Installing free SSL certificates with Let's Encrypt
How you can secure your website with an SSL certificate using the latest Open Certificate Authority, Let’s Encrypt.
By Luke Whitehouse on
Let's Encrypt is an Open Certificate Authority created by the Internet Security Research Group (ISRG), a non-profit organisation dedicated to improving the security of the digital infrastructure we now take for granted, in a time where our privacy is being threatened on all fronts.
This tutorial will teach you how to secure your website from such privacy concerns and in doing so reap the additional benefits that a website gains by running over HTTPS.
After installing SSL certificates in the past I know only too well the struggles that one can face, but when looking into Let's Encrypt for Assortment, I was pleasantly surprised to find just how it simple it was to setup; something I'm sure you'll all echo at the conclusion of this post.
Now I appreciate there may be some of you still unsure what an SSL certificate actually is, or more importantly what it does. If that's you, stick around for the next section of this post and I'll explain exactly that, otherwise feel free to skip to the tutorial itself.
What is an SSL certificate?
Defined officially as a 'Secure Socket Layer', an SSL certificate is a piece of technology that allows your users to establish a secure connection between themselves and your website (or rather the server it is hosted on), encrypting any messages or other information sent back and fourth between the two.
When going to a website you request the contents of that page from the server it is hosted on. In turn, the server will then answer your call with the requested content for you to download and display in your browser.
However, when requesting secure content from a website behind an SSL certificate, you in turn request a level of validation from the website's server in order to verify it's authenticity before downloading any files. This verification is typically conducted by a third-party organisation known as a Certificate Authority, just like Let's Encrypt.
In essence you can treat an SSL certificate as a middleman that ensures everyone is safe and secure while transactions take place. In this case the transaction of web page files.
I hope this provides a loose meaning to what an SSL certificate is and how it works but should you have any question feel free to leave a comment at the bottom of this post.
With that in mind let's continue on with the tutorial.
Setting up Certbot
In order to create our SSL certificate, we will be installing a piece of software onto the server called Certbot.
Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.
This will help automate our certificate requests and in the future help us automate them through the use of Cron jobs.
NOTE: Cron jobs are tasks that help schedule operations to occur at certain times.
Prerequisites
For this tutorial you will need a few things setup:
- As these commands need to be run on your server, you must make sure you have SSH access to your server with root level access;
- and the site you would like to be setup must already have vhosts setup on the server, here's a great guide over on Digital Ocean to show you how to do that for a Ubuntu LAMP stack.
- Finally, the site's DNS records must be pointing to your server, pretty much meaning the website must be live on your server, unless this is a completely new domain.
Got all that? Sorted? Cool, let's continue on with the post.
Installation
Installing Certbot will depend heavily on the Operating System and Web Server you're running, you'll find instructions for each setup on the Certbot website.
I'll be demonstrating this through my server, running Apache on Ubuntu 16.04 (trusty) and using my portfolio as an example site to encrypt.
NOTE: The following steps are only for Apache on Ubuntu 16.04 (trusty).
First of all download the Certbot package using apt-get
.
$ sudo apt-get install python-letsencrypt-apache
Once installed, I'll run the letsencrypt
command for apache.
$ letsencrypt --apache
You'll now be taken through a series of GUI-like questions, you can proceed through these by using:
- Arrow keys for navigation
- Spacebar for selection
- Enter for submission
The first question will ask you to tick the domains you'd like to encrypt. I'm going to assume you're not encrypting a subdomain so be sure to encrypt both www.
and non-www.
for those SEO gains.
Next, you'll also be given the option to limit traffic only to HTTPS or to allow both HTTPS and HTTP. Depending on your website's goals you may opt for the more secure option, however, for 99% of cases I'd recommend going with the more flexible option of the two, as we can handle any redirects within our .htaccess
file or similar depending on your setup.
That's pretty much it, you've successfully installed your SSL certificate. Easy right? Almost too easy.
To test this, go to your website over HTTPS (https://yoursite.com) and check the search bar for your padlock icon. Happy days!
Redirecting traffic to HTTPS
Now that we have our website setup behind an SSL certificate, we need to drive our users through it, as currently they can access both the secure and non-secure sites. As I mentioned in the previous section, we didn't go down the route of only allowing traffic through HTTPS as some users may try to go to the non-https equivalent.
Within my last post on Common .htaccess Redirect Rules I demonstrated how to redirect all traffic to HTTPS, so feel free to paste one of those solutions into your site's .htaccess
file.
Renewing your certificate
One of the big differences between a normal Certificate Authority and Let's Encrypt is the renewal dates. As Let's Encrypt is an automated approach to SSL Certificates, they can only be issued for 90 days. This means that just before 90 days you need to make sure you renew your certificate. In addition, there are times where Let's Encrypt may need to revoke current certificates for security reasons, so its recommended to setup a cron job on your server to check for a renewal every day.
Luckily, Certbot makes renewals easy with the renew
command. When running said command Certbot will check whether or not any Certificates on your server are up for renewal and if so they will be renewed.
$ letsencrypt renew
NOTE: Again, please remember the exact naming of these commands will depend on your server's setup.
Testing renewals
You can also test that the renewal command is working correctly by creating a test run using the --dry-run --agree-tos
flags.
$ letsencrypt renew --dry-run --agree-tos
Assuming this went through successful, you'll end up with something like what I end up with testing this blog's certificate.
sshuser@assortmentserver:~$ letsencrypt renew --dry-run --agree-tos
Requesting root privileges to run certbot...
/home/sshuser/.local/share/letsencrypt/bin/letsencrypt renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.assortment.io.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.assortment.io
tls-sni-01 challenge for assortment.io
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem
** DRY RUN: simulating 'letsencrypt renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.assortment.io/fullchain.pem (success)
** DRY RUN: simulating 'letsencrypt renew' close to cert expiry
** (The test certificates above have not been saved.)
Automating renewals
The Certbot website recommends that you setup a Cron job (or your server's equivalent) that runs the letsencrypt renew
command daily to ensure that your website does not go down.
Note: if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.
To do this using Cron, we'll open up our list of current Cron jobs running on our server.
$ crontab -e
When editing this file in one of your server's text editors, go to the last line and paste in the following:
0 5,22 * * 0,1,2,3,4,5,6 letsencrypt renew >> /var/log/ssl-renewals.log
Saving that file will setup a Cron job to run every day at 5am and 10pm. You can always change this to whatever you'd like by changing the command you added to your list. Personally, I can never remember the Cron syntax so I use an online editor such as www.crontab-generator.org.
Concluding thoughts
I hope this quick tutorial helps you to understand what an SSL certificate is a little more and how you can even set one up for your own site. Here's to many more free SSL certificates in the future!
Until next time ✌