TLS (Transport Layer Security) is a protocol that ensures secure communication over a network. It’s crucial for protecting sensitive information, ensuring privacy, and securing online transactions. Installing TLS on your Linux server is a crucial step in encrypting communication between your server and users, thereby boosting trust and enhancing your website’s SEO ranking.
This article covers how to install TLS on a Linux server.
Why Use TLS on Your Linux Server?

TLS encrypts data in transit between the client and your server, protecting it from unauthorized access during transmission. It authenticates your server’s identity, ensuring that clients can trust the information they receive. Beyond security, TLS is essential for compliance with data privacy laws such as GDPR.
Additionally, search engines like Google prioritize HTTPS websites, improving SEO rankings. Whether you’re running a small website or a large web application, implementing TLS is a must.
Prerequisites
Before you begin the installation process, ensure that you have the following prerequisites:
- Root or sudo privileges: You need administrative access to install the necessary packages.
- A valid domain name pointing to your server (ensure your DNS is configured correctly).
- A web server like Apache or Nginx is installed and running on your Linux server.
- OpenSSL is installed for creating SSL/TLS certificates.
- Internet connection for downloading the necessary dependencies.
- Firewall configuration: Ensure that ports 80 (HTTP) and 443 (HTTPS) are open for inbound traffic.
Install TLS on a Linux Server
Installing TLS on your Linux server is primarily done using OpenSSL, a toolkit that provides support for SSL and TLS protocols. It enables you to create self-signed certificates or request certificates from a trusted Certificate Authority (CA).
In this section, we’ll guide you through the process of setting up TLS on your server.
Install OpenSSL
OpenSSL is required for generating certificates and enabling TLS support. Here’s how to install it on your server.
- For Ubuntu/Debian-based systems:
sudo apt update
sudo apt install openssl
- For CentOS/RHEL-based systems:
sudo yum install openssl
Generate a TLS Certificate
You can either generate a self-signed certificate or request a certificate from a trusted Certificate Authority (CA). For production environments, it’s recommended to use a CA-issued certificate.
For a self-signed certificate (good for testing or internal use):
openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt -days 365
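This command creates a new 4096-bit RSA key pair and generates a self-signed certificate valid for 365 days. It will prompt you for a passphrase to protect the private key and for details like the country, state, and domain name. A passphrase-protected key makes the web server ask for that passphrase each time it starts.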
To create a Certificate Signing Request (CSR) for a CA-issued certificate:
openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/certs/server.csr
The CSR file can be submitted to a Certificate Authority to obtain a signed certificate.
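A non-interactive variant of the self-signed command above, added here as an example and not taken from the original article. It writes an unencrypted key with owner-only permissions and sets the subjectAltName that clients match the hostname against. The function names and the example.test domain are assumptions, and -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: function names and example.test are placeholders.

# make_selfsigned DOMAIN OUTDIR
# Writes OUTDIR/server.key and OUTDIR/server.crt without prompting.
make_selfsigned() {
    domain=$1
    outdir=$2
    (
        # Create both files with owner-only permissions from the start,
        # so the key is never world-readable, even briefly.
        umask 077
        # -nodes: key is stored unencrypted so the web server can start
        #         unattended; file permissions are its only protection.
        # -addext: adds the subjectAltName entry used for hostname checks.
        openssl req -x509 -newkey rsa:4096 -nodes -days 365 \
            -subj "/CN=$domain" \
            -addext "subjectAltName=DNS:$domain" \
            -keyout "$outdir/server.key" \
            -out "$outdir/server.crt" 2>/dev/null
    ) || return 1
    # The certificate is public; only the key has to stay private.
    chmod 644 "$outdir/server.crt"
    chmod 600 "$outdir/server.key"
}

# cert_covers_host CERT HOSTNAME
# Succeeds only if the certificate is valid for HOSTNAME.
# openssl prints "does match" or "does NOT match"; the exit status of
# -checkhost is not relied on here, so the output is inspected instead.
cert_covers_host() {
    openssl x509 -noout -checkhost "$2" -in "$1" | grep -q 'does match'
}

# Usage:
#   make_selfsigned example.test /tmp/tls-test
#   cert_covers_host /tmp/tls-test/server.crt example.test && echo covered
```
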
Install and Configure the TLS Certificate
Now that you have your certificate, it’s time to configure your web server to use it.
For Apache:
- Edit the Apache SSL configuration file (usually found at /etc/apache2/sites-available/default-ssl.conf or /etc/httpd/conf.d/ssl.conf).
- Add or modify the following lines to point to your certificate and key files:
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
- Enable SSL and restart Apache:
sudo a2enmod ssl
sudo systemctl restart apache2
For Nginx:
- Modify the server block configuration in your Nginx configuration file (usually found at /etc/nginx/sites-available/default or /etc/nginx/nginx.conf).
- Add the following lines inside the server block that handles HTTPS (the one with listen 443 ssl;):
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
- Restart Nginx:
sudo systemctl restart nginx
Verify TLS Installation
Once you’ve installed and configured TLS, you can verify it by checking your server’s SSL status.
- Open a browser and navigate to https://yourdomain.com. The padlock icon should appear, indicating that the connection is secure.
- Alternatively, you can use the openssl command to test the connection:
openssl s_client -connect yourdomain.com:443
This will show detailed information about the SSL/TLS connection.
- Optionally, you can use the SSL Labs test to verify your server’s SSL/TLS configuration.
Automating TLS Certificate Renewal
TLS certificates from Let’s Encrypt are valid for 90 days. To ensure continuous secure communication, it’s crucial to set up automatic renewal.
For Let’s Encrypt:
- Install Certbot, a tool that automatically renews and installs TLS certificates from Let’s Encrypt:
sudo apt install certbot
- Set up automatic renewal by adding a cron job to your system:
sudo crontab -e
- Add the following line to run the Certbot renewal process periodically:
0 0 * * * certbot renew --quiet
- Test the renewal process using:
sudo certbot renew --dry-run
Troubleshooting TLS Installation Issues
While the TLS installation process is typically smooth, you may encounter issues. Here are some common problems and solutions:
- Certificate not trusted: This may happen if you’re using a self-signed certificate. You’ll need to either switch to a CA-issued certificate or add the certificate to trusted authorities.
- Server not accepting HTTPS connections: Ensure that ports 443 and 80 are open on your firewall and that SSL is enabled in your server configuration.
- Mismatched certificate and private key: Ensure that the certificate and key files match. You can check this by comparing their modulus:
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
For more detailed error logs, check the server logs:
sudo cat /var/log/apache2/error.log
sudo cat /var/log/nginx/error.log
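The certificate and key check from the list above, written as a reusable script together with an expiry check that complements the renewal cron job. This is an added example, not part of the original article. It compares public keys instead of the RSA modulus, so it also works for EC keys, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: function names are hypothetical.

# cert_matches_key CERT KEY
# Succeeds when the certificate and the private key hold the same public key.
# Returns 2 if either file cannot be read or parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS
# Succeeds when the certificate is still valid DAYS days from now.
# -checkend exits non-zero if the certificate expires within the window.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# check_pair CERT KEY MIN_DAYS
# Prints one word (OK, MISMATCH or EXPIRING), suitable for a cron
# wrapper or a monitoring check; non-zero exit on any problem.
check_pair() {
    cert_matches_key "$1" "$2" || { echo MISMATCH; return 1; }
    cert_valid_for_days "$1" "$3" || { echo EXPIRING; return 1; }
    echo OK
}

# Usage with the paths from this article:
#   check_pair /etc/ssl/certs/server.crt /etc/ssl/private/server.key 14
```
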
Conclusion
Installing TLS on your Linux server is essential for securing communication with your users. Whether you’re using a self-signed certificate for testing or a trusted certificate from a CA, TLS provides encryption that protects sensitive data. By setting up automatic renewal, you ensure continuous security without manual intervention. Regularly test your SSL/TLS configuration to maintain a secure environment for your visitors.