To protect communication between clients and your website (server) you need to secure the HTTP connection by encrypting the data transmitted over the network. The easy way is to use the cryptographic security protocol TLS/SSL.
A Let's Encrypt certificate is free, unlike those from Comodo, IdenTrust or Symantec, and Let's Encrypt is the most popular and trusted of the similar free authorities.
This article is a continuation of the previous one, about configuring a Linux server; please read it if you haven't yet.
We'll now configure HTTPS on our host s1.dock.co.nz. The easiest way to install a certificate automatically is to use a client with ACME protocol support. ACME (Automatic Certificate Management Environment) lets us automatically request a new certificate from a CA (Certificate Authority, in our case Let's Encrypt) and configure the web server to work with HTTPS immediately.
In our example we use Certbot by EFF.
On the official Certbot website you'll find setup instructions for each web server and operating system. We'll deploy for Apache Web Server on Debian 9 (stretch).
Using the provided instructions, let's install Certbot:
sudo apt install python-certbot-apache
Certbot can obtain and install a certificate automatically with the command
sudo certbot --apache
But let's only obtain it, and install it manually, by running the command
sudo certbot --apache certonly
You'll be asked for the email address to register with your certificate.
Type the email and press Enter:
user@s1:~$ sudo certbot --apache certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): info@dock.co.nz
Next, read and accept the Let's Encrypt Terms of Service by typing the letter "A".
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Now Certbot will read the Apache web server configuration files for available hosts and ask which ones to issue certificates for:
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: s1.dock.co.nz
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
We have only one domain, so I press Enter to issue for all. If you have a couple of domains, type the number associated with the required domain.
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for s1.dock.co.nz
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/s1.dock.co.nz/fullchain.pem. Your cert will expire
   on 2018-02-16. To obtain a new or tweaked version of this certificate in
   the future, simply run certbot again. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you lose your account credentials, you can recover through e-mails sent
   to info@dock.co.nz.
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this
   folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this
   folder is ideal.
That's all: the certificate is issued for our domain s1.dock.co.nz. Don't forget to read the information in the output's Important Notes.
All files are located in /etc/letsencrypt/live/s1.dock.co.nz:
root@s1:# cd /etc/letsencrypt/live/s1.dock.co.nz/
root@s1:/etc/letsencrypt/live/s1.dock.co.nz# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
Issued certificates last for 90 days, so don't forget to configure automatic renewal by adding a job to cron or a systemd timer that runs:
certbot renew
The full Certbot documentation can be found on the official website.
Now create a VirtualHost to work with HTTPS.
In the previous article about configuring the web server, we created a configuration file for s1.dock.co.nz in the sites-available directory:
root@s1:# cat /etc/apache2/sites-available/s1-dock.conf
<VirtualHost *:80>
    ServerName s1.dock.co.nz
    DocumentRoot "/home/user/dock"
    <Directory /home/user/dock/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/s1-dock-error.log
    CustomLog ${APACHE_LOG_DIR}/s1-dock-access.log combined
</VirtualHost>
We change this configuration to:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName s1.dock.co.nz
    ServerAdmin info@dock.co.nz
    DocumentRoot /home/user/dock
    LogLevel debug
    ErrorLog /home/user/dock/s1_dock_error.log
    CustomLog /home/user/dock/s1_dock_access.log combined
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/letsencrypt/live/s1.dock.co.nz/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/s1.dock.co.nz/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/s1.dock.co.nz/chain.pem
    <Directory /home/user/dock>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
</IfModule>
The IfModule directive ensures that the section is processed only if the module is enabled (mod_ssl in our case).
The VirtualHost now listens on port 443 instead of 80.
SSLEngine is switched on, together with the protocol setting and the paths to the Let's Encrypt certificate files created by Certbot.
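As an added example (not the article's own configuration), here is the same VirtualHost with the points a reviewer would tighten: SSLProtocol all -SSLv2 still permits SSLv3, TLS 1.0 and TLS 1.1; log files written into the DocumentRoot are served to the web; there is no longer a port-80 host to redirect plain-HTTP visitors; and SSLCertificateChainFile is deprecated since Apache 2.4.8 in favour of serving fullchain.pem. It assumes Debian 9's Apache 2.4.25 with mod_headers enabled (sudo a2enmod headers) and keeps the page's paths and names.

```apache
# Added hardened version of the article's HTTPS host (example, not the
# article's own config). Assumes Apache 2.4.25 on Debian 9 with
# mod_ssl, mod_alias (default) and mod_headers (sudo a2enmod headers).
<VirtualHost *:80>
    ServerName s1.dock.co.nz
    DocumentRoot /home/user/dock
    # Keep the ACME challenge path reachable over plain HTTP so renewals
    # keep working; send every other request to HTTPS.
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)" "https://s1.dock.co.nz/$1"
    ErrorLog ${APACHE_LOG_DIR}/s1-dock-error.log
    CustomLog ${APACHE_LOG_DIR}/s1-dock-access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName s1.dock.co.nz
    ServerAdmin info@dock.co.nz
    DocumentRoot /home/user/dock

    # Logs belong under /var/log/apache2, not in the DocumentRoot: the
    # article's /home/user/dock/*.log files are downloadable by anyone
    # (and listed, because Options Indexes is on). "debug" is too verbose
    # for production.
    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/s1-dock-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/s1-dock-ssl-access.log combined

    SSLEngine on
    # Weak (article): SSLProtocol all -SSLv2  -> SSLv3, TLS 1.0, TLS 1.1 stay on.
    # Hardened: TLS 1.2 only, the newest this Apache/OpenSSL build offers.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES

    # fullchain.pem = cert.pem + chain.pem; SSLCertificateChainFile is
    # deprecated since 2.4.8, so serve the whole chain from one file.
    SSLCertificateFile    /etc/letsencrypt/live/s1.dock.co.nz/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/s1.dock.co.nz/privkey.pem

    # Browsers that have seen this header refuse plain HTTP for a year.
    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory /home/user/dock>
        # No directory listings; re-enable AllowOverride only if .htaccess is needed.
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
</IfModule>
```

Run sudo apachectl configtest before restarting so a typo in the hardened host does not take the site down.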
To enable the mod_ssl module in Apache Web Server, run the following command:
sudo a2enmod ssl
Then restart the web server to activate the new configuration:
sudo systemctl restart apache2
You can check the loaded modules with the command apachectl -M:
root@s1:/etc/apache2/mods-available# apachectl -M
Loaded Modules:
 ...
 core_module (static)
 mpm_prefork_module (shared)
 php7_module (shared)
 ssl_module (shared)
 status_module (shared)
 ...
Open the address in a browser over https and check that it works:
https://s1.dock.co.nz/
That’s it.
Thanks for reading, if you have any questions or need help, don’t hesitate to ask.
I always was concerned in this topic and stock still am, thank you for posting.