{"id":14226,"date":"2025-12-30T11:09:25","date_gmt":"2025-12-30T05:39:25","guid":{"rendered":"https:\/\/www.youstable.com\/blog\/?p=14226"},"modified":"2025-12-30T11:09:27","modified_gmt":"2025-12-30T05:39:27","slug":"create-tls-on-linux-server","status":"publish","type":"post","link":"https:\/\/www.youstable.com\/blog\/create-tls-on-linux-server","title":{"rendered":"How to Create TLS on Linux Server with OpenSSL"},"content":{"rendered":"\n<p><strong>To create TLS on a Linux server<\/strong>, install a trusted certificate (Let\u2019s Encrypt or commercial CA) or generate a self-signed cert with OpenSSL, then configure your web server (Nginx\/Apache) to use the certificate and enforce TLS 1.2\/1.3.<\/p>\n\n\n\n<p>Finally, test with SSL Labs, enable auto-renewal, and add security headers like HSTS.<\/p>\n\n\n\n<p>Securing your website with HTTPS is essential for trust, SEO, and compliance. This guide explains how to create TLS on Linux server environments using Let\u2019s Encrypt and OpenSSL, configure strong ciphers on Nginx\/Apache, enable TLS 1.3, and set up automated renewals step by step, beginner friendly, and production-ready.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"what-is-tls-and-why-it-matters\"><strong>What is TLS and Why it Matters<\/strong>?<\/h2>\n\n\n\n<div class=\"wp-block-media-text has-media-on-the-right is-stacked-on-mobile\"><div class=\"wp-block-media-text__content\">\n<p>TLS (Transport Layer Security) encrypts data between clients and servers. It\u2019s the modern, secure successor to SSL and is required for the HTTPS padlock. Benefits include confidentiality, integrity, authentication (via certificates), better user trust, and improved search rankings. 
<\/p>\n<\/div><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" decoding=\"async\" width=\"1168\" height=\"784\" src=\"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/What-Is-TLS-and-Why-It-Matters.png\" alt=\"What Is TLS and Why It Matters\" class=\"wp-image-14640 size-full\" srcset=\"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/What-Is-TLS-and-Why-It-Matters.png 1168w, https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/What-Is-TLS-and-Why-It-Matters-150x101.png 150w\" sizes=\"auto, (max-width: 1168px) 100vw, 1168px\" \/><\/figure><\/div>\n\n\n\n<p>Always target TLS 1.2 and TLS 1.3\u2014disable legacy protocols like SSLv3, TLS 1.0, and TLS 1.1.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"prerequisites-and-choosing-the-right-certificate\"><strong>Prerequisites and Choosing the Right Certificate<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"prerequisites\"><strong>Prerequisites<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A Linux server (Ubuntu\/Debian, RHEL\/CentOS\/AlmaLinux, etc.) with sudo\/root access<\/li>\n\n\n\n<li>A registered domain pointing to your server\u2019s public IP<\/li>\n\n\n\n<li>Firewall allowing ports 80 (HTTP) and 443 (HTTPS)<\/li>\n\n\n\n<li><a href=\"https:\/\/www.youstable.com\/blog\/install-apache-web-server-in-linux\/\">Installed web server<\/a> (Nginx or Apache) or proxy\/stack (HAProxy, Node.js behind Nginx, etc.)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"certificate-options-lets-encrypt-vs-commercial-vs-self-signed\"><strong>Certificate Options: Let\u2019s Encrypt vs. Commercial vs. Self\u2011Signed<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Let\u2019s Encrypt (DV): <\/strong>Free, automated, and trusted by all browsers. 
