Add HTTPS (SSL) to Your Drupal 7 Site on Linux/Apache

27 Kudos

1. Getting your SSL

Purchase a new SSL from a registrar, I use NameCheap, you can get a simple PositiveSSL from Comodo for $9.00/year.
After your purchase is complete, you will need to generate a key and csr from your server.

# sudo mkdir /etc/apache2/ssl
# sudo openssl req -nodes -newkey rsa:2048 -keyout websiteurl_com.key -out websiteurl_com.csr

The key file is used later, and the csr file is used to generate your SSL certificate. Finish the process and wait for your certificate to arrive in a zip file to your email address. Place all those files in your /etc/apache2/ssl directory.

2. Enabling SSL on Apache for Drupal

First we need to make sure SSL is enabled on Apache.

# sudo a2enmod ssl

Now we need to edit your vhost file for your Drupal site. Here is a very simple vhost file for a Drupal 7 site, yours may be different:

<VirtualHost *:80>

  ServerAdmin [email protected]

  DocumentRoot /var/www/domain

<VirtualHost *:443>
  ServerAdmin [email protected]

  DocumentRoot /var/www/domain

  SSLEngine on

  SSLCertificateFile /etc/apache2/ssl/domain_com.crt
  SSLCertificateKeyFile /etc/apache2/ssl/domain_com.key
  SSLCACertificateFile /etc/apache2/ssl/domain_bundle.crt


Here you are basically adding turning on SSL for all http requests going to port 443, the default SSL/TLS port. One thing that may not have been provided to you in your SSL zip file is a bundle file, it’s basically three crt files all concatenated together. Each SSL is different so you are going to have to figure this one out on your own.

# sudo service apache2 restart

Your site should now be working over https

3. EXTRAS: Redirecting not SSL traffic to SSL or http traffic to https

1. SecurePages is a great way to help manage your SSL redirects within Drupal. To enable secure pages, download the latest stable version of the module and place it in your modules folder. Add $conf[‘HTTPS’] = TRUE; to your settings.php file. Enable the module, go to the configuration screen and select which pages you want it to redirect to HTTPS.

2. Apache redirects is another option, very similar to securepages, but it’s don’t on the Apache level. You can redirect all traffic to https by adding this to your vhost file

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


If your SSL isn’t working here are a couple common issues.

1. If you are using CloudFlare Free, you’ll have to disable CloudFlare as they only allow non-https traffic on the free plan

2. Your apache server needs to listen on port 443. This should be set up by default in the ports.conf, however if not add in Listen 443 to the configuration.

3. Your server is blocking port 443. If you have any sort of firewall or IP Tables setup, make sure port 443 is open.

4. Your chain or bundle files where generated incorrectly.

Also read...