Version Overview

Apache 2.2.x
Deprecated
The Apache 2.2 series is an older version that is still in use but no longer maintained. Upgrading to Apache 2.4 or higher is recommended.
⚠️ Note: Maintenance of Apache 2.2 stopped in 2017 and the series has security risks; upgrading is strongly recommended.
Apache 2.4.x
Current Mainstream
Apache 2.4 is the most widely used version, providing better performance, security, and configuration flexibility. Supports HTTP/2 and more modern SSL/TLS configuration.
✅ Recommended: This is the most stable and recommended version, supporting all modern SSL/TLS features.
Apache 2.5.x
Future Version
Apache 2.5 is a version under development that will include more new features and performance improvements. Currently in development stage, not recommended for production use.

SSL Module Loading

All Apache versions need to load the SSL module to use HTTPS. The module loading method differs slightly between versions:

Apache 2.2.x

LoadModule ssl_module modules/mod_ssl.so

Apache 2.4.x / 2.5.x

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
💡 Tip: Apache 2.4+ requires the additional mod_socache_shmcb module to support SSL session caching, which can significantly improve performance.

Certificate Configuration Differences

This is the most important configuration difference between different Apache versions:

Apache 2.2.x Configuration Method

<VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile /path/to/your_domain.crt
    SSLCertificateKeyFile /path/to/your_domain.key
    SSLCertificateChainFile /path/to/intermediate_ca.crt
</VirtualHost>

Apache 2.4.x Configuration Method (Recommended)

<VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile /path/to/fullchain.crt
    SSLCertificateKeyFile /path/to/your_domain.key
    # SSLCertificateChainFile: deprecated, but still available
</VirtualHost>
⚠️ Important Changes:
  • Starting from Apache 2.4.8, the SSLCertificateChainFile directive has been deprecated
  • Now you should merge the certificate and intermediate certificate chain into one file (fullchain.crt)
  • Merge command: cat your_domain.crt intermediate_ca.crt > fullchain.crt
  • If you continue to use SSLCertificateChainFile, Apache will display warning messages
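The merge command above silently produces a broken bundle when your_domain.crt has no trailing newline, because the END and BEGIN markers end up on one line. The following check is an added example, not part of the original guide; it inspects the PEM structure only (no X.509 validation), and the function name and sample blocks are constructed for illustration.

```python
import base64
import re

# One well-formed PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----[ \t]*$",
    re.S | re.M)

def check_fullchain(text):
    """Return a list of problems found in a merged PEM bundle (empty = OK)."""
    problems = []
    # cat on a file without a final newline fuses END and BEGIN on one line.
    if re.search(r"-----END [A-Z0-9 ]+-{10}BEGIN", text):
        problems.append("fused END/BEGIN boundary (input lacked trailing newline)")
    labels = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        labels.append(label)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {len(labels)} ({label}): body is not valid base64")
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("private key found in bundle; keep it in the separate 600 key file")
    certs = labels.count("CERTIFICATE")
    if certs < 2:
        problems.append(f"only {certs} parsable certificate(s); expected leaf + intermediate")
    return problems

def pem(label, payload):
    """Build a constructed PEM block (payload is placeholder bytes, not real DER)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample bundles (placeholders, not real certificates or keys).
LEAF = pem("CERTIFICATE", b"constructed leaf placeholder")
INTERMEDIATE = pem("CERTIFICATE", b"constructed intermediate placeholder")
KEY = pem("PRIVATE KEY", b"constructed key placeholder")
GOOD = LEAF + INTERMEDIATE
FUSED = LEAF.rstrip("\n") + INTERMEDIATE  # what cat yields without a final newline
WITH_KEY = LEAF + INTERMEDIATE + KEY

if __name__ == "__main__":
    for name, bundle in [("good", GOOD), ("fused", FUSED), ("with_key", WITH_KEY)]:
        print(name, check_fullchain(bundle) or "OK")
```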

Apache 2.4.8+ Compatible Configuration (Backward Compatible)

<VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile /path/to/your_domain.crt
    SSLCertificateKeyFile /path/to/your_domain.key
    # Deprecated, but still available
    SSLCertificateChainFile /path/to/intermediate_ca.crt
</VirtualHost>
📝 Note: Although SSLCertificateChainFile can still be used in 2.4.8+, it is recommended to migrate to the new configuration method, as future versions may completely remove this directive.

Protocols and Cipher Suites

| Configuration Item | Apache 2.2.x | Apache 2.4.x | Apache 2.5.x |
|---|---|---|---|
| SSLProtocol | SSLProtocol all -SSLv2 -SSLv3 | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 |
| Recommended Protocol | TLSv1.2 | TLSv1.2, TLSv1.3 | TLSv1.2, TLSv1.3 |
| SSLCipherSuite | SSLCipherSuite HIGH:!aNULL:!MD5 | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 |
| HTTP/2 Support | ❌ Not Supported | ✅ Supported (requires mod_http2) | ✅ Supported |
| OCSP Stapling | ❌ Not Supported | ✅ Supported | ✅ Supported |

Apache 2.2.x Complete Configuration Example

<VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile /path/to/your_domain.crt
    SSLCertificateKeyFile /path/to/your_domain.key
    SSLCertificateChainFile /path/to/intermediate_ca.crt
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
</VirtualHost>

Apache 2.4.x Complete Configuration Example (Recommended)

# SSL session cache and OCSP stapling cache
# (these two directives are valid only in the global server config, not inside <VirtualHost>)
SSLSessionCache "shmcb:logs/ssl_scache(512000)"
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
<VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile /path/to/fullchain.crt
    SSLCertificateKeyFile /path/to/your_domain.key
    # Modern TLS Protocol Configuration
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on
    # HTTP/2 Support (requires mod_http2)
    Protocols h2 http/1.1
    # OCSP Stapling (improves performance)
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    # SSL Session Cache timeout
    SSLSessionCacheTimeout 300
</VirtualHost>

Virtual Host Configuration

HTTP to HTTPS Redirect

Apache 2.2.x

<VirtualHost *:80>
    ServerName yourdomain.com
    Redirect permanent / https://yourdomain.com/
</VirtualHost>

Apache 2.4.x (Recommended Method)

<VirtualHost *:80>
    ServerName yourdomain.com
    Redirect permanent / https://yourdomain.com/
</VirtualHost>
# Or use mod_rewrite (more flexible)
<VirtualHost *:80>
    ServerName yourdomain.com
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
💡 Tip: Apache 2.4 supports more flexible URL rewrite rules that can handle more complex redirect scenarios.

Best Practices

1. Certificate File Organization

  • Store certificate files in a secure directory, such as /etc/httpd/ssl/ or /etc/apache2/ssl/
  • Set correct file permissions: certificate files 644, private key files 600
  • Use full certificate chain (fullchain.crt) instead of separate files

2. Security Configuration

# Disable insecure protocols
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Use strong cipher suites
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
# Enable HSTS (HTTP Strict Transport Security)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable security headers
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"

3. Performance Optimization

  • Enable SSL session cache to reduce handshake overhead
  • Enable OCSP Stapling to improve certificate verification speed
  • Use HTTP/2 protocol to improve transmission efficiency
  • Configure appropriate SSL session timeout

Troubleshooting

1. Check Apache Version

# Linux
httpd -v
# Or
apache2 -v
# Check loaded modules
httpd -M | grep ssl

2. Test Configuration Syntax

# Test configuration file syntax
httpd -t
# Or
apache2ctl configtest
# If the configuration is correct, "Syntax OK" is displayed

3. Common Errors and Solutions

Error: SSLCertificateChainFile: file '/path/to/chain.crt' does not exist or is empty
Solution: Check whether the certificate chain file path is correct, or use the fullchain.crt method
Error: SSL library error: error:140A90A1:SSL routines:SSL_CTX_new:unable to find ssl method
Solution: Ensure the mod_ssl module is properly loaded, and check whether the OpenSSL version is compatible
Error: AH00558: httpd: Could not reliably determine the server's fully qualified domain name
Solution: Add a ServerName directive to the configuration file

4. Verify SSL Configuration

# Use online tools to verify
https://www.ssllabs.com/ssltest/
https://myssl.com/
# Use command line tools
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

Version Migration Guide

Upgrade from Apache 2.2 to 2.4

  1. Back up the existing configuration: cp -r /etc/httpd /etc/httpd.backup
  2. Upgrade Apache: use the package manager to upgrade to version 2.4
  3. Merge the certificate chain: cat your_domain.crt intermediate_ca.crt > fullchain.crt
  4. Update the configuration: remove SSLCertificateChainFile and use the merged fullchain.crt
  5. Test the configuration: httpd -t (checks syntax)
  6. Restart the service: systemctl restart httpd
  7. Verify functionality: visit the website to confirm that HTTPS works properly
📝 Notes:
  • Apache 2.4 configuration file syntax is basically compatible with 2.2, but it is recommended to use the new configuration method
  • Some third-party modules may need to be recompiled or updated
  • It is recommended to verify the configuration in a test environment before applying to production
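Before step 5 of the migration, a configuration carried over from 2.2 can be scanned for the items this guide calls out. The auditor below is an added example, not part of the original guide or of Apache; the function names and the sample virtual host are constructed, and bare SSLProtocol names are treated like "+name" as a conservative assumption.

```python
# Protocols disabled in the guide's Apache 2.4 example.
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")
# mod_ssl directives whose documented context is "server config" only.
GLOBAL_ONLY = {"sslsessioncache", "sslstaplingcache"}

def legacy_protocols(args):
    """Legacy protocols an SSLProtocol argument list leaves enabled.
    Assumption: a bare name is treated like '+name' (conservative)."""
    enabled = set()
    for arg in args:
        name = arg.lstrip("+-").lower()
        hit = set(LEGACY) if name == "all" else {p for p in LEGACY if p.lower() == name}
        enabled = enabled - hit if arg.startswith("-") else enabled | hit
    return sorted(enabled)

def audit(conf):
    """Return (line_number, message) findings for Apache config text."""
    findings, in_vhost = [], False
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith(("<virtualhost", "</virtualhost")):
            in_vhost = not line.startswith("</")
        name, *args = line.split()
        name = name.lower()
        if name == "sslcertificatechainfile":
            findings.append((no, "SSLCertificateChainFile is deprecated since 2.4.8; use fullchain.crt"))
        elif name == "sslprotocol" and legacy_protocols(args):
            findings.append((no, "legacy protocols enabled: " + ", ".join(legacy_protocols(args))))
        elif name in GLOBAL_ONLY and in_vhost:
            findings.append((no, name + " inside <VirtualHost>; move it to the global config"))
    return findings

# Constructed sample: a 2.2-style virtual host carried over unchanged.
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/your_domain.crt
    SSLCertificateKeyFile /path/to/your_domain.key
    SSLCertificateChainFile /path/to/intermediate_ca.crt
    SSLProtocol all -SSLv2 -SSLv3
    SSLSessionCache "shmcb:logs/ssl_scache(512000)"
</VirtualHost>
"""

if __name__ == "__main__":
    for no, msg in audit(SAMPLE):
        print(f"line {no}: {msg}")
```

The auditor reads one file as text and does not follow Include directives, so run it over each included file as well.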