Ideal for most websites and APIs.<\/li>\n\n\n\n<li><strong>Commercial CA (DV\/OV\/EV):<\/strong> Paid, may include warranties\/support, OV\/EV display validated organization info.<\/li>\n\n\n\n<li><strong>Self\u2011signed: <\/strong>Free but untrusted by browsers; use for internal testing, dev, or non-public endpoints.<\/li>\n<\/ul>\n\n\n\n<p>For public sites, Let\u2019s Encrypt is the fastest path to secure, automated HTTPS. For internal services, self\u2011signed or private CA may suffice.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"method-1-free-https-with-lets-encrypt-certbot\"><strong>Method 1: Free HTTPS with Let\u2019s Encrypt (Certbot)<\/strong><\/h2>\n\n\n\n<p>Certbot automates certificate issuance and renewal. It can integrate with Nginx\/Apache or run standalone. Below are commands for common distributions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"install-certbot\"><strong>Install Certbot<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Ubuntu \/ Debian (apt)\nsudo apt update\nsudo apt install -y certbot python3-certbot-nginx python3-certbot-apache\n\n# RHEL \/ CentOS \/ AlmaLinux \/ Rocky (dnf)\nsudo dnf install -y epel-release\nsudo dnf install -y certbot python3-certbot-nginx python3-certbot-apache\n\n# Amazon Linux 2\nsudo dnf install -y certbot python3-certbot-nginx python3-certbot-apache<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"obtain-and-install-certificates-nginx\"><strong>Obtain and Install Certificates (Nginx)<\/strong><\/h3>\n\n\n\n<p>Ensure your server_name matches the domain and your site is reachable on port 80\/443. 
Then run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo certbot --nginx -d example.com -d www.example.com\n# Follow prompts to choose redirect (select \u201credirect\u201d to force HTTPS)<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"obtain-and-install-certificates-apache\"><strong>Obtain and Install Certificates (Apache)<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo certbot --apache -d example.com -d www.example.com\n# Choose the <a href=\"https:\/\/www.youstable.com\/blog\/redirect-http-to-https\/\">HTTPS redirect<\/a> option when prompted<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"standalone-webroot-methods\"><strong>Standalone \/ Webroot Methods<\/strong><\/h3>\n\n\n\n<p>Use these if Certbot should not modify your server configuration (e.g., custom stacks, containers).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Webroot (your app still serves HTTP)\nsudo certbot certonly --webroot -w \/var\/www\/html \\\n  -d example.com -d www.example.com\n\n# Standalone (Certbot runs a temporary HTTP server; stop Nginx\/Apache first)\nsudo systemctl stop nginx || sudo systemctl stop apache2 || true\nsudo certbot certonly --standalone -d example.com\nsudo systemctl start nginx || sudo systemctl start apache2 || true<\/code><\/pre>\n\n\n\n<p>Certificates are stored under \/etc\/letsencrypt\/live\/DOMAIN\/ as fullchain.pem (cert + chain) and privkey.pem (private key).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"auto-renewal\"><strong>Auto-Renewal<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Test renewal (dry run)\nsudo certbot renew --dry-run\n\n# Systemd timers handle renewal on most distros; or use cron:\n# 0 3 * * * \/usr\/bin\/certbot renew --quiet --post-hook \"systemctl reload nginx\"<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" 
