Secure your Website with Let’s Encrypt free SSL
One of the most common questions about SSL is:
Why should I use SSL/TLS?
Think about it like this: what happens if you send a letter through the traditional post without sealing the envelope? Some gentlemen will just ignore it, some curious person may take a peek inside. But what if that person is malicious and misuses the information in the letter? Then you are in trouble, that is the short answer. To avoid that, you seal your letter with glue. SSL/TLS is like that, except that instead of glue it uses strong encryption. TLS keeps the data confidential and unmodified on its way to the destination server, and the server's certificate lets the browser check that it is really talking to your server and not to someone sitting in the middle. Without it, anyone on the network path (a public Wi-Fi operator, a compromised router, an ISP) can read or alter your data, including credit card and banking information.
Google prefers Secured websites
Another reason to consider: Google search treats HTTPS as a ranking signal, so a secured website gets a small boost over a non-secured one.
Browsers are also moving to label plain-HTTP pages as "Not secure" (Chrome does this for every HTTP page from version 68), so why wait? Secured websites are not the future but the present. SSL was the original protocol used to encrypt this traffic, but today TLS has taken its place: TLS is the more robust successor, and the old SSL versions are no longer considered safe. Getting a free certificate is now very attainable with Let's Encrypt.
Let's Encrypt is a free, automated, and open certificate authority (CA) run for the public's benefit by the Internet Security Research Group (ISRG). Its goal is to give people the free certificates they need to enable HTTPS (SSL/TLS) on their websites. So I decided to give Let's Encrypt, a free SSL/TLS service, a try.
What is SSL?
SSL (Secure Sockets Layer) is the security protocol for establishing an encrypted link between a web server and a browser. This link ensures that the data passed between them stays private (encrypted) and intact (any tampering is detected), and the server's certificate lets the browser verify that it is talking to the genuine server rather than an impostor. To create such a connection the web server needs a certificate issued by a certificate authority that browsers trust.
What is TLS?
TLS (Transport Layer Security) is the updated, more secure successor of SSL; think of it as a juiced-up version of SSL. The SSL protocol versions themselves have been deprecated by the Internet Engineering Task Force (IETF), SSL 2.0 in RFC 6176 and SSL 3.0 in RFC 7568, so what is still sold as an "SSL certificate" is in practice used for TLS connections.
Paid SSL vs Free SSL
A free certificate provides the same level of encryption as a paid one: the cipher strength is decided by the server's and browser's TLS configuration, not by the price of the certificate. Paid certificates do come with a dedicated support system, a warranty, longer validity and, optionally, organization or extended validation. Free certificates such as Let's Encrypt's only offer domain validation (proof that you control the domain name), which is enough for most websites.
Before you try to install Let’s Encrypt make sure you have the following prerequisites.
- A Bitnami application deployed on Google Cloud Platform or AWS, reachable at a public IP address.
- Admin-level (sudo) access to your server.
- You own a domain name.
- Configured the domain name’s DNS record to point to the public IP address of your Bitnami application instance.
My setup for this post:
Web host: Bitnami on Google Cloud Platform
OS: Debian Linux
Web server: Apache
Other: WordPress, MySQL
So now you have a grasp of what you need and what you need to know; let's move on to the first step.
Step 1: Install The Lego Client
The Lego client simplifies Let's Encrypt certificate generation. To install it, follow these steps:
- Log in to the server console over SSH.
- Once the shell window opens, download the latest Linux x86-64 release. The project has since moved from xenolf/lego to go-acme/lego on GitHub, so use the new path (and curl's -L so it follows the redirect if you still have the old URL in your notes):
cd /tmp
curl -fsSL https://api.github.com/repos/go-acme/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
Note the downloaded file name, then extract the archive with tar:
tar xf lego_v1.0.1_linux_amd64.tar.gz
Do not blindly copy and paste: the version in the file name changes with every release, so check the actual name on your console with ls first.
The archive contains three files; lego is the executable we need. Move it into a directory on your PATH, again making sure you are copying the correct file:
sudo mv lego /usr/local/bin/lego
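Step 1 fetches a binary from the internet and drops it straight into /usr/local/bin, where it will later run as root from the renewal cron job, so a tampered download would hand an attacker the server. The lego releases publish a checksums file next to the tarball, which lets you verify the download before installing it. The script below is an added example, not code from the original post or from the lego project; it assumes the checksums asset is named lego_<version>_checksums.txt in the usual goreleaser layout (SHA-256, two spaces, file name), which is what current releases ship, and that curl, wget, sha256sum and tar are installed.

```shell
#!/bin/bash
# Added example (not from the original post or the lego project):
# download the latest lego release together with its checksums file and
# verify the tarball's SHA-256 before installing the binary.
set -eu

# verify_release_checksum TARBALL CHECKSUMS_FILE
# Looks up the entry for TARBALL's file name in CHECKSUMS_FILE (format:
# "<sha256>  <name>") and compares it with the tarball's actual digest.
# Returns 0 on match, 1 on mismatch or when no entry exists.
verify_release_checksum() {
  local tarball="$1" checksums="$2" name expected actual
  name=$(basename "$tarball")
  expected=$(awk -v f="$name" '$2 == f {print $1}' "$checksums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $checksums" >&2
    return 1
  fi
  actual=$(sha256sum "$tarball" | awk '{print $1}')
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# install_lego: the whole of Step 1 with verification added. Fetches the
# linux_amd64 tarball and the checksums asset from the latest release,
# refuses to install unless the digest matches, then copies the binary.
install_lego() {
  local api="https://api.github.com/repos/go-acme/lego/releases/latest"
  local tmp tarball checksums
  tmp=$(mktemp -d)
  cd "$tmp"
  curl -fsSL "$api" | grep browser_download_url \
    | grep -E 'linux_amd64|checksums' | cut -d '"' -f 4 | wget -q -i -
  tarball=$(ls lego_*_linux_amd64.tar.gz)
  checksums=$(ls lego_*_checksums.txt)   # assumed asset name, see lead-in
  verify_release_checksum "$tarball" "$checksums"
  tar xf "$tarball"
  # install(1) sets mode and owner in one step instead of a bare mv
  sudo install -m 0755 lego /usr/local/bin/lego
  lego --version
}
```

Run `install_lego` on the server instead of the three separate commands above. The checksums file comes from the same GitHub release as the tarball, so this protects against a corrupted or swapped download, not against a compromised release; for that you would additionally verify the release signature if the project provides one.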
Step 2: Generate A Let’s Encrypt Certificate For Your Domain
The next step is to generate a Let’s Encrypt certificate for your domain.
- Turn off all Bitnami services:
sudo /opt/bitnami/ctlscript.sh stop
[Caution: this stops the web server, so your website is down until you start the services again in Step 3. It is necessary because lego answers the Let's Encrypt HTTP-01 challenge on port 80 itself, and Apache is holding that port.]
Request a new certificate for your domain as below. Replace the DOMAIN placeholder with your real domain name and the EMAIL-ADDRESS placeholder with your email address (Let's Encrypt uses it for expiry warnings):
sudo lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" run
For example:
sudo lego --email="email@example.com" --domains="timeofai.com" --path="/etc/lego" run
Agree to the terms of service, and voilà: your certificate is generated in /etc/lego/certificates. The set includes the server certificate DOMAIN.crt (with the intermediate issuer certificate appended, so the web server sends the full chain) and the private key DOMAIN.key; in this case timeofai.com.crt and timeofai.com.key. Let's Encrypt rate-limits issuance per domain, so if you are still experimenting, point lego at the Let's Encrypt staging environment (its --server option) until the procedure works; staging certificates are not trusted by browsers, but the flow is identical.
The output includes the expiry date of the certificate. Note this date carefully: you need to renew before it for the certificate to remain valid.
Step 3: Configure The Web Server To Use The Let’s Encrypt Certificate
Well, you generated the certificates; now you have to tell the web server where they are. Here is how.
- Link the new certificate and key into the locations your web server reads, depending on which web server you are using. The stack's default self-signed server.crt and server.key are moved aside rather than deleted so you can roll back.
[Note: replace DOMAIN with your domain name, e.g. timeofai.com.key and timeofai.com.crt]
For Apache Server:
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
sudo ln -s /etc/lego/certificates/DOMAIN.key /opt/bitnami/apache2/conf/server.key
sudo ln -s /etc/lego/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/server.crt
Again, make sure you replaced DOMAIN with your domain name.
Update the file permissions. List the certificate directory first to confirm the file names; chown and chmod follow the symlinks, so they also lock down the real key file in /etc/lego/certificates so that only root can read it, which is what you want for a private key:
sudo ls /etc/lego/certificates
sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*
For Nginx Server:
sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old
sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old
sudo mv /opt/bitnami/nginx/conf/server.csr /opt/bitnami/nginx/conf/server.csr.old
sudo ln -s /etc/lego/certificates/DOMAIN.key /opt/bitnami/nginx/conf/server.key
sudo ln -s /etc/lego/certificates/DOMAIN.crt /opt/bitnami/nginx/conf/server.crt
sudo chown root:root /opt/bitnami/nginx/conf/server*
sudo chmod 600 /opt/bitnami/nginx/conf/server*
You have done it: the certificate is wired into your web server. One more thing, you have to start all your services again with
sudo /opt/bitnami/ctlscript.sh start
This brings your web server back up.
Now visit your website with the https:// prefix and click the lock symbol in the address bar.
Click the certificate link to see the certificate information: the issuer should be Let's Encrypt and the validity dates should match what lego printed. There you have it, you secured your website with an SSL/TLS certificate. But remember that it is a short-lived certificate, so you have to renew it every 90 days.
Let's Encrypt certificates are only valid for 90 days. To renew the certificate before it expires, run the following commands from the server console as the bitnami user, again replacing the DOMAIN placeholder with your actual domain name and the EMAIL-ADDRESS placeholder with your email address:
sudo /opt/bitnami/ctlscript.sh stop
sudo lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" renew
sudo /opt/bitnami/ctlscript.sh start
You can also automate this: write a script and schedule a cron job to run it periodically.
To do this, create a script at /etc/lego/renew-certificate.sh:
sudo vim /etc/lego/renew-certificate.sh
with the following contents. It runs from root's crontab, so it needs no sudo, and only Apache is stopped, because lego only needs port 80 for the challenge:
#!/bin/bash
/opt/bitnami/ctlscript.sh stop apache
/usr/local/bin/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" renew
/opt/bitnami/ctlscript.sh start apache
As always, replace the DOMAIN placeholder with your actual domain name and the EMAIL-ADDRESS placeholder with your email address.
- Make the script executable:
sudo chmod +x /etc/lego/renew-certificate.sh
- Open root's crontab editor:
sudo crontab -e
- Add the following line to the crontab and save it. lego's renew command only re-issues when the certificate has 30 days or less left, so a weekly run is safe: a monthly run can skip a certificate that still has 31 days left and find it at the edge of expiry a month later. Keep the output in a log file rather than sending errors to /dev/null, otherwise you will only learn that renewal has been failing when the site breaks:
0 0 * * 0 /etc/lego/renew-certificate.sh >> /var/log/lego-renew.log 2>&1
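The cron script above has two weaknesses worth fixing in production: it stops Apache on every run even when lego has nothing to renew, and if lego fails half-way Apache is still restarted but the failure goes unnoticed. The variant below is an added example, not the original post's script or anything from the lego project. It reads the certificate's notAfter date with openssl, only touches the web server when renewal is actually due, restarts Apache through an EXIT trap so it comes back on every exit path, and logs every run. The log path, the argument handling and the helper names are assumptions for this example; lego's `renew --days` option is real and defaults to 30.

```shell
#!/bin/bash
# Added example (not the original post's script): renew only when the
# certificate is close to expiry, so Apache is not stopped on every cron
# run; bring Apache back even if lego fails; log instead of discarding
# errors. Usage: renew-certificate.sh DOMAIN EMAIL-ADDRESS
# Paths and the log file location are assumptions for this example.
set -eu

LEGO_PATH="/etc/lego"
LOG="/var/log/lego-renew.log"
RENEW_WITHIN_DAYS=30   # matches lego's own default for `renew --days`

# days_remaining NOTAFTER [NOW_EPOCH]
# NOTAFTER is the value printed by `openssl x509 -enddate`, e.g.
# "Sep 18 12:00:00 2018 GMT" (GNU date parses this form). Prints the
# whole days until that instant, negative if it has already passed.
days_remaining() {
  local not_after="$1" now="${2:-$(date -u +%s)}" end
  end=$(date -u -d "$not_after" +%s)
  echo $(( (end - now) / 86400 ))
}

# cert_days_remaining CERTFILE: same, read from a PEM certificate.
cert_days_remaining() {
  local not_after
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  days_remaining "$not_after"
}

# renew_if_due DOMAIN EMAIL
renew_if_due() {
  local domain="$1" email="$2" cert left
  cert="$LEGO_PATH/certificates/$domain.crt"
  left=$(cert_days_remaining "$cert")
  echo "$(date -u +%FT%TZ) $domain: $left days left" >> "$LOG"
  if [ "$left" -gt "$RENEW_WITHIN_DAYS" ]; then
    return 0   # still fresh: leave the web server running
  fi
  # lego needs port 80 for the HTTP-01 challenge, so Apache has to stop;
  # the trap guarantees it is started again whether or not lego succeeds.
  trap '/opt/bitnami/ctlscript.sh start apache >> "$LOG" 2>&1' EXIT
  /opt/bitnami/ctlscript.sh stop apache >> "$LOG" 2>&1
  /usr/local/bin/lego --email="$email" --domains="$domain" \
    --path="$LEGO_PATH" renew --days "$RENEW_WITHIN_DAYS" >> "$LOG" 2>&1
  echo "$(date -u +%FT%TZ) $domain: renewed" >> "$LOG"
}

# Run only when invoked with arguments, e.g. from root's crontab:
#   0 0 * * * /etc/lego/renew-certificate.sh DOMAIN EMAIL-ADDRESS
if [ "$#" -ge 2 ]; then
  renew_if_due "$1" "$2"
fi
```

Because the script itself decides whether anything needs doing, it can safely run daily, which is what Let's Encrypt recommends; the web server is only interrupted in the one run per quarter that actually renews. Check the log occasionally, or feed it to whatever monitoring you already have, since the cron job now fails loudly instead of silently.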
OK, let's breathe a little: you have done the bulk of the work in configuring SSL for your website. There is still some WordPress housekeeping left:
- Add https:// to the WordPress backend
- Update the site address in the Dashboard
- Change the content links
- Configure 301 redirects in .htaccess
Read all about that in the follow-up post.
See you soon
Disclaimer: All trademarked names belong to their respective corporations/owners. The author is not responsible for any damage that may occur while trying out the content.
Originally published at timeofai.com on June 20, 2018.