This has been an issue for me for quite some time. I have been trying to get SSL working and get valid certificates so that I could secure a few things and offer better security. Additionally, these days, having secure http is an added benefit. Most web-based server functions prefer the use of https over http for the extra security as well.
Here is how I got SSL and the proper encryption installed on Arch Linux with Apache.
First, install what you need (assuming that you already have a LAMP stack).
yaourt -S certbot certbot-apache acme-tiny letsencrypt-cli openssl
Next, you need to obtain the certificates. Also, I port forwarded 80 and 443 through the router to the server. This would be a good time to make sure that port forward is good or else this won't work properly.
certbot certonly --email email@example.com --webroot -w /srv/http/site1/ -d www.inject.run,inject.run
If you have received the congratulations message, then you should have certificates in the designated folder. (Mine were located in /etc/letsencrypt/live/inject.run/fullchain.pem.)
Now we have to activate/use the certificates through Apache.
Edit /etc/httpd/conf/httpd.conf and uncomment the following (I use nano and ctrl+w to search):
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf
Also, while you're in httpd.conf, search for Listen 80 and add Listen 443 right below that line.
Now, this might seem like a duplication of effort, but it was the only way I got this to work:
In /etc/httpd/conf/extra/httpd-ssl.conf, find the Virtual Host Context section, and add your VirtualHost server information as follows:
DocumentRoot "/srv/http/inject.run"
ServerName inject.run:443
ServerAdmin YOUR.EMAIL@ADDRESS.COM
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/inject.run/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/inject.run/privkey.pem"
#SSLCertificateChainFile "/etc/letsencrypt/live/inject.run/chain.pem"
#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"
Note, the only two files you have to reference from your certificates are fullchain and privkey.
The last thing to do before you restart all of your services is to add a separate VirtualHost in your httpd-vhosts.conf file. Edit /etc/httpd/conf/extra/httpd-vhosts.conf and add a second VirtualHost for the same website but with :443 instead of :80. You also need to add your certificate information to it. See the example below:
ServerName www.inject.run
# OTHER OPTIONS FOR VHOST HERE IF NEEDED
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/inject.run/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/inject.run/privkey.pem"
Notice I added the SSL stuff in the second VirtualHost entry.
Now, if you choose, you can remove everything from the non-encrypted VirtualHost and add the following line below the ServerName to redirect all traffic to secure connections.
Redirect / https://www.inject.run/
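Before restarting, it is worth checking the vhost files for the mistakes this setup invites: a :443 VirtualHost without SSLEngine on or without both certificate lines, or a :80 VirtualHost that still serves content instead of redirecting. The following is an added example, not part of the original write-up; the <VirtualHost *:port> wrappers in the constructed sample, the function names, and treating the redirect as required are assumptions.

```python
import re

# Constructed sample: the <VirtualHost *:port> wrappers and the commented-out
# certificate line (the defect to be found) are assumptions for this example.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName www.inject.run
    Redirect / https://www.inject.run/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.inject.run
    SSLEngine on
    #SSLCertificateFile "/etc/letsencrypt/live/inject.run/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/inject.run/privkey.pem"
</VirtualHost>
"""

BLOCK = re.compile(r"<VirtualHost\s+[^>]*?:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def directives(body):
    # Map lower-cased directive name -> list of argument strings; skip comments.
    found = {}
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def check_vhosts(conf_text):
    # Return (server_name, port, problem) tuples; an empty list means no findings.
    problems = []
    for port, body in BLOCK.findall(conf_text):
        d = directives(body)
        name = d.get("servername", ["<unnamed>"])[0]
        if port == "443":
            if not any(v.strip().lower() == "on" for v in d.get("sslengine", [])):
                problems.append((name, port, "SSLEngine is not on"))
            for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
                if key.lower() not in d:
                    problems.append((name, port, "missing " + key))
        elif port == "80":
            targets = [a.split()[-1] for a in d.get("redirect", []) if a.split()]
            if not any(t.startswith("https://") for t in targets):
                problems.append((name, port, "no Redirect to https"))
    return problems

if __name__ == "__main__":
    for finding in check_vhosts(SAMPLE_CONF):
        print("%s:%s: %s" % finding)
```

To use it on the real files, pass the contents of httpd-vhosts.conf or httpd-ssl.conf to check_vhosts(); it only reads the text and does not replace apachectl configtest for syntax errors.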
Hopefully, this helps get your SSL encryption working.