Enable SSL on WSL2 Apache Windows 10

When first time I approached this particular situation of enabling SSL on a WSL2 (Windows Subsystem for Linux) installation inside my Windows 10, I thought it will be a in and out job. But to my surprise it took me almost an hour and more than three different articles found on Internet (which are pretty much outdated) to make it working. So that’s the moment I decided to write this one.

Before we begin I am assuming that you already have WSL2, Apache/Ngnix configured.

What we want?

http://localhost currently served from WSL2 instance, instead of Windows. We are going to enable SSL on this domain, which will become https://localhost

In theory SSL certificates has to be generated on the target server and served from it. So in our case, it should be generated on the WSL instance rather than Windows instance. But, this is the first miss conception of SSL on WSL.

oh no!

We’re actually going to generate certificates on Windows OS and we just link it to the WSL Apache/Ngnix configuration.

We’re going to use the popular tool mkcert to generate our certificates.

So on WSL2 as root type:

$ wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.2/mkcert-v1.4.2-linux-amd64
$ mv mkcert-v1.4.2-linux-amd64 mkcert
$ chmod +x mkcert
$ cp mkcert /usr/local/bin/

Ok, now we have mkcert installed on WSL2. Lets do the same on Windows.

First install Chocolatey on Windows if you haven’t have it already. Chocolatey is a package manger for Windows and you can get it from here: https://chocolatey.org/install

Once you have Chocolatey, fire up the power-shell with administrative privileges and execute below commands:

~ choco install mkcert
~ mkcert -install
~ setx CAROOT “$(mkcert -CAROOT)”; If ($Env:WSLENV -notlike “*CAROOT*”) { setx WSLENV “CAROOT/up:$Env:WSLENV” }

With the last command, we will set the CAROOT environment variable on the WSL2 side to point to the Windows CAROOT, so our Windows browser can trust sites running in WSL2.

Back on WSL2, you can verify the constant by typing:

mkcert -CAROOT

You will see a result something like this:

/mnt/c/Users/Jithesh/AppData/Local/mkcert

Now, back on windows power-shell type:

mkcert localhost 127.0.0.1 ::1 0.0.0.0

So, now the certificates will be in the CAROOT directory.

Now all left to do is update your apache or ngnix configuration, since I am on apache I am adding my steps:

vim /etc/apache2/sites-available/default-ssl.conf

On the config file,

SSLCertificateFile      /mnt/c/Users/Jithesh/AppData/Local/mkcert/localhost+3.pem
SSLCertificateKeyFile   /mnt/c/Users/Jithesh/AppData/Local/mkcert/localhost+3-key.pem

Enable SSL if you’ve not:

a2enmod ssl
a2ensite default-ssl.conf

and, restart apache:

service apache2 reload
service apache2 restart

That’s it. Now you have a working SSL on your localhost with WSL2.

Happy coding!