How to easily add HTTPS to your Server for free!
4 August 2020
Long gone are the days when, if you wanted HTTPS, you had to pay at least $10 for a certificate.
Nowadays, if for any reason you are hosting a website or an API on a Virtual Private Server at AWS, DigitalOcean or any other VPS provider, you most likely got a Linux distribution with a basic configuration and no SSL. Luckily, now we have Let's Encrypt! 🥳
In this publication, I will:
- Succinctly explain what SSL and TLS are.
- Explain how you can create your digital certificate and install it on the web server you are most likely using, Nginx or Apache.
To help as many people as I can, this guide focuses only on Ubuntu. If you need any help, feel free to reach me here or through Twitter! For the same reason, Lighttpd is not covered ❤️
A refresher on terminology:
- SSL - Secure Sockets Layer is a cryptographic protocol responsible for encrypting data (secure connections) between a client and a server.
- TLS - Transport Layer Security is also a cryptographic protocol responsible for encrypting data and securing connections between endpoints.
The main difference is that TLS is the updated successor of SSL, with stronger cryptographic algorithms (RSA, DSA, etc.).
So whenever you see or hear something mentioning SSL, it is probably referring to TLS.
Let's Encrypt
Let's Encrypt is a non-profit certificate authority (CA) that provides SSL/TLS certificates for free, for public use. It is run by the Internet Security Research Group (ISRG).
In layman's terms, through the ACME protocol it verifies that you control your domain and automatically issues the digital certificates you can use to enable HTTPS for your websites or applications.
Certbot is the client software that validates your domain and requests the digital certificates to be installed on your server.
Add Certbot repository to Ubuntu.
sudo add-apt-repository ppa:certbot/certbot
Depending on the software you are using, it is worth checking for a maintained repository, because the default repositories shipped by your distro may be outdated.
Install Certbot Package
# If you have Apache
sudo apt install python-certbot-apache
# If you have Nginx
sudo apt install python-certbot-nginx
Request and install the certificate
# If you have Apache
sudo certbot --apache -d vascoabelha.com -d www.vascoabelha.com
# If you have Nginx
sudo certbot --nginx -d vascoabelha.com -d www.vascoabelha.com
Instead of vascoabelha.com, use the name you defined in your web server configuration, either in:
- /etc/apache2/sites-available/[domain].conf (ServerName)
- /etc/nginx/sites-available/[domain] (server_name)
If this is the first time you run Certbot on your host, you will need to answer a few questions, such as the e-mail address used for notifications (nothing to worry about).
In the end, you will be presented with:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
I tend to always select number 2. Certbot will then change your Nginx/Apache configuration to add the needed redirects (301) so that all connections are forced to HTTPS.
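Two things are easy to get wrong at this stage: the names passed to "certbot -d" must be exactly the ServerName / server_name declared in your site configuration, and after choosing option 2 you want to confirm the redirect really landed in the file. The following script is an added example, not part of the original post or of Certbot; it reads the host names out of an Nginx or Apache site file, builds the matching "-d" arguments, warns about any requested name the config does not declare, and checks for an HTTP-to-HTTPS redirect directive. The sample configs inside it are constructed, and example.com stands in for your own domain.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check that the
# names you pass to "certbot -d" really are the ServerName / server_name of
# your site, plus a post-flight check that an HTTP -> HTTPS redirect exists.
# The sample configs below are constructed; example.com is a placeholder.

# extract_server_names CONFIG -> prints every host name declared in an nginx
# "server_name ..." or an Apache "ServerName"/"ServerAlias" line, one per line,
# without duplicates. Skips nginx's "_" catch-all and strips Apache ":port".
extract_server_names() {
  awk '
    $1 == "server_name" || $1 == "ServerName" || $1 == "ServerAlias" {
      for (i = 2; i <= NF; i++) {
        n = $i
        sub(/;$/, "", n)          # nginx terminates the directive with ";"
        sub(/:[0-9]+$/, "", n)    # Apache allows "ServerName host:port"
        if (n != "" && n != "_") print n
      }
    }' "$1" | awk '!seen[$0]++'
}

# certbot_domain_args CONFIG -> the "-d a -d b" string for the names found
certbot_domain_args() {
  extract_server_names "$1" | awk '{ printf "%s-d %s", (NR > 1 ? " " : ""), $1 }'
}

# check_domains_match CONFIG DOMAIN... -> warns and exits 1 for every requested
# domain the config does not declare; a name missing here is the usual reason
# Certbot's installer cannot find a matching virtual host to edit.
check_domains_match() {
  conf=$1; shift
  names=$(extract_server_names "$conf")
  status=0
  for d in "$@"; do
    if ! printf '%s\n' "$names" | grep -qxF "$d"; then
      echo "warning: $d is not a ServerName/server_name in $conf" >&2
      status=1
    fi
  done
  return $status
}

# has_https_redirect CONFIG -> exit 0 if the config carries an HTTP -> HTTPS
# redirect (nginx "return 301 https://", Apache "RewriteRule ... https://" or
# "Redirect permanent ... https://")
has_https_redirect() {
  grep -Eq 'return[[:space:]]+30[18][[:space:]]+https://|RewriteRule[[:space:]].*https://|Redirect[[:space:]]+permanent[[:space:]].*https://' "$1"
}

# Constructed sample site files, shaped like the ones named in the post
sample_nginx_conf() {
  cat <<'EOF'
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/html;
}
EOF
}

sample_apache_conf() {
  cat <<'EOF'
<VirtualHost *:80>
    ServerName example.com:80
    ServerAlias www.example.com mail.example.com
    DocumentRoot /var/www/html
</VirtualHost>
EOF
}

# demo -> runs the checks against the constructed samples
demo() {
  tmp=$(mktemp -d)
  sample_nginx_conf  > "$tmp/nginx-site"
  sample_apache_conf > "$tmp/apache-site.conf"
  for f in "$tmp/nginx-site" "$tmp/apache-site.conf"; do
    echo "$f: certbot $(certbot_domain_args "$f")"
    check_domains_match "$f" example.com www.example.com || true
    has_https_redirect "$f" && echo "  redirect present" || echo "  no HTTP->HTTPS redirect yet"
  done
  rm -rf "$tmp"
}

# Run "sh this-script.sh demo" to see the output for the constructed samples;
# on a real host call e.g. extract_server_names /etc/nginx/sites-available/example.com
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real host, run check_domains_match against /etc/apache2/sites-available/[domain].conf or /etc/nginx/sites-available/[domain] with the same names you intend to pass to Certbot before you run it, and has_https_redirect against the same file after you pick option 2.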
By now, your certificates are installed and in use. If you refresh your website, you will see the shiny 🔒 followed by https 🥳!!
👏Everything is set and running👏
Last but not least, these certificates are valid for 90 days! Yet you don't need to worry: Certbot runs twice a day, checks that your certificate is still valid and issues a new one when needed (when fewer than 30 days of validity remain).
If you would like to test that the certificate renewal process is working fine, run:
sudo certbot renew --dry-run
If in step 3 you provided a real e-mail address, you will also be notified in case the renewal process fails!
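The dry run only tells you that renewal would work today; it is still worth having a check that does not depend on Certbot's own timer. The script below is an added example, not part of the original post or of Certbot: it applies the same rule the post describes (renew when fewer than 30 days of validity remain) to the certificate that Certbot keeps under /etc/letsencrypt/live/[domain]/cert.pem, using openssl and GNU date as found on Ubuntu. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): an independent expiry check that
# applies the same rule Certbot uses, "renew when fewer than 30 days remain".
RENEW_THRESHOLD_DAYS=30

# days_until NOW_EPOCH EXPIRY_EPOCH -> whole days remaining (negative once expired)
days_until() {
  echo $(( ($2 - $1) / 86400 ))
}

# renewal_due NOW_EPOCH EXPIRY_EPOCH -> exit status 0 when renewal is due
renewal_due() {
  [ "$(days_until "$1" "$2")" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# cert_not_after_epoch CERT_PEM -> the certificate's notAfter as epoch seconds
# (needs openssl and GNU date; both are present on Ubuntu)
cert_not_after_epoch() {
  not_after=$(openssl x509 -in "$1" -noout -enddate) || return 1
  date -d "${not_after#notAfter=}" +%s
}

# check_live_cert NAME -> reports on Certbot's current certificate for NAME.
# NAME is the lineage Certbot created, by default the first "-d" domain.
check_live_cert() {
  cert="/etc/letsencrypt/live/$1/cert.pem"
  [ -r "$cert" ] || { echo "no readable certificate at $cert" >&2; return 2; }
  expiry=$(cert_not_after_epoch "$cert") || return 2
  now=$(date +%s)
  left=$(days_until "$now" "$expiry")
  if renewal_due "$now" "$expiry"; then
    echo "$1: $left day(s) left, Certbot should have renewed; run 'sudo certbot renew' and check its output"
    return 1
  fi
  echo "$1: $left day(s) left, no renewal due yet"
}

# Usage: sudo sh this-script.sh vascoabelha.com (reading /etc/letsencrypt needs root)
if [ -n "${1:-}" ]; then check_live_cert "$1"; fi
```

Run it from cron or your monitoring system; a non-zero exit means either the renewal that Certbot should already have done has not happened, or the certificate file is not where Certbot's default layout puts it.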
See you around!