id=\"method-2-create-a-self-signed-tls-certificate-with-openssl\"><strong>Method 2: Create a Self\u2011Signed TLS Certificate with OpenSSL<\/strong><\/h2>\n\n\n\n<p>Use self\u2011signed certificates for internal systems, lab environments, or testing; browsers will warn users on public sites. Modern browsers also ignore the CN and require a Subject Alternative Name, so prefer the SAN variant below for anything a browser will connect to.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"simple-self-signed-certificate\"><strong>Simple Self\u2011Signed Certificate<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># 1. Create a private key (2048-bit RSA; ECDSA P-256 is a faster alternative)\n#    \/etc\/ssl\/private is root-owned, so the commands need sudo\nsudo openssl genrsa -out \/etc\/ssl\/private\/example.key 2048\nsudo chmod 600 \/etc\/ssl\/private\/example.key\n\n# 2. Create a self-signed certificate (valid 365 days)\nsudo openssl req -new -x509 -key \/etc\/ssl\/private\/example.key \\\n  -out \/etc\/ssl\/certs\/example.crt -days 365 -subj \"\/CN=example.com\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"san-subject-alternative-name-self-signed-certificate\"><strong>SAN (Subject Alternative Name) Self\u2011Signed Certificate<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Create an OpenSSL config with SANs (written via sudo tee because \/etc\/ssl is root-owned)\nsudo tee \/etc\/ssl\/openssl-san.cnf &gt; \/dev\/null &lt;&lt;'EOF'\n[ req ]\ndefault_bits       = 2048\nprompt             = no\ndefault_md         = sha256\nreq_extensions     = req_ext\ndistinguished_name = dn\n\n[ dn ]\nCN = example.com\n\n[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\nDNS.1 = example.com\nDNS.2 = www.example.com\nEOF\n\n# Generate key and CSR, then self-sign with SAN (\/etc\/ssl\/csr does not exist by default)\nsudo mkdir -p \/etc\/ssl\/csr\nsudo openssl genrsa -out \/etc\/ssl\/private\/example.key 2048\nsudo chmod 600 \/etc\/ssl\/private\/example.key\nsudo openssl req -new -key \/etc\/ssl\/private\/example.key \\\n  -out \/etc\/ssl\/csr\/example.csr -config \/etc\/ssl\/openssl-san.cnf\nsudo openssl x509 -req -in \/etc\/ssl\/csr\/example.csr -signkey \/etc\/ssl\/private\/example.key \\\n  -out \/etc\/ssl\/certs\/example.crt -days 365 -extensions req_ext -extfile \/etc\/ssl\/openssl-san.cnf\n\n# Confirm the SANs were copied into the certificate (OpenSSL 1.1.1+)\nopenssl x509 -in \/etc\/ssl\/certs\/example.crt -noout -ext subjectAltName<\/code><\/pre>\n\n\n\n<p>Lock down permissions: private keys should be 
readable only by root (chmod 600) and stored in \/etc\/ssl\/private.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configure-popular-servers-for-strong-tls\"><strong>Configure Popular Servers for Strong TLS<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"nginx-enable-tls-1-3-harden-ciphers-hsts-ocsp\"><strong>Nginx: Enable TLS 1.3, Harden Ciphers, HSTS, OCSP<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># \/etc\/nginx\/sites-available\/example.conf\nserver {\n  listen 80;\n  server_name example.com www.example.com;\n  return 301 https:\/\/$host$request_uri;\n}\n\nserver {\n  # On Nginx 1.25.1+ the http2 listen parameter is deprecated; use \"http2 on;\" instead\n  listen 443 ssl http2;\n  server_name example.com www.example.com;\n\n  ssl_certificate     \/etc\/letsencrypt\/live\/example.com\/fullchain.pem;\n  ssl_certificate_key \/etc\/letsencrypt\/live\/example.com\/privkey.pem;\n\n  # TLS 1.3 suites are fixed by OpenSSL; ssl_ciphers only governs TLS 1.2\n  ssl_protocols TLSv1.2 TLSv1.3;\n  ssl_prefer_server_ciphers on;\n  # Keep the list on one line: a line break inside the quotes is not a valid separator for OpenSSL\n  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';\n\n  # OCSP Stapling (requires resolver and valid chain; only useful for CAs that still run OCSP responders)\n  resolver 1.1.1.1 8.8.8.8;\n  ssl_stapling on;\n  ssl_stapling_verify on;\n\n  # Security headers (HSTS enforces HTTPS in browsers)\n  add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\n  add_header X-Content-Type-Options nosniff;\n  add_header X-Frame-Options SAMEORIGIN;\n\n  root \/var\/www\/html;\n  index index.html index.php;\n  # ... 
