Last updated December 5th, 2023 23:55
If you operate web hosting like me on your own server, the first thing that should concern you is its security. And I’m not just talking about server security but also about the security of the website running on that server. One crucial element in today’s context is an SSL certificate. By using an SSL certificate, you encrypt the data exchanged between your server and the user’s computer visiting your website. This guide will show you easy activation of SSL on Ubuntu using Certbot. Thanks to Certbot’s functionality, the installation and setup of the certificate will be significantly simplified. As an added bonus, Certbot will take care of automatically renewing the certificate. The certificate is typically issued for only 90 days.
Why is it important to encrypt data on your website using HTTPS and SSL?
Imagine that between your server and a user’s computer reading your website, there is something we can call a communication channel. In this channel, your server and the user’s browser on the other end exchange information. The user’s browser requests data and content, and the server processes these requests and sends back the data.
Both the user’s requests and data flow over the internet in this communication channel. Moreover, in this channel, these two machines communicate and exchange requests. However, if you don’t use HTTPS and an SSL certificate, the server sends data to the user in unencrypted text format. Similarly, the user’s computer also sends data to the server in the same unencrypted manner. Now, imagine the user is entering login credentials for the administration panel on the website. Therefore, they should be cautious with sensitive information, like a credit card number. As a result, this data would travel over the internet as plain data, completely unprotected.
Man-in-the-middle attacks are a real threat in such scenarios
If you do this, you expose yourself to a risk commonly known as a “Man in the Middle” attack. In simple terms, it means that a hacker stands in the middle of your communication channel. The communication will no longer be between the user and the server but between the user-hacker-server.
The hacker will intercept the data being sent to and from the server. If the data is not encrypted, you are practically handing over sensitive information to the hacker on a silver platter. Why? The hacker will receive it in plain text format, including passwords, credit card numbers, and all other sensitive user information. This puts you at potential risk.
However, if you use SSL and HTTPS, the data the hacker intercepts will be encrypted. This means the hacker won’t be able to decipher the original content, and the data will remain secure. That’s a simple explanation of why it’s essential to have SSL and use the HTTPS protocol on your website. Of course, the other side of the coin is that if you don’t use HTTPS, your payment gateway won’t work on the website, and Google will penalize you. That’s the explanation for why it is necessary to use SSL and HTTPS on your website.
Easy Activation Of SSL On Ubuntu Using Certbot
With Certbot, you can easily set up HTTPS for any of your domains, ensuring encrypted communication between your visitors and the web server. The tool also takes care of certificate renewal to keep them up-to-date and valid. Thanks to automatic renewal, you don't have to worry about this task yourself, ensuring uninterrupted secure connections for your website.
Now, let’s finally take a look at how you can set up an SSL certificate on the server. Firstly, thanks to Certbot’s functionality, it’s really straightforward and requires only basic knowledge of a Linux server. Furthermore, if you can connect to the server using SSH, you can handle it. Moreover, I assume you’ve already managed website creation. Additionally, you might have experience with the installation of PHP or other components.
So, as the first step, install the Certbot component using this command:
sudo apt install certbot python3-certbot-apache
Once Certbot is installed, double-check the domain for which you will be installing the certificate. You can find the website’s domain in the Apache configuration, usually located at:
/etc/apache2/sites-available/vase_domena.conf
Edit the configuration file and look for the lines ServerName and ServerAlias. Here, you will find the defined domain of your website, where ServerName typically represents the second-level domain, and ServerAlias is the subdomain with “www“.
Check your firewall
Since HTTPS operates on port 443 and HTTP on port 80, you must ensure that port 443 is allowed in your firewall. You can perform a simple check using the command:
sudo ufw status
This command will display the current firewall rules. If you don’t see “port 443” or “Apache Full” listed separately, you’ll need to add the rules. If you only see “Apache” in the output, you’ll have to remove that rule and create a new one for “Apache Full.” The difference is that “Apache” is only for port 80, whereas “Apache Full” covers both port 80 and 443.
To add the necessary rule, use this commands:
sudo ufw delete allow 'Apache'
sudo ufw allow 'Apache Full'
With these commands, you will first remove the classic Apache rule on port 80. Afterward, you will immediately add the Apache Full rule for both ports. If you handle rules differently, you can directly allow access for port 443.
