Web development is not all about a pretty, minimalist UI and an attractive theme. More often than not, it is about foreseeing all the use cases and features you may want on your website. One of the most common requirements, which people often overlook, is the SSL layer.
If you have a blog it is fine to run with just http://yourdomain.com, but if you want people to enter sensitive information like their contact details or sign up for a service, it is best to use the HTTPS protocol. Before getting into what SSL does, let’s get a few terms out of the way:
- SSL: Secure Socket Layer, used interchangeably with
- TLS: Transport Layer Security
- CA: Certificate Authority
Things you will need in order to follow the steps in this tutorial:
- Privileged access to your VPS instance
- A registered domain name pointing to the public IP address of your VPS
Important Note: If you intend to use WordPress for the website (or a portion of it) that is going to get SSL certificates, it is recommended to install WordPress first, or at least not to enforce HTTPS before installing and initializing your WordPress instance. Later in this tutorial, when we reach the option of enforcing HTTPS, don’t enforce it until you have tested your WordPress site with it.
Mechanism and Advantages
Without getting too technical, the basic idea can be summarized as having a secret key shared by the server and the end user’s web browser, which both use to encrypt data before sending it over the internet to each other.
This ensures two of the most important properties of secure communication:
- Privacy: No one can snoop on your communication channel or understand what is going on. All they will see is gibberish which only the intended client and server can decode.
- Data Integrity: Any changes made to the data by noise in the channel or by some malicious entity can be easily detected.
Of course, to open such a communication channel you would have to be sure that the secret keys are exchanged among the trusted parties only – that is between your web server and the browser of your end user. This is where Let’s Encrypt comes into the picture.
Let’s Encrypt – Certificate Authority
Let’s Encrypt is a trusted third party that we will be using in our example to establish trusted communication. There are several other Certificate Authorities who perform the same service but the underlying idea of SSL communication is still the same.
The example below uses a bare-bones Ubuntu 16.04 installation with Apache 2.4.18. So let’s see step by step how to install SSL certificates.
1. Update package repository and install Apache using apt
Grab the Apache package by running:
$ sudo apt install apache2
Now start Apache by running the command:
$ sudo systemctl start apache2
With this basic setup done we can now test it by going into the browser and typing the URL:
http://subdomain.domainname.com
Just visit your domain name and you should get something similar to this:
Different operating systems package Apache differently, so the message may vary. Sometimes it is as simple as a bold heading containing just the words “It Works!”
2. Installing Certbot
Run the command:
$ sudo apt install software-properties-common
This package provides the add-apt-repository command, which lets you add repositories (PPAs) that are not part of the official Ubuntu archive.
Next we will add the following PPA:
$ sudo add-apt-repository ppa:certbot/certbot
Press ENTER to add the Launchpad PPA for certbot.
Once again, run:
$ sudo apt update
This will bring the system up to speed with the new PPA added in the previous command.
Finally, we can install certbot, which will greatly automate the process from here on:
$ sudo apt install python-certbot-apache
3. Running Certbot and installing certificates
Now we can run certbot. As the script runs we will get a few prompts; it is advisable to go through the messages carefully.
$ sudo certbot --apache
Enter your email address at the first prompt to get notified about urgent renewal and/or security notices.
The next prompt will ask you to accept the terms and conditions imposed by the Electronic Frontier Foundation. Accepting this is mandatory if you wish to use their Let’s Encrypt service.
This is followed by a prompt which subscribes you to regular emails from eff.org; you can decline this one if you wish.
If you are following this tutorial closely, chances are that you have not configured Apache very much. If you have no server names added in your configuration, the following prompt will ask you to enter the domain name of the website currently running under Apache:
After entering your domain name, certbot will make some changes and add a few modules, most notably the socache_shmcb module and the ssl_module. The reason we should be aware of these is that on some systems, like FreeBSD, you are required to open the httpd.conf file (the main configuration file for Apache) yourself and add the lines that bring about these changes.
Once this is done, you will be shown the following prompt asking whether or not you want HTTPS to be enforced on your website (the redacted area is where your domain name will be displayed).
Selecting the first option, which leaves plain HTTP as it is, is the safest. You can then go to the browser and test how the website responds if you try to access https://yourdomain.com/somepage instead of the regular HTTP version. Once you are satisfied that nothing’s broken you can then enforce it.
The last prompt is most important as it shows where your certificates are located in the directory tree and this can come in handy if you ever have to troubleshoot some problems in the future:
Note the locations of privkey.pem file and fullchain.pem file. Most importantly, never share the privkey.pem file with anyone.
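The following script is an added example, not part of the original tutorial, and it reproduces by hand the two changes that certbot --apache makes for a domain: it enables the ssl and socache_shmcb modules and writes a TLS virtual host that points at the fullchain.pem and privkey.pem files, plus the HTTP-to-HTTPS redirect that the "enforce HTTPS" prompt turns on. It is meant for systems like FreeBSD, mentioned above, where you edit the Apache configuration yourself, but it assumes the Debian/Ubuntu layout (a2enmod, a2ensite, /etc/apache2/sites-available) and assumes that certbot stored the certificates under /etc/letsencrypt/live/<domain>/, which is certbot's default; check the paths against the ones certbot printed in its last prompt.

```sh
#!/bin/sh
# Added example (not from the original tutorial): reproduce by hand the
# changes "certbot --apache" makes. Assumptions: Debian/Ubuntu Apache layout
# and certbot's default certificate directory /etc/letsencrypt/live/<domain>/.
set -eu

# Print the TLS virtual host for the domain given as $1.
render_ssl_vhost() {
  domain="$1"
  cat <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $domain
    DocumentRoot /var/www/html
    SSLEngine on
    # fullchain.pem holds the server certificate plus the intermediate chain;
    # privkey.pem is the private key and must stay readable by root only.
    SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# Print the plain-HTTP virtual host that sends every request to HTTPS.
# This is the "enforce HTTPS" choice: leave it out until the site has been
# tested over HTTPS (see the WordPress note at the top of the tutorial).
render_redirect_vhost() {
  domain="$1"
  cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =$domain
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
}

# Enable the modules, write both vhosts, and validate before reloading Apache.
install_vhosts() {
  domain="$1"
  a2enmod ssl socache_shmcb rewrite
  render_ssl_vhost "$domain"      > "/etc/apache2/sites-available/$domain-le-ssl.conf"
  render_redirect_vhost "$domain" > "/etc/apache2/sites-available/$domain.conf"
  a2ensite "$domain-le-ssl" "$domain"
  apachectl configtest            # a syntax error aborts here instead of taking the site down
  systemctl reload apache2
}

# Usage: sudo sh apache-tls.sh subdomain.domainname.com
if [ -n "${1:-}" ]; then
  install_vhosts "$1"
fi
```

The configtest step matters more than it looks: a typo in either vhost would otherwise be picked up only at the reload, and Apache then refuses to start, so the site goes dark until the file is repaired.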
4. Certificate Renewal
Adding a cron job that regularly attempts certificate renewal is recommended; it can try as often as every day. This also helps because certain security issues may require you to renew your certificates on short notice. Typically a certificate lasts 90 days, and the automatic renewal script will take care of this routine work if you do the following:
$ sudo crontab -e
Choose the editor of your choice (nano if you are unsure) and add the following line at the end of the file; the existing comment lines can stay as they are:
0 1 * * * certbot renew --quiet
This ensures that every day at 1 AM (certbot itself adds a short random delay when it is run from cron) certbot will run and try to renew the certificates if their renewal is due. You can choose a schedule of your liking.
Lastly, you should test your SSL certificates by visiting https://www.sslshopper.com/ssl-checker.html, or if you need a more detailed analysis of what is going on under the hood you can try: https://www.ssllabs.com/ssltest/
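A cron job that fails quietly is the usual way a Let's Encrypt site ends up with an expired certificate, so the following added example (not part of the original tutorial) is a check to run beside the renewal job. It exercises the renewal path with certbot renew --dry-run, reads the expiry date from fullchain.pem, and also asks the running server which certificate it actually presents, since a renewed file does nothing until Apache has reloaded it. It assumes GNU date (as on Ubuntu), the openssl command, and certbot's default path /etc/letsencrypt/live/<domain>/fullchain.pem; substitute the path certbot printed for you.

```sh
#!/bin/sh
# Added example (not from the original tutorial): notice a failed renewal
# before the 90-day certificate expires. Assumptions: GNU date, openssl,
# and certbot's default certificate directory.
set -eu

# Days between now and a "notAfter=..." line as printed by
# "openssl x509 -enddate -noout"; negative once the certificate has expired.
days_left_from_enddate() {
  end="${1#notAfter=}"
  end_epoch=$(date -u -d "$end" +%s)
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Days left on the certificate stored in the PEM file $1.
cert_days_left() {
  days_left_from_enddate "$(openssl x509 -enddate -noout -in "$1")"
}

# Exit status 0 when $1 (days left) is at or below the threshold $2.
# certbot renews once 30 days or fewer remain, so a certificate still under
# 30 days after the nightly job has run means the renewal is failing.
renewal_needed() {
  [ "$1" -le "$2" ]
}

# Days left on the certificate the server presents for $1 over TLS.
served_cert_days_left() {
  domain="$1"
  days_left_from_enddate "$(printf '' \
    | openssl s_client -connect "$domain:443" -servername "$domain" 2>/dev/null \
    | openssl x509 -enddate -noout)"
}

check_renewal() {
  domain="$1"
  pem="/etc/letsencrypt/live/$domain/fullchain.pem"   # assumed certbot path
  certbot renew --dry-run --quiet   # full renewal round-trip against the staging CA, no real certificate issued
  on_disk=$(cert_days_left "$pem")
  served=$(served_cert_days_left "$domain")
  echo "$domain: $on_disk days left on disk, $served days left as served"
  if renewal_needed "$on_disk" 30; then
    echo "WARNING: certificate on disk is within 30 days of expiry; check 'certbot renew' output" >&2
    exit 1
  fi
  if [ "$served" -lt "$on_disk" ]; then
    echo "WARNING: Apache is still serving an older certificate; reload it" >&2
    exit 1
  fi
}

# Usage: sudo sh check-renewal.sh subdomain.domainname.com
if [ -n "${1:-}" ]; then
  check_renewal "$1"
fi
```

Run it from a second cron entry an hour or two after the renewal job, or by hand whenever you change the Apache configuration; the comparison between the on-disk and the served certificate is the part the online checkers above cannot do for you, because they only see what the server presents.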
Furthermore, if you are running something other than Ubuntu or Apache, then visit https://certbot.eff.org/ to know more.