To preface this tutorial, much of what I am discussing involves the creation and automatic renewal of certificates. The forum software does not need any additional configuration to be served over HTTPS and has a configuration setting to force it. In my experience I have found Certbot to make the process of obtaining and deploying certificates a much easier process for novice users. Regardless, the client or CA decided upon should not make a difference as long as you properly configure your web server to use SSL. It’s just that Certbot’s Apache plugin will apply the certificate for you.

Installing Certbot and the web server plugin

The following instructions are in line with the starter’s guide that also exists on this wiki. The EFF has a website with instructions on how to install Certbot on other distributions.

sudo apt update
sudo apt install certbot python3-certbot-apache

There is also a plugin for the NGINX web server:

sudo apt install python3-certbot-nginx

Obtaining a certificate

Now that you have installed a client for the Let’s Encrypt CA you can “obtain” a certificate. You’ll want to a) ensure that you can connect to your forum with the domain you’re using (forum.example.com) and b) use the Apache plugin so that you don’t have to disrupt access to your forum.

certbot certonly --apache -d forum.example.com

If you are using the NGINX web server, you should obviously use the NGINX plugin instead.

certbot certonly --nginx -d forum.example.com

Automated renewal

Most Certbot installations now come with automatic renewal preconfigured. You’ll probably want to check and see if this is the case by looking for the command below in your system’s crontab (typically /etc/crontab or /etc/cron.*/* or systemd timers: systemctl list-timers).

certbot renew

If it’s not there, you can set up automated renewal by following the steps here under “setting up automated renewal.” I would care to lay them out however I’d rather link to the docs than risk giving away instructions that may be outdated in two years.

Web server configuration

The majority of web servers (with the exception being Caddy, a web server that is built with ‘automatic’ HTTPS) requrire for their configurations to be modified in order to make use of the SSL certificate you generated.

Apache with SSL

The configuration below should either replace a file called forum.conf that was previously created for your forum or be pasted in a new file located in /etc/apache2/sites-available or your server’s equivalent thereof replacing <domain> with your domain name or IP address.

If your forum has been installed in another directory than the example provided in this tutorial, you will need to modify parts of this configuration that reference /var/www/forum.

<VirtualHost *:80>
	ServerName <domain>

	<IfModule mod_ssl.c>
		RewriteEngine On
		RewriteCond %{HTTPS} !=on
		RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] 
	</IfModule>

	<IfModule mod_rewrite.c>
		RewriteEngine On
		RewriteCond %{REQUEST_FILENAME} !-f
		RewriteRule ^(.*)$ index.php/$1 [QSA,L]
	</IfModule>
</VirtualHost>

<VirtualHost *:443>
	ServerName <domain>
	DocumentRoot "/var/www/forum"

	<IfModule mod_php.c>
		php_admin_value open_basedir /var/www/eso
		php_admin_value upload_tmp_dir /var/www/eso/sessions
		php_admin_value session.save_path /var/www/eso/sessions
	</IfModule>

	<Directory "/var/www/eso">
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Require all granted
	</Directory>

	SSLEngine on
	SSLCertificateFile /etc/letsencrypt/live/<domain>/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/<domain>/privkey.pem
</VirtualHost>

Once you’ve created the file above, you may run the commands below in order to enable the configuration.

a2enmod rewrite ssl
a2ensite forum.conf
systemctl restart apache2

NGINX with SSL

Configuring an HTTPS server through the NGINX web server is more complicated than it is with Apache. Because of this, if you are using NGINX and intend to use SSL, you should read the official guide which goes into detail about how protocols and ciphers are treated by the web server.

Here is a barebones NGINX configuration which mirrors the one that is used in the install guide and includes SSL.

server {
		listen 80;
		listen [::]:80;
		server_name <domain>;
		return 301 https://$host$request_uri;
}

server {
		listen 443 ssl http2;
		listen [::]:443 ssl http2;
		server_name <domain>;

		ssl_certificate      /etc/letsencrypt/live/<domain>/fullchain.pem;
		ssl_certificate_key  /etc/letsencrypt/live/<domain>/privkey.pem;

		root /var/www/eso;
		index index.php;

		location / {
				try_files $uri $uri/ /index.php?$query_string;
		}

		location ~ \.php$ {
				include snippets/fastcgi-php.conf;
				fastcgi_pass unix:/run/php/php8.0-fpm.sock;
				fastcgi_param PHP_VALUE "open_basedir=/var/www/forum";
				fastcgi_param PHP_VALUE "upload_tmp_dir=/var/www/forum/sessions";
				fastcgi_param PHP_VALUE "session.save_path=/var/www/forum/sessions";
		}
}

Forcing HTTPS

The HTTPS protocol can be forced by setting $config["https"] to true, preventing insecure connections from being made to your forum. To make this change, add the following to config/config.php…

"https" => true, // Force HTTPS

You should now be able to visit your forum over the HTTPS protocol without issue. If your browser returns with an “insecure connection” or similar error when trying to browse your forum, particularly if you’ve never been able to access it over HTTPS, you should try restarting Apache. If you encounter that same error in about six months to one year after setting up your certificate, it’s probably expired and needs to be renewed. Trying to manually run certbot renew may give an error because your web server is running, so it needs to be stopped until the certificate has been renewed and then you can start it again.