How-To: Get An SSL Certificate On An Apache Web Server Using Certbot

Website using HTTP
Website using HTTPS with a signed certificate

I spent 6 hours the other night trying to figure out why my web server was refusing connections. Turns out web browsers really hate HTTP traffic now. This is a guide on how to prevent you from having to go through the same scenario I did.


If you’re creating and hosting your own website with a service like Linode, chances are you’ll start off without an SSL certificate. This means you’ll be using regular HTTP to serve web pages over port 80. HTTP is an insecure protocol that transfers unencrypted data. If your website handles any kind of user data like passwords or payment information, that’s a big no-no. Another big problem with HTTP is that there’s no authentication: your website has no way to prove to visitors that it’s who it claims to be, so they can’t tell when an attack like domain spoofing or DNS hijacking has sent them somewhere else. Google has also started to prioritize websites using HTTPS over those using HTTP in its search results. Needless to say, you definitely want to be using HTTPS if you’re at all serious about your website.

Let’s Encrypt is a free, open-source Certificate Authority (CA) that you can use to obtain a certificate and enable HTTPS for your website. Certbot is the free, open-source tool made by the Electronic Frontier Foundation (EFF) we’ll be using to automate the process. It’s fairly straightforward, but hopefully this guide makes it a little easier.


Let’s get started!

Requirements for following along:

  • Ubuntu 20.04 LTS
  • root access either locally or through SSH
  • Apache HTTP server 2.4 or later
  • An HTTP website that’s already publicly accessible (via IP address or domain name)
  • A .conf file for your site in /etc/apache2/sites-available that specifies a ServerName

1. Log in to your server.

Make sure you log in as a user with sudo privileges!

2. Remove all pre-installed or existing Certbot packages to prevent the wrong package from being used accidentally.

sudo apt remove certbot

3. Install Certbot

sudo apt install certbot python3-certbot-apache

4. Run Certbot

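Be sure to use the --apache flag, which tells Certbot to use its Apache plugin to obtain the certificate and install it in your Apache configuration.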

sudo certbot --apache

Certbot will prompt you for an email address for renewal and security notices. Be sure to provide a reachable address that you check often.

Accept the terms of service, then answer yes or no to whether you would like to receive emails from the EFF about its efforts in supporting a free and secure Internet.

You will then be prompted to select which sites you would like to activate HTTPS for. This is why it’s important to have a .conf file in /etc/apache2/sites-available for your site. Certbot reads these files and uses them to issue SSL certificates. Enter a number to select a site, or simply press Enter to select all sites shown.

5. Wait!

This is where the magic happens. Certbot automatically verifies that you own the domain name you’re requesting a certificate for, then issues the certificate!

6. Redirect HTTP traffic to HTTPS

Choose option 2 to redirect all traffic from HTTP to HTTPS (from port 80 to port 443). Certbot will change your existing .conf files to redirect traffic. No extra work necessary. Easy peasy.

This is where I was having problems. Previously, I was using Cloudflare’s name servers for DNS, and Cloudflare will automatically encrypt traffic. I had never obtained an SSL certificate on my own and was using the one Cloudflare issued automatically. Once I changed my name servers to Linode’s, my traffic was no longer being served over HTTPS and my site threw a fit.

7. You’re done!

That’s it! Take note of where Certbot saved your keys and certificates in case you need them later. Another important thing to note is the expiration date of your certificate. Apple is now rejecting certificates that have a maximum expiration date greater than one year from their issuance. However, this shouldn’t be a problem when using Certbot. Certbot gives you a certificate that’s valid for 3 months by default (if you know of a way to change this, let me know). Also, I’m fairly certain Certbot will automatically renew certificates on its own, but I’ll make another guide at a later time on how to do this on your own using a cron job.
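Added example, not part of the original post: a check you can run before and after Certbot on the .conf files mentioned in the requirements and in steps 4 and 6. For each VirtualHost block it reports whether a ServerName is set and, once Certbot has run, whether port 80 redirects to HTTPS and port 443 has a certificate configured. The function name audit_vhosts and the status labels are made up for this example, and the redirect check is a simple text match for a Redirect or RewriteRule that points at https://.

```bash
#!/bin/sh
# Added example (not from the original post).
# Usage: sh audit_vhosts.sh /etc/apache2/sites-available
# Output columns: file  port  servername  status

audit_vhosts() {
    dir="${1:-/etc/apache2/sites-available}"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        awk -v file="${conf##*/}" '
            # Normalise every line: strip indentation, lower-case a copy for matching.
            { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
            low ~ /^#/ { next }                          # skip comments
            low ~ /^<virtualhost[ \t]/ {                 # block opens: reset state
                invh = 1; name = ""; cert = 0; redir = 0; port = "other"
                if (low ~ /:443[ \t>]/) port = "443"
                else if (low ~ /:80[ \t>]/) port = "80"
                next
            }
            !invh { next }                               # ignore lines outside a vhost
            low ~ /^servername[ \t]/         { name = $2 }
            low ~ /^sslcertificatefile[ \t]/ { cert = 1 }
            low ~ /^(redirect|rewriterule)[ \t]/ && index(low, "https://") { redir = 1 }
            low ~ /^<\/virtualhost>/ {                   # block closes: classify it
                if (name == "")         status = "NO_SERVERNAME"
                else if (port == "443") status = (cert  ? "HTTPS_CERT"     : "HTTPS_NO_CERT")
                else                    status = (redir ? "HTTP_REDIRECTS" : "HTTP_PLAIN")
                print file, port, (name == "" ? "-" : name), status
                invh = 0
            }
        ' "$conf"
    done
}

# Only audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_vhosts "$@"
fi
```

Before step 4, every site you want a certificate for should show HTTP_PLAIN rather than NO_SERVERNAME; after step 6 you should see HTTP_REDIRECTS for port 80 and HTTPS_CERT for port 443.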


Hope this helped! I’ll continue to do write-ups on projects I’m working on.