your location blocks ...\n}\n\nsudo nginx -t &amp;&amp; sudo systemctl reload nginx<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"apache-enable-tls-1-3-strong-suites-hsts\"><strong>Apache: Enable TLS 1.3, Strong Suites, HSTS<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># \/etc\/apache2\/sites-available\/example-ssl.conf (Debian\/Ubuntu)\n# Ensure modules: a2enmod ssl headers rewrite http2\n&lt;IfModule mod_ssl.c&gt;\n  # The stapling cache is server-wide: SSLStaplingCache is only valid outside a VirtualHost\n  SSLStaplingCache \"shmcb:\/var\/run\/ocsp(128000)\"\n\n  &lt;VirtualHost *:443&gt;\n    ServerName example.com\n    ServerAlias www.example.com\n    DocumentRoot \/var\/www\/html\n    # Offer HTTP\/2 (mod_http2 must be enabled)\n    Protocols h2 http\/1.1\n\n    SSLEngine on\n    SSLCertificateFile \/etc\/letsencrypt\/live\/example.com\/fullchain.pem\n    SSLCertificateKeyFile \/etc\/letsencrypt\/live\/example.com\/privkey.pem\n\n    SSLProtocol -all +TLSv1.2 +TLSv1.3\n    # TLS 1.3 suite names need the TLSv1.3 keyword (Apache 2.4.36+, OpenSSL 1.1.1+);\n    # without it they are applied to the TLS 1.2 list, which does not recognise them\n    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256\n    # TLS 1.2 suites (same modern set as the Nginx example)\n    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256\n    SSLHonorCipherOrder off\n\n    # OCSP Stapling\n    SSLUseStapling on\n\n    # HSTS and security headers\n    Header always set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\n    Header set X-Content-Type-Options \"nosniff\"\n    Header set X-Frame-Options \"SAMEORIGIN\"\n  &lt;\/VirtualHost&gt;\n&lt;\/IfModule&gt;\n\n# Redirect HTTP to HTTPS\n&lt;VirtualHost *:80&gt;\n  ServerName example.com\n  ServerAlias www.example.com\n  RewriteEngine On\n  RewriteRule ^ https:\/\/%{HTTP_HOST}%{REQUEST_URI} [L,R=301]\n&lt;\/VirtualHost&gt;\n\nsudo a2enmod ssl headers rewrite http2\nsudo a2ensite example-ssl.conf\nsudo apachectl configtest &amp;&amp; sudo systemctl reload apache2<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"haproxy-tls-termination\"><strong>HAProxy: TLS Termination<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Concatenate cert and key into a single PEM for HAProxy\ncat \/etc\/letsencrypt\/live\/example.com\/fullchain.pem 
\/etc\/letsencrypt\/live\/example.com\/privkey.pem \\\n  | sudo tee \/etc\/haproxy\/certs\/example.com.pem\n\n# \/etc\/haproxy\/haproxy.cfg\nglobal\n  tune.ssl.default-dh-param 2048\n\nfrontend https\n  bind :443 ssl crt \/etc\/haproxy\/certs\/ alpn h2,http\/1.1\n  http-response set-header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\n  default_backend app\n\nbackend app\n  server app1 127.0.0.1:8080 check\n\nfrontend http\n  bind :80\n  http-request redirect scheme https code 301 unless { ssl_fc }\n\nsudo haproxy -c -f \/etc\/haproxy\/haproxy.cfg &amp;&amp; sudo systemctl reload haproxy<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"harden-and-verify-your-tls\"><strong>Harden and Verify Your TLS<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"generate-strong-diffie-hellman-parameters-if-needed\"><strong>Generate Strong Diffie\u2013Hellman Parameters (if needed)<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># For servers that still use custom DH params (e.g., older configs)\nsudo openssl dhparam -out \/etc\/ssl\/certs\/dhparam.pem 2048\n\n# Reference in Nginx (example)\n# ssl_dhparam \/etc\/ssl\/certs\/dhparam.pem;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"command-line-testing\"><strong>Command-Line Testing<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Check certificate chain, protocol, and cipher\nopenssl s_client -connect example.com:443 -servername example.com -tls1_2 &lt; \/dev\/null | openssl x509 -noout -dates -issuer -subject\n\n# Verify HTTP to HTTPS redirect\ncurl -I http:\/\/example.com\ncurl -I https:\/\/example.com\n\n# Check negotiated HTTP\/2 and TLS 1.3 support\ncurl -I --http2 https:\/\/example.com\nopenssl s_client -connect example.com:443 -tls1_3 &lt; \/dev\/null | grep -i \"Protocol\\|Cipher\"<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" 
