# How to Fix Weak SSL/TLS Configuration in Laravel

> Your SSL/TLS certificate is expired, misconfigured, or using weak protocols. Learn how to fix SSL issues for your Laravel app.

**Severity:** high | **Category:** Infrastructure Security

---

## The Issue

Weak SSL/TLS configuration means your application may be using expired certificates, outdated protocols (TLS 1.0/1.1), or weak cipher suites that can be broken by attackers. This exposes all data transmitted between your users and your application to interception, including login credentials, personal data, and session tokens. Browsers will show security warnings that drive users away.

## Steps to Fix

### 1. Install or renew your SSL certificate

Use Let's Encrypt for free, auto-renewing certificates. Install Certbot (the package names below are for Debian/Ubuntu):

```bash
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
```

Certbot will automatically configure Nginx and set up auto-renewal. Verify renewal works:

```bash
sudo certbot renew --dry-run
```

### 2. Disable outdated TLS protocols

In Nginx, only allow TLS 1.2 and 1.3:

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
```

In Apache:

```apache
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
```

### 3. Force HTTPS in Laravel

Ensure Laravel generates HTTPS URLs and redirects HTTP traffic. In app/Providers/AppServiceProvider.php:

```php
public function boot(): void
{
    // Make route(), url() and asset() generate https:// links in production.
    if (config('app.env') === 'production') {
        \Illuminate\Support\Facades\URL::forceScheme('https');
    }
}
```

Add the HSTS header in your security headers middleware:

```php
$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
```

### 4. Redirect all HTTP traffic to HTTPS

In Nginx, add a server block that redirects HTTP:

```nginx
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    # $host preserves the name the client requested; $server_name would always
    # resolve to the first entry in the list and send www traffic to the bare domain.
    return 301 https://$host$request_uri;
}
```

In Apache .htaccess:

```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

## Verification

Test your SSL configuration using SSL Labs:

https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com

Aim for an A or A+ grade. Also verify from the command line:

```bash
openssl s_client -connect yourdomain.com:443 -tls1_1
```

This should fail during the TLS handshake (typically `alert protocol version` or `handshake failure`, not a refused TCP connection), confirming TLS 1.1 is disabled. One caveat: OpenSSL 3 at its default security level will not offer TLS 1.0/1.1 itself and reports `no protocols available` before anything reaches the server, so a failure from such a client proves nothing about the server. Run the check from a client whose OpenSSL can still speak TLS 1.1, or rely on the SSL Labs report.

## Prevention

Use auto-renewing certificates from Let's Encrypt with Certbot. Set up monitoring for certificate expiration at least 14 days before expiry. Use StackShield to continuously monitor your SSL certificate status, expiration date, and protocol configuration.
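The verification and prevention steps above can be scripted. The following is an added example using only Python's standard library (it is not part of the original page): it pins a handshake to TLS 1.0 and TLS 1.1 to confirm the server refuses them, distinguishes a genuine refusal from a local OpenSSL that cannot offer those versions at all, and flags certificates inside the 14-day renewal window. The host name, port and threshold are parameters you supply.

```python
import socket
import ssl
import time

# Versions that should be refused; each is pinned as both minimum and maximum.
LEGACY = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}

def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to `version`, False if it
    refuses, None if the local OpenSSL build cannot even offer that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the protocol decision matters here
    try:
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ValueError:  # version compiled out of the local OpenSSL
        return None
    except ssl.SSLError as exc:
        # OpenSSL 3 at its default security level will not send TLS 1.0/1.1;
        # that is a client-side limit, not evidence about the server.
        return None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False

def days_until_expiry(cert, now=None):
    """Days left on a getpeercert() dict; 'notAfter' looks like 'Mar 10 12:00:00 2026 GMT'."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((not_after - now) // 86400)

def audit(host, port=443, renew_within_days=14):
    """Return a list of findings; an empty list means the host passed."""
    findings = []
    for name, version in LEGACY.items():
        accepted = probe_version(host, port, version)
        if accepted:
            findings.append(f"{name} is still accepted; disable it")
        elif accepted is None:
            findings.append(f"{name} could not be tested from this client")
    try:
        # The default context verifies chain, hostname and expiry and only
        # offers TLS 1.2+, so success here also proves a modern version works.
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=5.0) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                days = days_until_expiry(tls.getpeercert())
        if days <= renew_within_days:
            findings.append(f"certificate expires in {days} days; renew now")
    except ssl.SSLCertVerificationError as exc:
        findings.append(f"certificate failed verification: {exc.verify_message}")
    return findings
```

Call `audit("yourdomain.com")` from a cron job and alert on any non-empty result; the constructed `notAfter` values below show how the expiry arithmetic behaves.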

---

## Frequently Asked Questions

### Do I need a paid SSL certificate?

No. Let's Encrypt provides free SSL certificates that are trusted by all major browsers. Paid certificates (EV/OV) show organization details in the certificate but provide no additional encryption benefit. For most Laravel applications, Let's Encrypt is the right choice.

### Will disabling TLS 1.0/1.1 break anything?

TLS 1.0 and 1.1 were deprecated in 2020. All modern browsers support TLS 1.2+. The only clients affected would be Internet Explorer on Windows XP or very old Android devices (pre-5.0), which represent a negligible percentage of traffic.

### How do I handle SSL with a load balancer?

When using a load balancer (AWS ALB, Cloudflare, etc.), SSL terminates at the load balancer. Set APP_URL to https:// in your .env and configure the TrustedProxy middleware to trust the load balancer IP. Laravel will then correctly detect HTTPS from the X-Forwarded-Proto header.

