Having an SSL certificate installed on your server means that your website uses the Hypertext Transfer Protocol Secure (HTTPS) to provide a secure connection between your web server and your users' browsers. This secure connection ensures that the data transmitted between the browser and the web server is encrypted and protected from tampering. Data sent in either direction, from browser to server or from server to browser, is encrypted.
Do I need to pay for SSL certificates?
Yes or no: it depends on your choice. You can install a free SSL certificate or pay for one.
If all you need is to integrate an SSL certificate and enable HTTPS on your website, you can install a free SSL certificate. With a paid certificate you get additional services such as warranties, insurance covering your data protection, technical assistance, a higher level of trust and so on, depending on the third party issuing the certificate.
In this blog we will install a free SSL certificate (Let's Encrypt) on a Linux machine running the Apache web server.
Before starting the installation, the following prerequisites must be met:
We need to set up Certbot to install SSL certificates for any virtual host on the server. To install Certbot, run the following commands:
$ sudo apt update
$ sudo apt install certbot python3-certbot-apache   # for Apache
$ sudo apt install certbot python3-certbot-nginx    # for Nginx
The first command, apt update, refreshes the package lists. We run it before installing anything so that the packages we install are up to date with the latest security updates and patches.
Likewise, the first part of the second command, apt install certbot, installs Certbot, an open-source tool that automates obtaining and renewing SSL/TLS certificates from Let's Encrypt. The package named after it, python3-certbot-apache or python3-certbot-nginx, is the plugin that automatically configures the web server (Apache or Nginx) to install the SSL certificate and use it for the required domain.
Check the status of the firewall:
$ sudo ufw status
Status: inactive
Note: If you are on a cloud service provider such as AWS or Google Cloud, the provider has its own recommended way to open ports, because opening ports carelessly can expose the server to more security vulnerabilities. Find the recommended way to open ports for your cloud provider (if any). Allow port 443 (HTTPS) in addition to port 80 and any other ports you need.
If your cloud provider has no such recommendation, you can open the port directly from the machine itself with the commands below:
To enable the firewall in Ubuntu, run this command:
$ sudo ufw enable
To allow HTTPS, run this command:
$ sudo ufw allow https
Now, if you check the status again, you will see:
$ sudo ufw status
Status: active
To Action From
-- ------ ----
.
.
.
443/tcp ALLOW Anywhere
Since we have already installed the Certbot plugin for the web server (Apache or Nginx), it takes care of all the web server configuration required to set up HTTPS.
For Apache
$ sudo certbot --apache
For Nginx
$ sudo certbot --nginx
You might receive multiple prompts, for example to accept the terms of service and to enter an email address. The email address is used to send you notifications about Certbot errors or renewals. Additionally, you might be prompted for your name, location, department and so on. Apart from the email address and the terms of service, you can read each prompt and decide whether to provide the details or decline.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.example.com
2: www.example2.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.example1.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/www.example1.com/privkey.pem
This certificate expires on 2024-08-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for www.example.com to /etc/apache2/sites-enabled/000-default-le-ssl.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Since this example has two hosts, you can enter a single number or several numbers separated by commas, e.g. 1,2, to select all of them.
Since we entered 1 at the prompt above, SSL is enabled for the corresponding domain, i.e. www.example.com. If you want to install a certificate for another domain later, you can rerun the same command, or enter the numbers separated by commas to set up all of them at once, e.g. 1,2 and so on.
From the above output we can see that the certificate is now installed and loaded into Apache's configuration. Now go to your browser, clear the cache and reload the page; you should see https:// in front of your website's address.
Let’s Encrypt certificates are only valid for ninety days.
The Certbot package you installed handles certificate renewals automatically by including a renewal script in /etc/cron.d, which is managed by a systemd timer called certbot.timer. This timer runs twice a day and automatically renews any certificates that are within thirty days of expiration.
To check the status of this service and ensure it’s active, run the following command:
$ sudo systemctl status certbot.timer
certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Fri 2024-05-17 08:55:45 UTC; 57min ago
Trigger: Fri 2024-05-17 11:20:15 UTC; 1h 27min left
Triggers: ● certbot.service
May 17 08:55:45 ip-172-31-0-195 systemd[1]: Started Run certbot twice daily.
You can test the renewal process manually with a dry run:
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/www.example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you don't encounter any errors and see output like the above, you are all done. Certbot also renews the certificate automatically. If a renewal fails, Certbot sends you an email with an error report so that you can fix the problem manually.
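The thirty-day renewal window described above can also be checked against the certificate file itself, which catches the case where the timer is active but renewal is silently failing. The script below is an added example, not part of the original tutorial or of Certbot; it assumes GNU date and openssl are installed, and the function names (seconds_left, classify, check_cert) are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag certificates that automatic renewal should already
# have replaced. Assumes GNU date and openssl; function names are illustrative.

RENEW_WINDOW_DAYS=30   # certbot.timer renews inside this window (see text above)

# seconds_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the date openssl prints after "notAfter=",
# e.g. "Aug 15 12:00:00 2024 GMT". NOW_EPOCH defaults to the current time.
seconds_left() {
    local end now
    now=${2:-$(date -u +%s)}
    end=$(date -u -d "$1" +%s) || return 2
    echo $(( end - now ))
}

# classify SECONDS -> ok | renewal-due | expired
classify() {
    if [ "$1" -le 0 ]; then
        echo expired
    elif [ "$1" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        echo renewal-due      # inside the 30-day window: renewal has not happened
    else
        echo ok
    fi
}

# check_cert PEM_FILE: prints one status line; returns 0 only when status is ok
check_cert() {
    local not_after secs status
    # For fullchain.pem, openssl reads the first certificate (the site's own).
    not_after=$(openssl x509 -in "$1" -noout -enddate) || return 2
    secs=$(seconds_left "${not_after#notAfter=}") || return 2
    status=$(classify "$secs")
    echo "$1: $status ($(( secs / 86400 )) days left)"
    [ "$status" = ok ]
}

# Usage: sudo ./check-cert.sh /etc/letsencrypt/live/www.example.com/fullchain.pem
if [ "$#" -gt 0 ]; then
    rc=0
    for pem in "$@"; do check_cert "$pem" || rc=1; done
    exit "$rc"
fi
```

A non-zero exit status means at least one certificate is expired or has less than thirty days left, so the script can be run from cron or a monitoring agent alongside certbot.timer.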
In this tutorial we covered the importance of SSL certificates and the process of installing them on Linux distributions with either web server (Apache2 or Nginx). By following this article you can configure SSL certificates for your domain on an Ubuntu server.