id=\"external-scans-and-recommended-baselines\"><strong>External Scans and Recommended Baselines<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run an external scan with SSL Labs Server Test to verify grade, ciphers, and chain.<\/li>\n\n\n\n<li>Use the Mozilla SSL Configuration guidelines to pick modern or intermediate profiles for Nginx\/Apache.<\/li>\n\n\n\n<li>Monitor expiry to prevent outages; aim for 30-day renewal buffer.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"troubleshooting-common-tls-errors\"><strong>Troubleshooting Common TLS Errors<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Port 80\/443 blocked:<\/strong> Open firewall rules (ufw, firewalld, or security groups).<\/li>\n\n\n\n<li><strong>Certbot \u201cchallenge failed\u201d:<\/strong> Ensure DNS A\/AAAA records point to the correct server and no CDN\/firewall blocks HTTP-01.<\/li>\n\n\n\n<li><strong>\u201cIncomplete chain\u201d or \u201cUnknown issuer\u201d:<\/strong> Use fullchain.pem, not just cert.pem.<\/li>\n\n\n\n<li><strong>\u201cKey mismatch\u201d:<\/strong> Confirm certificate and private key pair match (check modulus with OpenSSL).<\/li>\n\n\n\n<li><strong>\u201cOld protocol\/ciphers\u201d:<\/strong> Update configs to allow only TLS 1.2\/1.3 and modern cipher suites.<\/li>\n\n\n\n<li><strong>OCSP stapling errors:<\/strong> Ensure your server can reach CA OCSP endpoints and has a resolver configured.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Check modulus match (should be identical)\nopenssl x509 -noout -modulus -in \/path\/to\/cert.pem | openssl md5\nopenssl rsa  -noout -modulus -in \/path\/to\/privkey.pem | openssl md5<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"operational-best-practices\"><strong>Operational Best Practices<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"automate-everything\"><strong>Automate 
Everything<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Let\u2019s Encrypt renewals with systemd timers or cron, including post-hooks to reload services.<\/li>\n\n\n\n<li>Configuration management (Ansible, Terraform) to standardize TLS across fleets.<\/li>\n\n\n\n<li>Alerting for certificate expiry via monitoring (Prometheus exporters, Nagios plugins, or SaaS monitors).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"wildcard-certificates-and-dns-challenges\"><strong>Wildcard Certificates and DNS Challenges<\/strong><\/h2>\n\n\n\n<p>For subdomains, use a wildcard (*.example.com). With Let\u2019s Encrypt, this requires DNS-01 validation via your DNS provider\u2019s API.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Example (Cloudflare plugin shown as a pattern; replace for your provider)\nsudo apt install python3-certbot-dns-cloudflare\nsudo certbot -a dns-cloudflare --dns-cloudflare-credentials ~\/.secrets\/cf.ini \\\n  -d example.com -d \"*.example.com\"<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"key-management-and-security\"><strong>Key Management and Security<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restrict key access (chmod 600, root-owned).<\/li>\n\n\n\n<li>Prefer ECDSA certificates on modern stacks for speed; keep RSA fallback if compatibility is required.<\/li>\n\n\n\n<li>Rotate keys and revoke compromised certificates immediately.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"how-youstable-helps\"><strong>How YouStable Helps<\/strong><\/h2>\n\n\n\n<p>At YouStable, our hosting stack ships with free Let\u2019s Encrypt SSL\/TLS, HTTP\/2, and TLS 1.3 enabled by default. We automate renewals, configure secure ciphers, and monitor uptime so your site stays fast, secure, and compliant without manual babysitting. 
