Linux, CentOS, RHEL, and Ubuntu.

Use this page when you are bringing a new rConfig V8 Core server online, or when you need to add HTTPS to an existing HTTP-only install. Choose Let’s Encrypt for production servers with a public domain, or a self-signed certificate for internal, air-gapped, or development environments.

  • Domain configured and resolving to your server
  • Apache web server installed and running
  • Ports 80 (HTTP) and 443 (HTTPS) open on the firewall
  • Sudo or root privileges on the server
  • For Let’s Encrypt: the domain must be publicly accessible so certbot can complete validation

Best for production environments with public-facing domains.

  • Free, automated certificate management
  • Trusted by all major browsers
  • 90-day validity with automated renewal
  • Requires a publicly accessible domain, valid DNS records, and port 80 open for validation

Best for internal networks, development, and testing environments.

  • No external dependencies, works in air-gapped environments
  • Full control over certificate properties
  • Browsers show a security warning because the certificate is not issued by a trusted Certificate Authority
  • Not suitable for public-facing production environments

Pick the tab that matches your certificate type and operating system.

Let’s Encrypt on Rocky Linux, CentOS, RHEL

Section titled “Let’s Encrypt on Rocky Linux, CentOS, RHEL”
Rocky Linux logo for rConfig V8 Core SSL certificate setup on Rocky Linux, CentOS, and RHEL
  1. Update system packages.

    Terminal window
    yum -y update
  2. Install mod_ssl.

    Terminal window
    yum -y install mod_ssl
  3. Install certbot and its dependencies.

    Terminal window
    # Enable EPEL repository
    yum -y install epel-release
    # Install required utilities
    yum -y install yum-utils
    # Install certbot for Apache
    yum -y install certbot python3-certbot-apache
  4. Stop Apache so certbot can bind to port 80.

    Terminal window
    systemctl stop httpd
  5. Run certbot and follow the interactive prompts.

    Terminal window
    certbot --apache

    Select which domains to activate HTTPS for:

    Which names would you like to activate HTTPS for?
    -------------------------------------------------------------------------------
    1: yourdomainname.com
    2: rconfig.yourdomainname.com
    -------------------------------------------------------------------------------
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel):

    Press Enter to select all domains, then choose the redirect option:

    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    -------------------------------------------------------------------------------
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    -------------------------------------------------------------------------------
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
  6. Verify the Apache configuration that certbot wrote.

    Terminal window
    # Check configuration syntax
    httpd -t
    # View SSL virtual host configuration
    cat /etc/httpd/conf/httpd-le-ssl.conf
  7. Configure automatic renewal with a cron job.

    Terminal window
    crontab -e

    Add this line to renew certificates twice daily:

    Terminal window
    0 */12 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload httpd"
  8. Test the renewal process.

    Terminal window
    certbot renew --dry-run

    A successful simulation reports:

    Congratulations, all simulated renewals succeeded
  9. Start and enable Apache.

    Terminal window
    systemctl start httpd
    systemctl enable httpd
  10. Verify HTTPS access.

    Terminal window
    curl -I https://your-domain.com

When rConfig V8 Core runs behind a reverse proxy (nginx, HAProxy, or a cloud load balancer), the application must be told to recognise HTTPS connections terminated upstream.

  1. Edit the environment configuration.

    Terminal window
    vim /var/www/html/rconfig/.env
  2. Add or modify the force-HTTPS variable.

    Terminal window
    APP_FORCE_HTTPS=true
  3. Configure trusted proxy headers if your proxy uses non-standard headers.

    Terminal window
    # Add these lines to .env
    TRUSTED_PROXIES=*
    # Or specify specific proxy IP addresses:
    # TRUSTED_PROXIES=10.0.0.1,10.0.0.2
  4. Save and exit. In vim, press Esc, type :wq, then press Enter.

  5. Clear the application cache.

    Terminal window
    php /var/www/html/rconfig/artisan config:clear
    php /var/www/html/rconfig/artisan cache:clear
    php /var/www/html/rconfig/artisan route:clear
    php /var/www/html/rconfig/artisan view:clear
  6. Verify the application redirects HTTP to HTTPS or returns HTTPS-aware headers.

    Terminal window
    curl -I http://your-domain.com
Terminal window
curl -I https://your-domain.com

The headers should include:

HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff
Terminal window
curl -I http://your-domain.com

The response should be:

HTTP/1.1 301 Moved Permanently
Location: https://your-domain.com/
Terminal window
# View full certificate details
openssl s_client -connect your-domain.com:443 -servername your-domain.com | openssl x509 -noout -text
# Check expiration dates
echo | openssl s_client -servername your-domain.com -connect your-domain.com:443 2>/dev/null | openssl x509 -noout -dates
  • Disable outdated protocols (SSLv3, TLS 1.0, TLS 1.1) and serve only TLS 1.2 and TLS 1.3.
  • Keep the security headers (HSTS, X-Frame-Options, X-Content-Type-Options) in your virtual host.
  • Protect private keys with 600 permissions and never commit them to version control.
  • Generate RSA keys of at least 2048 bits, or 4096 bits for long-lived certificates.
  • Enable HTTP/2 over TLS to reduce page load times.
  • Set an alert 30 days before any certificate expires and test the renewal path regularly.
  • Use consistent certificate paths (/etc/ssl/private/, /etc/ssl/certs/) and descriptive names like rconfig-prod.crt.
  • Include certificates and private keys in your backup procedures and store them securely offline.
OS TypePrivate KeyCertificateApache Config
Rocky/RHEL/CentOS/etc/ssl/private/rconfig.key/etc/ssl/certs/rconfig.crt/etc/httpd/conf.d/
Ubuntu/etc/ssl/private/rconfig.key/etc/ssl/certs/rconfig.crt/etc/apache2/sites-available/
Terminal window
# Check Apache syntax
httpd -t
# View virtual hosts
httpd -S
# Restart Apache
systemctl restart httpd
# View error logs
tail -f /var/log/httpd/error_log
# Check certificate expiration
openssl x509 -in /etc/ssl/certs/rconfig.crt -noout -dates
# Test SSL connection
openssl s_client -connect your-domain.com:443
# Renew Let's Encrypt certificate
certbot renew --force-renewal
# Test certificate renewal
certbot renew --dry-run
Certificate TypeValidity PeriodRenewal FrequencyAutomation
Let’s Encrypt90 daysEvery 60 daysAutomatic via cron or systemd
Self-SignedUser-defined (typically 365 days)Before expirationManual
Commercial CA1 to 2 years30 days before expirationManual or vendor-specific
Terminal window
# Add HTTP and HTTPS services
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
# Verify rules
firewall-cmd --list-services
# Add specific ports (alternative)
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload