Install SSL certificate on Apache on a Windows Server

tech53
Hi All,

I have a Moodle on-prem installation using Apache 2.4 on a Windows 2016 server. The system works well; however, I want to secure it with SSL now, as external people will be accessing the site.

I used an online CSR generator and purchased a cert from GoDaddy.  I followed instructions from here https://www.digicert.com/csr-ssl-installation/apache-openssl.htm but it doesn't work.

I've seen so many articles but they mostly refer to Linux servers.

Anyone care to assist?

Thanks
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Here's the template I use for sites, to force all HTTP -> HTTPS.

<VirtualHost *:80>
   ServerName  www.WEBSITE
   ServerAdmin support@WEBSITE
   RewriteEngine on
   RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
   RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [NC,L,R=302]
   Include logging.conf
</VirtualHost>

<VirtualHost *:80>
   ServerName  WEBSITE
   ServerAdmin support@WEBSITE
   RewriteEngine on
   RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [NC,L,R=302]
   Include logging.conf
</VirtualHost>

<IfModule mod_ssl.c>

   <VirtualHost *:443>

      ServerName  www.WEBSITE
      ServerAdmin support@WEBSITE

      RewriteEngine on
      RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
      RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [L,R=302]

      Include logging.conf

      SSLEngine on
      SSLUseStapling on

      SSLCertificateFile    /etc/letsencrypt/live/WEBSITE/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/WEBSITE/privkey.pem

      # Enable HTTP Strict Transport Security with a 2 year duration
      Header always set Strict-Transport-Security "max-age=63072000; preload"

   </VirtualHost>

   <VirtualHost *:443>

      ServerName  WEBSITE
      ServerAdmin support@WEBSITE

      DocumentRoot /sites/OWNER/WEBSITE/TYPE

      <Directory /sites/OWNER/WEBSITE/TYPE>
          Options +Indexes +FollowSymLinks
          AllowOverride All 
          Require all granted
      </Directory>

      Include logging.conf

      SSLEngine on
      SSLUseStapling on

      SSLCertificateFile    /etc/letsencrypt/live/WEBSITE/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/WEBSITE/privkey.pem

      # Enable HTTP Strict Transport Security with a 2 year duration
      Header always set Strict-Transport-Security "max-age=63072000; preload"

   </VirtualHost>

</IfModule>



Be sure to run your site through https://www.ssllabs.com/ssltest/ to ensure you have...

1) An overall A+ score for your setup.

2) OCSP Stapling is working/correct.

3) HSTS is working/correct.

4) Also ensure Brotli compression is working/correct.

5) Also ensure HTTP/2 is working/correct.
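
Added example (not part of the original answer): an offline check of a Strict-Transport-Security value, covering the "HSTS is working/correct" item above. It parses the header as RFC 6797 describes and flags values the browser preload list would reject; the function names and the one-year minimum constant are this example's own, and the sample values are constructed.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year, the preload list's stated minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
    Returns a dict of lower-cased directive -> value (None for flags).
    Raises ValueError on a header a browser would discard."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, sep, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"directive repeated: {name}")
        directives[name] = val
    if "max-age" not in directives:
        raise ValueError("max-age is required")
    if not re.fullmatch(r"[0-9]+", directives["max-age"] or ""):
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives

def hsts_findings(value):
    """Return a list of problems with the header value (empty list = ok)."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    findings = []
    if d["max-age"] == 0:
        findings.append("max-age=0 removes the HSTS policy")
    if "preload" in d:
        if "includesubdomains" not in d:
            findings.append("preload set without includeSubDomains")
        if d["max-age"] < PRELOAD_MIN_AGE:
            findings.append("preload set with max-age below one year")
    return findings

if __name__ == "__main__":
    # Constructed samples; the first is the value used in the template above.
    for sample in ("max-age=63072000; preload",
                   "max-age=63072000; includeSubDomains; preload"):
        print(sample, "->", hsts_findings(sample) or "ok")
```

Paste the value your server actually returns (for example from the response headers shown by the SSL Labs report) into `hsts_findings` to check it.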
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Aside: If you'd like free + setup once, then forget forever certs, use https://LetsEncrypt.org along with a nightly job to renew all your certs, then reload Apache when any cert renews, so on Linux this runs using the following CRON entry...

0 1 * * * (echo '#####' && date && certbot-auto renew --non-interactive --post-hook "service apache2 reload; service dovecot reload") >> /var/log/ssl-renewals.log 2>&1



Be sure to add in any other services to --post-hook which require reloading to pull in any renewed certs.
Commented:
I simply copied the certs into the certificates folder.
