Shortdark Software Development

Converting a Website to HTTPS (Adding SSL Encryption) Tutorial

Development4th Apr 2017.Time to read: 9 mins

ApacheDebianEncryptionLet's EncryptSSL certificateTutorialUbuntuUFW

The internet is gradually becoming more and more encrypted and secure. While this is most important for websites where you might enter sensitive data, like credit card info, it is generally a good thing to have for any website. Browsers now warn surfers if a website is not encrypted. As I write this unsecure, unencrypted websites just have an exclamation mark inside a circle in the location bar, but the trend is towards this warning getting more and more visible on the surfers browser.

As well as having quality content for surfers, you can also try to not turn surfers off your content by having an unencrypted website. Maybe secure websites will rank higher than unsecured ones.

Contents

  • Setting up a SSL Certificate to make a Secure Website

  • Installing Let’s Encrypt

  • Installing Let’s Encrypt SSL Certificates

  • Modify the VirtualHost file to look for SSL Certificates

  • Redirecting to Force HTTPS Encryption

  • Checking the Expiration Date of Let’s Encrypt Certificates

  • Renewing Let’s Encrypt SSL Certificates

  • Alternative Method for Debian 8 (Certbot)

  • Troubleshooting and Checking

  • Further Checks to make your Website Secure (Green Padlock)

  • Adding more Secure websites to the same Webserver

Setting up a SSL Certificate to make a Secure Website

When trying to set up a free SSL certificate from Let's Encrypt the information I found to begin with was quite confusing. Then, once I got my head around what I was doing, the sites I tried to add it to were not able to use Let's Encrypt certificates for different reasons.

Once I finally got a VPS that could handle Let's Encrypt certificates I followed this guide... Install Let’s Encrypt to Create SSL Certificates.

I would say that starting off it is important to pay attention to detail. Make sure everything is updated to begin with, and you have all the server requirements. Also, whereas you may not have specified the IP address in your virtual host config file before, you will need to specify the IP there for this to work.

Luckily, for a Linux administration beginner there are plenty of error logs and hints to find out what if anything has gone wrong. Not all the online guides state all the pitfalls. That's why I am putting this information together in one place on how to make your website secure with SSL encryption...

Installing Let's Encrypt

To begin with, make sure port 443 is open in the firewall (see troubleshooting). In these lines of code make sure to change "example.com" to your website domain.

Start off by getting and installing the Let's Encrypt software, then use it to get the certificates. The order of the two domains in the final command are fairly important because the virtual directory containing the certificates will be named after the first domain, so you might want to use the one without www for simplicity...

sudo apt-get install git
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Installing Let's Encrypt SSL Certificates

Go to the directory you have cloned to when installing Let's Encrypt...

cd /opt/letsencrypt
sudo -H ./letsencrypt-auto certonly --apache -d **example.com** -d **www.example.com**

If there are any errors after the final command, it should tell you what the error is related to, but if it does not or it is unclear there are some ideas in the troubleshooting section.

Check the certificates by typing the following commands, below. The directory should be your domain instead of "example.com", if it does not exist or is misspelt then you'll have to get the certificates again as it will not work. When you get the certificates you should specify both www and non-www. Let's Encrypt does not work for wildcards so every subdomain has to be specified. If it is a subdomain with a different config file then it will need a separate set of certificates...

sudo ls /etc/letsencrypt/live/**example.com**
sudo stat /etc/letsencrypt/live/**example.com**/fullchain.pem

Modify the VirtualHost file to look for SSL Certificates

Then, once you have the certificates. Modify the config file for the website, e.g. "/etc/apache2/sites-available/example.com.conf". You can Keep the same file just change the port from 80 to 443 and the VirtualHost tags should contain the following. The file path to the certificates should be the actual paths to your certificates. And, I believe for this to work you must have the IP address in the VirtualHost tag, a wildcard will not work...

<VirtualHost **123.123.123.123**:**443**>
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/**example.com**/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/**example.com**/privkey.pem
</VirtualHost>

Then, make sure SSL is enabled and restart apache...

a2enmod ssl
service apache2 restart

By this stage when you go to https://www.example.com your website should work! If that's the case you can make sure that everyone gets the secure version of your site, below.

Redirecting to Force HTTPS Encryption

Once the SSL certificates are working properly you'll want to make sure everyone gets the secure version of your website. There are a few different methods to do this but perhaps the simplest for people who are new to Linux is using .htaccess. How to force HTTPS using the .htaccess file...

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ **https://www.example.com/**$1 [R,L]

This will still allow https://example.com/ to work so you may choose to add another line for that.

Or, have two VirtualHost tags for ports 80 and 443 in the "/etc/apache2/sites-available/example.com.conf" file and redirect port 80 as suggested here...

