ResourceSource.com Control
HTTPS Guide

Your Setup

Domain: enter it without http://, just the domain
Server IP: find yours with: curl ifconfig.me
Already done? Toggle to skip:
DNS is already pointed to my server

Run this from any machine:

dig +short example.com
dig +short www.example.com

If both return your server's IP → DNS is set. If they return nothing or a different IP → you still need Step 1.

Certbot is already installed

Run this on your server:

certbot --version

See a version number (e.g. "certbot 2.x.x") → it's installed. Get "command not found" → you need Step 2.

Security hardening is already done (or skip — it's optional)

Check if directory listing is off and hidden files are blocked:

# See if security-hardening.conf (or similar) already exists:
ls /etc/apache2/conf-enabled/ | grep -i secur

# Check if ServerTokens is already set:
grep -r "ServerTokens" /etc/apache2/

# Check if directory listing is disabled:
grep -r "Options.*-Indexes" /etc/apache2/

If you see ServerTokens Prod and -Indexes in existing configs, hardening is likely already in place. You can toggle this off above or skip Step 5.

Firewall ports 80 & 443 are open

Check which firewall you use, then run the matching command:

# UFW (Ubuntu/Debian):
sudo ufw status

# firewalld (CentOS/RHEL):
sudo firewall-cmd --list-all

# iptables (manual):
sudo iptables -L -n | grep -E '80|443'

Look for rules allowing ports 80 and 443. If you see them → they're open. Also check your cloud provider's Security Group if on AWS/GCP/Azure — those are separate from the OS firewall.

Auto-renewal is already set up (or I'll do it later)

Run these to see if Certbot auto-renewal is already active:

# Check for a systemd timer:
sudo systemctl list-timers | grep certbot

# Or check for a cron job:
sudo crontab -l | grep certbot
cat /etc/cron.d/certbot 2>/dev/null

If you see a timer or cron entry mentioning certbot → renewal is already configured. If nothing comes back → you need the verification in the final step.

Step 1: Configure DNS Records

Log into your domain registrar (Namecheap, Cloudflare, GoDaddy, etc.) and create or update these two A records:

DNS Records
Type    Host     Value                   TTL
A       @        YOUR_SERVER_IP          300
A       www      YOUR_SERVER_IP          300

DNS propagation can take 5 minutes to 48 hours. Verify with:

dig +short example.com

Step 2: Install Certbot

Ubuntu / Debian:
sudo apt update
sudo apt install certbot python3-certbot-apache -y

CentOS / RHEL:
sudo dnf install epel-release -y
sudo dnf install certbot python3-certbot-apache -y

Step 3: Create VHost (Port 80)

First, create the document root directory:

Terminal
sudo mkdir -p /var/www/example.com
sudo chown -R www-data:www-data /var/www/example.com

Next, create the config file:

Creating a file with nano:
  1. Run: sudo nano /etc/apache2/sites-available/example.com.conf
  2. Paste the content below
  3. Save: Ctrl + O, then Enter
  4. Exit: Ctrl + X

example.com.conf
<VirtualHost *:80>
    ServerName    example.com
    ServerAlias   www.example.com
    DocumentRoot  /var/www/example.com

    ErrorLog      ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog     ${APACHE_LOG_DIR}/example.com-access.log combined
</VirtualHost>

Then enable the site:

Terminal
sudo a2ensite example.com.conf
sudo apache2ctl configtest

Step 4: Open Firewall

UFW (Ubuntu/Debian)
sudo ufw allow 'Apache Full'
sudo ufw status

Step 5: Security Hardening (optional)

Create config with nano:
  1. sudo nano /etc/apache2/conf-available/security-hardening.conf
  2. Paste the content below
  3. Save and Exit

security-hardening.conf
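# BLOCK HIDDEN FILES & DIRECTORIES
# <DirectoryMatch> is merged after plain <Directory> sections, so a separate
# "Require all granted" for .well-known would be overridden by this rule.
# The negative lookahead exempts .well-known here instead.
<DirectoryMatch "/\.(?!well-known)">
    Require all denied
</DirectoryMatch>

# Allow .well-known for Certbot validation
<Directory /var/www/example.com/.well-known>
    Require all granted
</Directory>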

# BLOCK BACKUP & CONFIG FILES
<FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
    Require all denied
</FilesMatch>

# DIRECTORY OPTIONS
<Directory /var/www/example.com>
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>

ServerTokens Prod
ServerSignature Off

<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # Legacy header: current major browsers no longer implement the XSS
    # filter it controls, so it adds no protection there.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

Enable the config:

Terminal
sudo a2enconf security-hardening
sudo a2enmod headers rewrite ssl

Step 6: Restart Apache

Terminal
sudo apache2ctl configtest
sudo systemctl restart apache2

Step 7: Run Certbot

Terminal
sudo certbot --apache -d example.com -d www.example.com

Step 8: Restart Post-Certbot

Terminal
sudo systemctl restart apache2
sudo systemctl is-active apache2

Step 9: Verify HTTPS

Create a test page:

sudo nano /var/www/example.com/index.html
/var/www/example.com/index.html
<!DOCTYPE html>
<html>
<head><title>HTTPS Test</title></head>
<body>
  <h1>It works!</h1>
  <p>HTTPS is running on example.com</p>
  <p>Served at: <script>document.write(new Date())</script></p>
</body>
</html>

Test it:

Terminal
curl -I https://example.com
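
The curl -I output can also be checked automatically against the values set in Step 5. The following is an added example, not part of the original guide: audit_headers and the two sample responses are constructed for illustration (the version string in the unhardened sample is made up), and the check assumes the Step 5 config was applied unchanged.

```shell
#!/bin/sh
# Added example: audit response headers against the Step 5 hardening values.
# Reads raw headers on stdin, prints one line per finding, returns 1 if any.
audit_headers() {
    # Normalise: strip CRs, lower-case (HTTP/2 responses use lower-case names).
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    rc=0
    # Expected pairs (lower-cased) taken from security-hardening.conf.
    while IFS='|' read -r name want; do
        got=$(printf '%s\n' "$hdrs" | sed -n "s/^$name:[[:space:]]*//p" | head -n 1)
        if [ -z "$got" ]; then
            echo "MISSING $name"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $name: $got"; rc=1
        fi
    done <<'EOF'
x-content-type-options|nosniff
x-frame-options|sameorigin
referrer-policy|strict-origin-when-cross-origin
EOF
    # ServerTokens Prod reduces the banner to "Apache" (no version, no OS).
    server=$(printf '%s\n' "$hdrs" | sed -n 's/^server:[[:space:]]*//p' | head -n 1)
    case "$server" in
        ''|apache) ;;
        *) echo "VERBOSE server: $server"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a response from a server where Step 5 was not applied.
sample_unhardened() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' \
        'Server: Apache/2.4.58 (Ubuntu)' \
        'X-Frame-Options: DENY' ''
}

# Constructed sample: the response expected once Step 5 is enabled.
sample_hardened() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' \
        'X-Content-Type-Options: nosniff' 'X-Frame-Options: SAMEORIGIN' \
        'Referrer-Policy: strict-origin-when-cross-origin' ''
}

sample_unhardened | audit_headers || echo "-> hardening incomplete"
sample_hardened | audit_headers && echo "-> all Step 5 checks pass"
```

Against the live site, run: curl -sI https://example.com | audit_headers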

Step 10: Confirm Auto-Renewal

Terminal
sudo certbot renew --dry-run
sudo systemctl list-timers | grep certbot