Need advanced setups (wildcards, <a href=\"https:\/\/www.youstable.com\/blog\/install-load-balancer-on-linux\/\">load balancers<\/a>, HA)? Our engineers handle it for you.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"faqs\"><strong>FAQs<\/strong><\/h2>\n\n\n<div id=\"rank-math-faq\" class=\"rank-math-block\">\n<div class=\"rank-math-list \">\n<div id=\"faq-question-1765951889987\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \" id=\"1-how-do-i-enable-tls-1-3-on-a-linux-server\">1. <strong>How do I enable TLS 1.3 on a Linux server?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Use a modern web server version that supports TLS 1.3 (Nginx 1.13.0+, Apache 2.4.36+ with OpenSSL 1.1.1+). In Nginx, set \u201cssl_protocols TLSv1.2 TLSv1.3;\u201d. In Apache, set \u201cSSLProtocol -all +TLSv1.2 +TLSv1.3\u201d. Reload the server and verify with \u201copenssl s_client -tls1_3\u201d.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1765951975640\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \" id=\"2-is-tls-the-same-as-ssl-and-which-version-should-i-use\">2. <strong>Is TLS the same as SSL, and which version should I use?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>SSL is the predecessor to TLS. Modern best practice is to disable SSL and older TLS versions. Only allow TLS 1.2 and TLS 1.3. They\u2019re more secure and widely supported by current browsers and APIs.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1765951996035\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \" id=\"3-can-i-use-a-wildcard-certificate-with-lets-encrypt\">3. <strong>Can I use a wildcard certificate with Let\u2019s Encrypt?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Yes. Request \u201c*.example.com\u201d using the DNS-01 challenge with Certbot\u2019s DNS plugins for your provider. 
This secures all subdomains and simplifies multi-subdomain deployments.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1765952015087\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \" class=\"rank-math-question \" id=\"4-how-do-i-redirect-all-http-traffic-to-https\">4. <strong>How do I redirect all HTTP traffic to HTTPS?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>In Nginx, create a port 80 server block that returns a 301 to https:\/\/$host$request_uri. In Apache, use a port 80 VirtualHost with \u201cRewriteEngine On\u201d and a RewriteRule to https. Many Certbot installers can set this automatically during issuance.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1765952031950\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \" class=\"rank-math-question \" id=\"5-which-ports-are-required-for-lets-encrypt-validation\">5. <strong>Which ports are required for Let\u2019s Encrypt validation?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>For HTTP-01, port 80 must be publicly reachable. For TLS-ALPN-01, port 443 is used. 
For DNS-01 (wildcards), no inbound HTTP\/HTTPS is required, but you must create a TXT record via your DNS provider\u2019s API or panel.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>To create TLS on a Linux server, install a trusted certificate (Let\u2019s Encrypt or commercial CA) or generate a self-signed [&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":16692,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[350],"tags":[],"class_list":["post-14226","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase"],"acf":[],"featured_image_src":"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/How-to-Create-TLS-on-Linux-Server-with-OpenSSL.jpg","author_info":{"display_name":"Sanjeet 
Chauhan","author_link":"https:\/\/www.youstable.com\/blog\/author\/sanjeet"},"_links":{"self":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/14226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/comments?post=14226"}],"version-history":[{"count":6,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/14226\/revisions"}],"predecessor-version":[{"id":16694,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/14226\/revisions\/16694"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media\/16692"}],"wp:attachment":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media?parent=14226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/categories?post=14226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/tags?post=14226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}