<VirtualHost **123.123.123.123**:**80**>
   ServerName **www.example.com**
   ServerAlias **example.com**
   Redirect permanent / **https://www.example.com/**
</VirtualHost>

Now, you'll all done!

Checking the Expiration Date of Let's Encrypt Certificates

Let's Encrypt certificates last for 90 days, you do not want them to expire unless you want to stop encrypting the website. To check when your current certificates are du to expire type this into the terminal...

openssl x509 -noout -dates -in /etc/letsencrypt/live/**example.com**/cert.pem

Which will give you the date they were created and the date they are valid until...

notBefore=May  7 14:33:00 2017 GMT
notAfter=Aug  5 14:33:00 2017 GMT

From here there is also "ssl-cert-check" for Debian-like versions of Linux. It needs installing first if it is not already installed, so...

apt-get install ssl-cert-check

Then, run it by typing this simple code (needs superuser privileges so use "sudo")...

ssl-cert-check -c /etc/letsencrypt/live/**example.com**/cert.pem

Which gives something like this...

Host  Status  Expires  Days
---------------------------------------------------------------------------
FILE:/etc/letsencrypt/live/example.com/cert.pem  Valid  Aug 5 2017  90

Renewing Let's Encrypt SSL Certificates

To renew the Let's Encrypt certificates, navigate to the Let's Encrypt directory... cd /opt/letsencrypt.

Then, this is one way to renew the certificates...

sudo service apache2 stop
sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d **example.com** -d **www.example.com**
sudo service apache2 restart

The "standalone" flag means that you would have to stop apache because Let's Encrypt needs to be the only application using port 443.

However, by using --apache or --webroot you can do the same thing while apache is running, from here. This may reload or restart apache but apache would not be stopped for nearly as long as it would be if apache was manually stopped and then restarted again at the end...

sudo -H ./letsencrypt-auto certonly --apache --renew-by-default -d **example.com** -d **www.example.com**

To automatically renew the Let's Encrypt certificates one a month, enter this command to make a monthly task in your crontab...

echo '@monthly root /opt/letsencrypt/letsencrypt-auto certonly --quiet --apache --renew-by-default -d example.com -d www.example.com >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab

To automatically renew the Let's Encrypt software, enter this command...

echo '@monthly root cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab

Alternative Method for Debian 8 (Certbot)

Another way is to install the Let's Encrypt certificates is to install Certbot on Debian 8 using Backports... How to Set Up Let’s Encrypt Certificates for Multiple Apache Virtual Hosts on Ubuntu 14.04.

sudo nano /etc/apt/sources.list

Then, enter this line if it is not already there...

deb http://ftp.debian.org/debian jessie-backports main

Save and exit nano, then...

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install python-certbot-apache -t jessie-backports

Troubleshooting and Checking

Check which sockets are open using ss (socket statistics)...

ss -tlnp

More information on ss here.

Check apache version and check which modules are installed

apache2 -v
apache2ctl -M

or

dpkg-query -l

For your second secure website on the same webserver you will have already enabled the SSL module and port 443 will already be serving your first website to the world. When you try to install the certificate for the second website there may be problems if you are using the --standalone flag, because Let's Encrypt wants to use the same port as is already serving the website. To continue using --standalone you can stop Apache for a few seconds while you install the certificates.

service apache2 stop

Then, once the Let's Encrypt certificates are done, you can restart Apache again...

service apache2 restart

To avoid having to stop and start apache like this on a production website you can use the --apache flag instead.

If you are using UFW as a firewall, the following command will show you whether socket 443 is allowed...

sudo ufw status

Also, Apache problems when trying to set up SSL (Debian).

Further Checks to make your Website Secure (Green Padlock)

If your website is working with HTTPS in the location bar ("https://www.example.com/") but you do not have a green "SECURE" you have an "i" with a circle around it, check to see what it says by clicking on it. If it says you are not fully secure it probably means that the files and/or images you are linking to are not using the SSL encrytion. To fix this simply either fix your absolute image/file locations by changing them from HTTP to HTTPS, or just use relative linking.

Another thing that may cause errors is your .htaccess file, if you have one. Make sure that the error documents are all updated from http:// to https:// for the site in qustion.

Adding more Secure websites to the same Webserver

When "Let's Encrypt" is already installed you do not have to re-install it, you can simply create the new certificates for the next website you want to make secure. When you are trying to create the certificates there may be an error saying that port 443 is already in use. In this case, you may have to stop apache briefly while you make the certificates, then restart apache as soon as they're made.


Previous: Setting up a Linux Webserver with SSH in 20 Steps (Debian 8)Next: Installing Laravel on Debian 8 with PHP 7.0