How to enable TLS 1.3 in Apache service of Ubuntu & Debian Cloud Servers (with Cipher Suites included)

2020-10-19 By Mark 11966 Views linux apache tls security
75 reviews

Transportation Layer Security (TLS) is a cryptographic protocol and it provides the security for the delivery of data over the internet. TLS 1.3 is faster than TLS 1.2 because the handshake for TLS 1.3 is reduced to just one round-trip.

This can easily be enabled in a Linux-based server. This guide outlines the basic steps involved in the Ubuntu & Debian servers (provided Apache service is already installed in the server).


Requirements:

  1. Server running on Ubuntu/Debian.

  2. A valid domain name and properly configured A/AAAA/CNAME DNS records.

  3. A valid TLS certificate. Here using from Let’s encrypt.

  4. Apache version 2.4.36 or greater.

  5. OpenSSL version 1.1.1 or greater.


Before the beginning,


  1. Check the ubuntu version by using the below command.

    # lsb_release -ds
    

    apachetlscipher1

  2. By using the below command ensure that the server is up to date.

    # apt update && sudo apt upgrade
    

    apachetlscipher2

  3. Install the needed packages by using the below command.

    # apt install  zip unzip curl wget git socat
    

    apachetlscipher3


Step A. Install the acme.sh client and obtain a TLS certificate from Let's Encrypt.


acme.sh is used to install, renew and remove SSL certificates and it is written purely in Shell (Unix shell) language, compatible with bash, dash, and sh shells.

  1. Install acme.sh with the below commands.

    # git clone [https://github.com/acmesh-official/acme.sh](https://github.com/acmesh-official/acme.sh)
    
    # cd acme.sh
    
    # ./acme.sh --install –accountemail [email protected]
    
    # cd ~
    
    # source ~/.bashrc
    

    apachetlscipher4

    apachetlscipher5

    NOTE: Replace the mail account with your mail account name.

  2. Check the version of acme.sh.

    # acme.sh --version
    

    apachetlscipher6

  3. Obtain RSA and ECDSA certificates for the domain.

    # RSA
    acme.sh --issue --standalone -d testlayerstack.com.com --keylength 2048
    
    # ECC/ECDSA
    acme.sh --issue --standalone -d testlayerstack.com --keylength ec-256
    

    apachetlscipher7

    apachetlscipher8

  4. Create directories to store your certs and keys in then, install and copy certificates to /etc/letsencrypt.

    # mkdir -p /etc/letsencrypt/testlayerstack.com
    
    # mkdir -p /etc/letsencrypt/testlayerstack.com_ecc
    

    apachetlscipher9


    # acme.sh --install-cert -d testlayerstack.com --cert-file /etc/letsencrypt/testlayerstack.com/cert.pem --key-file /etc/letsencrypt/testlayerstack.com/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com/fullchain.pem
    
    # acme.sh --install-cert -d testlayerstack.com --ecc --cert-file etc/letsencrypt/testlayerstack.com_ecc/cert.pem --key-file /etc/letsencrypt/testlayerstack.com_ecc/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com_ecc/fullchain.pem
    

    apachetlscipher10

    apachetlscipher11

  5. After running the above commands, your certificates and keys will be in the below-mentioned locations:

    RSA: /etc/letsencrypt/testlayerstack.com
    
    ECC/ECDSA: /etc/letsencrypt/testlayerstack.com_ecc
    


Step B. Configure Apache for TLS 1.3


  1. Install the latest version of Apache.

    # apt install apache2
    

    apachetlscipher12

  2. Check the Apache version then, start and enable using the below commands.

    # apache2 -v
    
    # systemctl start apache2.service
    
    # systemctl enable apache2.service
    

    apachetlscipher13

  3. Now enable the SSL module on the server with the below command and restart the Apache to activate.

    # a2enmod ssl
    
    # systemctl restart apache2
    

    apachetlscipher14

    apachetlscipher15

  4. Run the below command and add the following basic configurations in that file.

    # vim /etc/apache2/sites-available/testlayerstack.com.conf
    

    apachetlscipher16


    <ifmodule mod_ssl.c="">
    
    <virtualhost *:443="">
    
    ServerName testlayerstack.com
    SSLEngine on
    SSLEngine on
    
    # RSA
    SSLCertificateFile "/etc/letsencrypt/testlayerstack.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/testlayerstack.com/private.key"
    
    # ECC
    SSLCertificateFile "/etc/letsencrypt/testlayerstack.com_ecc/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/testlayerstack.com_ecc/private.key"
    
    ssl_protocols TLSv1.2 TLSv1.3
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-  CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    
    </virtualhost>
    </ifmodule>
    
  5. Then Save and Exit the file.

    NOTE:** Replace testlayerstack.com in commands with your valid domain name.

  6. Run the below command to link the file to the sites-enabled directory.

    # a2ensite testlayerstack.com.conf
    

    apachetlscipher17

  7. Now reload the Apache to activate the new configuration.

    # systemctl restart apache2
    

    apachetlscipher18

  8. Now you can verify TLS 1.3 by using any browser dev tools or SSL Labs service such as given below.

    https://www.ssllabs.com/ssltest/
    


Related Tutorials

What do you think about this article?

Rate this article
LayerStack Promotion
Need assistance?

Try this guide to receive free bundled services at signup on a new free account.

Sign Up

Your Feedback Is Important

We hope you’ll give the new products and updates a try. If you have an idea for improving our products or want to vote on other user ideas so they get prioritized, please submit your feedback on our Community platform. And if you have any questions, please feel free to ask in the Community or contact our Technical Support team.