Obtain the certificate using Certbot
Certbot provides various methods for obtaining an SSL certificate through plugins. The Apache plugin takes care of reconfiguring Apache and reloading the configuration whenever needed. To use this plugin, type the following command:
sudo certbot --apache
This script will prompt you with a series of questions to properly configure your SSL certificate. First, it will ask for your email address:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): mail@vase_domena
Next, Certbot will ask you whether you want to share your email address with the Electronic Frontier Foundation to receive updates or additional information via email. If you do not wish to subscribe to their content, type N. Otherwise, type Y. Then press ENTER to proceed to the next step.
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
In the next step, you will be asked to inform Certbot for which domain you want to activate HTTPS. Certbot will automatically retrieve the list of domains from the Apache virtual host configuration. That’s why it’s crucial to have the ServerName and ServerAlias correctly defined in the configuration file as mentioned above.
If you want to enable HTTPS for all the listed domains (recommended), you can leave the response field empty and press ENTER to continue. Otherwise, select the domain for which you want to enable HTTPS by entering the corresponding number from the list. For multiple domains, write the corresponding numbers separated by a comma and space (1, 3, 9 …).
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: vase_domena
2: www.vase_domena
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
You will see the following output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vase_domena
http-01 challenge for www.vase_domena
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/vase_domena-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/vase_domena-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/vase_domena-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/vase_domena-le-ssl.conf
Redirecting traffic from HTTP to HTTPS
Now, Certbot will prompt you to choose whether you want to enable or disable the HTTP to HTTPS redirection. This means that if someone enters your domain into the browser using HTTP, they will be automatically redirected to HTTPS traffic. The recommended option is 1 if you don’t want automatic redirection, or option 2 if you want all traffic to be directed to HTTPS only. Confirm your choice by pressing the enter key.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
After this step, you will have completed the SSL configuration using Certbot, and you will be presented with the final details on where to find the generated files and how to test your configuration using an external tool that analyzes the authenticity of your certificate.
Congratulations! You have successfully enabled https://vase_domena and
https://www.vase_domena
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=vase_domena
https://www.ssllabs.com/ssltest/analyze.html?d=www.vase_domena
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/vase_domena/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/vase_domena/privkey.pem
Your cert will expire on 2020-07-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Automatic Certificate Renewal Before Expiry
The certificate is valid for only 90 days, so it’s essential to regularly renew it. However, there’s no need to worry because Certbot will take care of this for you. The Certbot package we installed at the beginning of the guide includes a renewal script located in the /etc/cron.d directory, managed by the systemctl service called certbot.timer. This script runs twice a day and automatically renews any certificate that will expire within thirty days.
If you want to make sure that the automatic renewal service is active, you can use this command:
sudo systemctl status certbot.timer
You will probably get the following output when using the command:
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Tue 2023-05-28 16:42:48 UTC; 17h ago
Trigger: Wed 2023-05-28 23:40:21 UTC; 12h left
Triggers: ● certbot.service
May 28 17:57:48 fine-turtle systemd[1]: Started Run certbot twice daily.
If you want to test the renewal process to ensure that everything is working smoothly and no issues arise, you can use this command:
sudo certbot renew --dry-run
If you don’t see any errors, your HTTPS and SSL configuration are complete, and you can congratulate yourself.
Easy Activation Of SSL On Ubuntu Using Certbot
Conclusion
As you can see, the SSL configuration was not complicated at all if you’ve reached this point. Thanks to the Certbot tool, which practically did everything for you, the installation is straightforward and involves only a few commands and configuration tests. Moreover, if this guide has helped you or if you successfully managed the entire installation process because of it, please provide feedback by rating below. Additionally, you can also leave a comment if you’d like.
The website is created with care for the included information. I strive to provide high-quality and useful content that helps or inspires others. If you are satisfied with my work and would like to support me, you can do so through simple options.
Subscribe to the Newsletter
Stay informed! Join our newsletter subscription and be the first to receive the latest information directly to your email inbox. Follow updates, exclusive events, and inspiring content, all delivered straight to your email.
