===== Apache and Let's Encrypt with strong SSL ciphers =====

==== Let's Encrypt ====

> [[https://en.wikipedia.org/wiki/Let%27s_Encrypt|Let's Encrypt]] is a certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.

=== SSL certificate renewal ===

Let's Encrypt certificates expire every three months, and certbot automatically renews them. After renewing the certificates, you have to reload Apache. This can be automated with a script you put in ''/etc/letsencrypt/renewal-hooks/post/'':

<code bash /etc/letsencrypt/renewal-hooks/post/apache2.sh>
#!/bin/sh
systemctl reload apache2.service
</code>

Make it executable:

<code bash>
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/apache2.sh
</code>

----
\\

==== Apache ====
\\

=== SSL cipher suite ===

Create a global configuration file:

<file apache /etc/apache2/conf-available/ssl-ciphers.conf>
SSLProtocol TLSv1.3
</file>

Enable it:

<code bash>
sudo a2enconf ssl-ciphers
</code>
\\

=== HTTP headers ===

Create a global configuration file:

<file apache /etc/apache2/conf-available/headers.conf>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
</file>

Enable it:

<code bash>
sudo a2enmod headers
sudo a2enconf headers
</code>

----
\\

==== Restart Apache ====

<code bash>
sudo systemctl restart apache2.service
</code>

----