Recommended Apache config

Is there a standard/recommended Apache config for using SSL.

My current one is based on various web sources, but things have probably moved on since I last looked in to it.


SSLCertificateFile      /etc/letsencrypt/live/[dir]/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/[dir]/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/[dir]/chain.pem
#SSL stapling
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLHonorCipherOrder     on
SSLCompression          off
SSLOptions +StrictRequire

Yes, there is.

[I was wrong - see _az’s reply below]
Thanks _az.
It seemed such an obvious question that there had to be an ‘official’ answer.
I tested the “mozilla” “modern” config with the ssllabs online test :
=> the mozilla config leaves out the chain file
=> the ssllabs test wants it (without it, got a B, with it, an A+)
Might be worth recommending the “mozilla config” it in the Letsencrypt documentation.

If you pass fullchain.pem to SSLCertificateFile in Apache 2.4.8 or newer, it will automatically deal with chaining the intermediate for you.

If you enter your Apache version into the Server Version field on the config generator, it will automatically adjust the configuration for you, to reflect the above.

Same thing with OpenSSL version and the ciphersuite selection.

1 Like

Thanks again _az

This gets A+

This is an excerpt from the recommended config. Do I need the SSLCACertificateFile?

 SSLCertificateFile                  /etc/letsencrypt/live/[dir]/fullchain.pem
 SSLCertificateKeyFile            /etc/letsencrypt/live/[dir]/privkey.pem

 # Uncomment the following directive when using client certificate authentication
 # SSLCACertificateFile          /path/to/ca_certs_for_client_authentication

No you don’t, it’s for client certificates which is used for mutual authentication (if you needed it, you’d know it).

Thanks again!

_az’s solution is:

Use the config from with:

  SSLCertificateFile          /etc/letsencrypt/live/[dir]/fullchain.pem
  SSLCertificateKeyFile       /etc/letsencrypt/live/[dir]/privkey.pem

And don’t worry about the SSLCACertificateFile directive

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.