ScanSkill

Free SSL On Ubuntu Server Using Certbot (With Custom Domain)


Let’s Encrypt’s Certbot is a tool to secure the entire internet. If you have gone through the trouble of setting up a secure website, you know what a hassle getting and maintaining a certificate is. Certbot and Let’s Encrypt can automate away the pain and let you turn on and manage HTTPS with simple setup commands. It’s totally free to use.

You are not required to use Let’s Encrypt to obtain an SSL certificate; you have the flexibility to use any Certificate Authority you choose.

This tutorial will help you install a free SSL certificate on an Ubuntu 20.04 Linux system.

Prerequisites:

  • A running Ubuntu 20.04 system with a non-root, sudo-enabled user.
  • A fully registered domain name pointed to the Ubuntu 20.04 server.
  • A web server, Nginx or Apache, running on the server. (We will use Nginx for this tutorial.)
  • Ports 80 (HTTP) or 443 (HTTPS) must be open on your server.

Note: The installation method is the same for Apache; only the plugin used is different.

Free SSL on Ubuntu Server Using Certbot:

1. Installing Certbot

A Snap package is the easiest way to install Certbot on an Ubuntu system. Snap packages work on nearly all Linux flavors, but they require that you have installed snapd first in order to manage them. This tutorial installs Certbot with apt instead. Certbot is a third-party tool that makes it easier to install Let’s Encrypt certificates. First, SSH to the server, then update the package lists and upgrade the installed packages:

sudo apt update && sudo apt upgrade -y

After the system has been successfully updated and upgraded, install the packages required to run Certbot with Let’s Encrypt on Nginx.

sudo apt install certbot python3-certbot-nginx

Once done, confirm the Nginx virtual host configuration. Certbot checks the Nginx configuration to find the virtual host for your domain when it generates the SSL certificate with Let’s Encrypt, so a correct virtual host is what makes the installation succeed.

2. Nginx Virtualhost configuration

To create a Certbot SSL certificate, make sure the domain or subdomain is set in the Nginx virtual host.

Open the file /etc/nginx/sites-available/your.domain.conf and set server_name to your domain:

sudo vim /etc/nginx/sites-available/your.domain.conf

...
...
server {
         listen 80 default_server;
         root /var/www/html;
         
         index index.html index.htm index.nginx-debian.html;
         # Must match the domain passed to certbot with -d
         server_name your.domain.com;
         return 404;
...
...

Make sure server_name matches the domain that Let’s Encrypt is going to register, then test the Nginx service.

Nginx testing:

After the configuration has been saved, use the following command to check the configuration syntax:

sudo nginx -t

If the configuration is correct, the output will be:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart the Nginx service:

sudo systemctl restart nginx
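
The server_name check described above can be scripted before Certbot is run. This is an added example, not part of the original tutorial: the vhost_covers function and the sample configuration are constructed for illustration, and it goes slightly beyond the text by also handling nginx's `*.` and leading-dot wildcard names.

```shell
#!/bin/sh
# Added example: does an nginx config file declare a server_name covering DOMAIN?
# usage: vhost_covers CONFIG_FILE DOMAIN   (exit 0 = covered, 1 = not covered)
vhost_covers() {
    # Drop comments, join lines, then split into one directive per line at ";"
    # so a server_name list that spans several lines is read as one unit.
    sed 's/#.*//' "$1" | tr '\n' ' ' | tr ';' '\n' |
    awk -v want="$2" '
        function ends_with(s, t) {
            return length(s) > length(t) && substr(s, length(s) - length(t) + 1) == t
        }
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "server_name") continue
                for (j = i + 1; j <= NF; j++) {
                    n = $j
                    if (n == want) found = 1                       # exact name
                    else if (substr(n, 1, 2) == "*." && ends_with(want, substr(n, 2)))
                        found = 1                                  # *.example.com: subdomains only
                    else if (substr(n, 1, 1) == "." && (want == substr(n, 2) || ends_with(want, n)))
                        found = 1                                  # .example.com: apex and subdomains
                }
            }
        }
        END { exit !found }'
}

# Constructed sample virtual host (not a real site).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
server {
    listen 80 default_server;
    root /var/www/html;
    # server_name old.domain.com;
    server_name your.domain.com
                www.your.domain.com;
}
EOF

for d in your.domain.com www.your.domain.com old.domain.com; do
    if vhost_covers "$sample" "$d"; then echo "$d: covered"; else echo "$d: NOT covered"; fi
done
```

On a server, point it at the real file, for example `vhost_covers /etc/nginx/sites-available/your.domain.conf your.domain.com`.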

3. Allow HTTPS

You have to open ports 80 and 443, namely HTTP and HTTPS, so that web traffic can pass through the firewall to and from the server.

Check the firewall status:

sudo ufw status

If your firewall is inactive, you can skip to the next step. However, turning the firewall on is recommended, since it protects the server from external attacks.

Now allow ports 80 and 443, i.e. HTTP and HTTPS, and allow SSH as well so that enabling the firewall does not lock you out of the server:

sudo ufw allow http
sudo ufw allow https
sudo ufw allow ssh

Then enable the firewall (UFW):

sudo ufw enable

Check the status:

sudo ufw status

The output will be:

Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
244                        ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
244 (v6)

Finally, you can run Certbot and generate certificates.

4. Generate SSL

Since we’re using the Nginx plugin, we can create a certificate for the DNS name your.domain.com with:

sudo certbot --nginx -d your.domain.com

This creates a certificate for the domain we are requesting. Answer the questions Certbot asks (email, agreement to the terms, etc.). After that, the Let’s Encrypt SSL certificate is generated and Certbot updates the configuration for your domain in the /etc/nginx/sites-available/ directory.

Output

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

The certificate is only valid for 90 days, so it must be renewed before it expires. The good thing is that the Certbot package installed above already provides automatic renewal: a cron job (in /etc/cron.d/) and a systemd timer. Check the timer:

sudo systemctl status certbot.timer

The output will be:

[Screenshot: Free SSL on Ubuntu Server using Certbot with a custom domain]

The timer runs twice a day and renews any certificate that is within 30 days of its expiration date.

Test the update and ensure the renewal process works:

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/your.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for your.domain.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/your.domain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


If the automatic renewal fails, Certbot sends an error message to the email that was registered at the time of generating the certificate.
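
Watching the certificate's expiry date is a direct way to notice renewals that have stopped working. The script below is an added example, not part of the original tutorial: it classifies the notAfter line printed by `openssl x509 -enddate -noout` against the 30-day renewal window described above. The function names and the 25-day alert threshold are assumptions, and it relies on GNU date.

```shell
#!/bin/sh
# Added example: classify a certificate by the time left before its notAfter date.
RENEW_WINDOW_DAYS=30   # from the article: renewal starts 30 days before expiry
ALERT_DAYS=25          # assumption of this example: below this, renewal is stalled

# secs_left "notAfter=Jun  1 12:00:00 2025 GMT" [now_epoch]
# Accepts the line printed by `openssl x509 -enddate -noout`. Needs GNU date.
secs_left() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( end - now ))
}

# days_left NOTAFTER [now_epoch] -> whole days remaining (truncated)
days_left() {
    s=$(secs_left "$@") || return 2
    echo $(( s / 86400 ))
}

# cert_state NOTAFTER [now_epoch] -> ok | in-window | stalled | expired
cert_state() {
    s=$(secs_left "$@") || return 2
    d=$(( s / 86400 ))
    if   [ "$s" -le 0 ];                    then echo expired
    elif [ "$d" -ge "$RENEW_WINDOW_DAYS" ]; then echo ok
    elif [ "$d" -ge "$ALERT_DAYS" ];        then echo in-window
    else                                         echo stalled
    fi
}

# On a server, check the live certificate if it is readable (path from the article).
cert=/etc/letsencrypt/live/your.domain.com/fullchain.pem
if [ -r "$cert" ] && command -v openssl >/dev/null 2>&1; then
    not_after=$(openssl x509 -enddate -noout -in "$cert")
    echo "$cert: $(cert_state "$not_after"), $(days_left "$not_after") days left"
fi

# Constructed sample: a certificate expiring 1 June 2025, checked on 20 May 2025.
sample="notAfter=Jun  1 12:00:00 2025 GMT"
echo "sample: $(cert_state "$sample" "$(date -u -d '2025-05-20 12:00:00 UTC' +%s)")"
```

Run it with sudo so the files under /etc/letsencrypt/live/ are readable; a state of stalled or expired means the timer is not renewing the certificate.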

The certificate and private key for your custom domain are stored in /etc/letsencrypt/live/your.domain.com/fullchain.pem and /etc/letsencrypt/live/your.domain.com/privkey.pem. These files can also be referenced manually as the certificate files for other services on the same domain.

That’s it. You have successfully configured free SSL on an Ubuntu server using Certbot and a custom domain.

Thank you!
