In this tutorial, we will be showing you how to secure your website with HTTPS. It used to be that if you needed to serve your website through HTTPS you would need to purchase a valid SSL certificate for your website. Nowadays you can get a valid SSL certificate for your domain at no cost.
Let’s Encrypt is a certificate authority (CA) providing free SSL/TLS certificates. Check out their link here. This guide will help you to install Let’s Encrypt client on your Linux system and use it to issue an SSL/TLS certificate for your domain.
The methods here will work for most major Linux distros but in this tutorial, we will be using Ubuntu. We will also show you the steps and where applicable we will show you the differences when it comes to Apache vs Nginx.
Prerequisites to Secure Your Website
Before we get started you would need to have some things in place. With that in mind, we’ll assume you already have:
- A running Ubuntu system with a user that has sudo privileges and shell access.
- A registered fully qualified domain name (FQDN) configured and pointed to your server’s public IP address. For this tutorial, we use example.com and www.example.com in our examples.
- A web server set up and running with a VirtualHost configured for example.com and www.example.com on Port 80. The web server can be Apache or Nginx.
Step 1 — Install Certbot
Before you can start using Let’s Encrypt to obtain an SSL certificate you would need to install the latest Certbot software on your server. Because of vibrant active development, the Certbot packages provided by Ubuntu tend to be outdated. Seeing the Certbot developers maintain a Ubuntu software repository with up-to-date versions, you will want to use the versions from those repositories.
Add the repository using the following command:
$ sudo add-apt-repository ppa:certbot/certbot
Next, install Certbot’s Apache package with apt:
$ sudo apt install python-certbot-apache
Or, install Certbot’s Nginx package with apt depending on your preferred setup:
$ sudo apt install python-certbot-nginx
Step 2 — Obtaining an SSL Certificate
Certbot convenient plugins to obtain SSL certificates. Depending on your server you can either use the Apache plugin or Nginx plugin. These plugins will take care of reconfiguring Apache/Nginx and reloading the config whenever necessary. To use these plugins, use the following commands.
$ sudo certbot --apache -d example.com -d www.example.com
$ sudo certbot --nginx -d example.com -d www.example.com
For the correct domain to work remember that you need to have your VirtualHost for the domain already working.
The above commands run Certbot with the –apache or –nginx plugins, using -d to specify the domain names you’d like the certificate to be valid for.
When you run the commands for the first time, you will be prompted to enter an email address and agree to the terms of service. After you agree to the terms, Certbot will communicate with the Let’s Encrypt servers. it will then run a challenge to verify that you control the specified domain name that you are requesting a certificate for.
Next, Certbot will ask how you would like to configure your HTTPS settings using the following prompt:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): Select your choice then hit ENTER.
Certbot will finish the setup with a message telling you the process was successful and where your certificates are stored. You must take note of the location of the certificates:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/your_domain/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/your_domain/privkey.pem Your cert will expire on 2018-07-23. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
You can now try and load your website using https:// and notice your browser’s security padlock icon. It should show that the site is properly set up and secured. You can also test your server using the SSL Labs Server Test here, it will get an A grade.
Step 3 Verify Certbot Auto-Renewal
Let’s Encrypt SSL/TLS certificates are only valid for ninety days. This is done to encourage users to automate their certificate renewal process and also to reduce the lifespan in case of certificate theft.
Certbot will run a script twice a day to automatically renew any certificate that’s within thirty days of expiration. You can also do a manual check and test the renewal process at any time using the following command:
$ sudo certbot renew --dry-run
You should not see any errors meaning all is well. During the course of time, if the automated renewal process ever fails, Let’s Encrypt will send out a message to the email you specified, warning you when your certificate is about to expire. In this case, you may need to update the certificate manually using:
$ sudo certbot renew
If you get any errors you may need to address them and run the command again.
We have just shown you how to secure your website for free using the Let’s Encrypt client certbot to install the SSL/TLS certificate. This guide also ensured you got a certificate issued for your domain for your preferred web server of either Apache or Nginx and even showed you how it gets renewed after 90 days.