Enabling Encryption (SSL) on Apache and Nginx


Encrypting the connections to your website will help you keep your customers’ data safe and secure. Without encryption, a malicious actor could sniff your users’ connections and intercept the packets in transit.

The Secure Sockets Layer (SSL) prevents data from being intercepted in transit between the client and the server. Here are some of the most common reasons why a server should always deliver content over secured pages:

– Protect user identities and passwords

– Protect credit card transactions and other sensitive information during online purchases

– Allow users to safely view personal and business financial information

– Prevent a connection from being sniffed by a “Man in the Middle”

Getting Started with Encrypted Connections to Your Website

In order to encrypt the connection between a client and the server, you will need to have a valid security certificate installed on your server.

In this article we will show you how to set up a TLS/SSL certificate from “Let’s Encrypt” on an Ubuntu 16.04 server running Apache and Nginx as a web server. In addition, we will also cover how to automate the certificate renewal process using a CRON job.

In order to install the Let’s Encrypt client, we will need to download and install git. You can do this using the following command:

> sudo apt-get install git

We can now download the Let’s Encrypt client from its official repository. We will place the files in a specific directory to facilitate the update process when a new release is available.

Since “Let’s Encrypt” client is still in beta, it’s important to keep the client updated to correct bugs and obtain new functionality.

We will clone the Let’s Encrypt repository under /opt using the following command:

> sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

The commands to update the repository are the following:

> cd /opt/letsencrypt

> sudo git pull

We recommend that you execute these commands often in order to keep the client always up to date.

Now that the Let’s Encrypt client is installed, the next step is to generate the SSL certificate. The steps differ depending on your web server: we cover Apache first; if you need instructions for Nginx, scroll down to the Nginx section.

APACHE

Access the letsencrypt directory with the following command:

> cd /opt/letsencrypt

Assuming we are installing the certificate for the domain example.com, to execute the interactive installation and obtain a certificate run the letsencrypt-auto command:

> sudo ./letsencrypt-auto --apache -d example.com

If you want to install a single certificate that is valid for multiple domains or sub domains, you can pass them as additional parameters to the command. The first domain name is the base domain, so we recommend that you pass the bare top-level domain name as first in the list, followed by any additional sub domains or aliases:

> sudo ./letsencrypt-auto --apache -d example.com -d www.example.com

After the dependencies are installed, you will be asked for:

– An email address for lost key recovery and notices

– To Agree with the Terms of Service

– To choose between enabling both HTTP and HTTPS access or forcing all requests to redirect to HTTPS

We do recommend that you enforce HTTPS, unless you have a specific need for unencrypted HTTP traffic. Once the installation is finished, you will find the generated certificate files in the following directory:

> /etc/letsencrypt/live

You can verify the status of your SSL certificate with the following link replacing example.com with your base domain:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

You are now able to access your website using the https:// prefix, but there is one more step before finishing your installation. Since Let’s Encrypt certificates are valid for 90 days, it is recommended to renew them every 60 days to allow a margin of error. We can do this using the renew command:

> sudo ./letsencrypt-auto renew

Since we only just installed the certificate, the command will only check the expiration date and print a message informing you that the certificate is not due for renewal yet.
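To run the same installation without the interactive prompts (for example from a provisioning script), the following shell script builds the command line for you. It is an added example and not part of the original article. It assumes the client lives in /opt/letsencrypt as above and that your client version supports the flags --non-interactive, --agree-tos, --email and --redirect (the names certbot documents; check ./letsencrypt-auto --help all before relying on them). It also applies the base-domain-first rule from the multi-domain section and rejects names the HTTP challenge cannot validate, such as wildcards or a bare label without a dot.

```shell
#!/bin/sh
# Added example, not code from the original post: build the letsencrypt-auto
# command for one or more domains non-interactively, putting the bare base
# domain first and rejecting names the HTTP challenge cannot validate.
#
# Assumptions: letsencrypt-auto lives in /opt/letsencrypt as in the article,
# and the flags --non-interactive, --agree-tos, --email and --redirect exist
# in your client version (they are certbot's documented names; confirm with
# ./letsencrypt-auto --help all).

LE_BIN="${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}"

# valid_hostname NAME: 0 when NAME is a plausible public hostname (dot-separated
# labels of letters, digits and hyphens, no label starting or ending with a
# hyphen, an alphabetic top-level label), 1 otherwise. Wildcards and bare
# labels such as "localhost" fail on purpose.
valid_hostname() {
    printf '%s' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# order_domains D1 D2 ...: print the domains one per line, the base domain
# (fewest labels) first, duplicates dropped, original order otherwise kept.
order_domains() {
    base=""; base_labels=1000
    for d in "$@"; do
        n=$(printf '%s' "$d" | awk -F. '{ print NF }')
        if [ "$n" -lt "$base_labels" ]; then
            base="$d"; base_labels="$n"
        fi
    done
    seen=" $base "
    printf '%s\n' "$base"
    for d in "$@"; do
        case "$seen" in *" $d "*) continue ;; esac
        printf '%s\n' "$d"
        seen="$seen$d "
    done
    return 0
}

# build_cert_cmd EMAIL D1 [D2 ...]: print the complete command line for the
# Apache plugin, or print nothing and return 1 if any domain is invalid.
build_cert_cmd() {
    email="$1"; shift
    [ $# -ge 1 ] || { echo "build_cert_cmd: at least one domain required" >&2; return 1; }
    for d in "$@"; do
        valid_hostname "$d" || { echo "build_cert_cmd: invalid domain '$d'" >&2; return 1; }
    done
    args=""
    for d in $(order_domains "$@"); do
        args="$args -d $d"
    done
    printf 'sudo %s --apache --non-interactive --agree-tos --email %s --redirect%s\n' \
        "$LE_BIN" "$email" "$args"
    return 0
}

# Usage: sh build-cert-cmd.sh admin@example.com www.example.com example.com
# The command is printed, not executed, so the domain list can be reviewed.
if [ $# -ge 2 ]; then
    build_cert_cmd "$@"
fi
```

The script only prints the command so that you can review the domain list before running it; --redirect answers the HTTP-to-HTTPS question the same way we recommend above, and --email and --agree-tos cover the two remaining prompts.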

NGINX

Unlike with Apache, on Nginx we will need to configure the web server manually to use the certificate once it has been generated. We will use the Webroot plugin to request an SSL certificate with the following commands:

> cd /opt/letsencrypt

> sudo ./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com

Make sure that you replace “/var/www/html” and “example.com” with the appropriate webroot path and domain name(s).

Once you execute the second command, the dependencies will be installed and you will be asked for:

– An email address for lost key recovery and notices

– To Agree with the Terms of Service

Once the installation is finished, you will find the generated certificate files in the following directory:

> /etc/letsencrypt/live

Let’s now create a new Nginx configuration snippet in the /etc/nginx/snippets directory. Execute the following command (replace vim with your favorite editor):

> sudo vim /etc/nginx/snippets/ssl-example.com.conf

And add the following lines in the file before saving and exiting (remember to replace example.com with your domain both in the name of the file and in the lines):

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Once this is done, we will only need to change the default configuration of Nginx in order to add the certificate. We recommend that you create a backup of the default configuration using the following command, before starting to edit the main file:

> sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak

Use your favorite editor to change the main configuration file (/etc/nginx/sites-available/default) as follows:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-example.com.conf;
}

In this example we assume that you do not want to allow any unencrypted connections. If you want to keep both types of connection available, use the following configuration instead:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name example.com www.example.com;
    include snippets/ssl-example.com.conf;
}

We can now check if there are any syntax errors in our files using the following command:

> sudo nginx -t

If everything is successful, we are now ready to reload the web server and start serving pages with SSL:

> sudo systemctl restart nginx
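The Nginx steps above (snippet, server blocks, nginx -t, reload) can be done in one go with the script below. It is an added example, not code from the original article, and assumes the /etc/letsencrypt/live and /etc/nginx paths used in this tutorial. Before writing any file it checks that both certificate files exist and that privkey.pem is not world-readable, and it reloads Nginx only if nginx -t succeeds, so a typo cannot take the site down. The 443 block also gets an explicit server_name, which the listing above omits.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the snippet and the
# HTTPS-only server blocks shown in the article for a given domain, check the
# certificate files first, and reload Nginx only after `nginx -t` passes.
#
# Assumptions: certificates under /etc/letsencrypt/live/<domain>/ and the
# Nginx layout (/etc/nginx/snippets, /etc/nginx/sites-available/default) from
# the article. The 443 block additionally gets an explicit server_name so the
# vhost is selected by name and not only as default_server.

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
NGINX_DIR="${NGINX_DIR:-/etc/nginx}"

# check_cert_files DOMAIN: 0 if fullchain.pem and privkey.pem exist for DOMAIN
# and the private key is not readable by "other" (column 8 of ls -l, symlinks
# followed because live/ points into archive/); 1 with a message otherwise.
check_cert_files() {
    dir="$LE_LIVE/$1"
    for f in fullchain.pem privkey.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    other_read=$(ls -lL "$dir/privkey.pem" | cut -c8)
    if [ "$other_read" = "r" ]; then
        echo "refusing to continue: $dir/privkey.pem is world-readable" >&2
        return 1
    fi
    return 0
}

# render_ssl_snippet DOMAIN: the two ssl_* directives for snippets/ssl-DOMAIN.conf.
render_ssl_snippet() {
    printf 'ssl_certificate %s/%s/fullchain.pem;\nssl_certificate_key %s/%s/privkey.pem;\n' \
        "$LE_LIVE" "$1" "$LE_LIVE" "$1"
}

# render_vhost DOMAIN [ALIAS ...]: port 80 redirect block plus the TLS block.
render_vhost() {
    names="$*"
    cat <<EOF
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name $names;
    return 301 https://\$server_name\$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name $names;
    include snippets/ssl-$1.conf;
}
EOF
}

# install_config DOMAIN [ALIAS ...]: back up the current default site, write
# both files, validate, and reload (not restart) so open connections survive.
install_config() {
    check_cert_files "$1" || return 1
    site="$NGINX_DIR/sites-available/default"
    [ -f "$site" ] && cp "$site" "$site.bak"
    render_ssl_snippet "$1" > "$NGINX_DIR/snippets/ssl-$1.conf"
    render_vhost "$@" > "$site"
    if nginx -t; then
        systemctl reload nginx
    else
        echo "nginx -t failed; the running configuration is untouched, restore from $site.bak" >&2
        return 1
    fi
}

# Usage (as root): sh nginx-ssl-setup.sh example.com www.example.com
if [ $# -ge 1 ]; then
    install_config "$@"
fi
```

As in the listing above, the server blocks contain only the TLS-related directives; merge your site’s root and location directives into the 443 block, otherwise Nginx has nothing to serve there, and the Webroot plugin needs /.well-known/acme-challenge/ to stay reachable at renewal time. Note also that $server_name in the redirect expands to the first name in the server_name directive, so a request for www.example.com is redirected to https://example.com/; use $host instead if you want to preserve the requested name. We use systemctl reload rather than restart because a reload keeps existing connections open while the new configuration is applied.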

RENEW

To ensure your certificates do not expire, it is good practice to create a CRON job that runs the renew command periodically. We recommend a CRON job that runs at least once a week. You can create one with the following command:

> sudo crontab -e

You will also want to include the following line in your CRONTAB file:

> 00 3 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/certificate-renew.log 2>&1

This will execute the command every Monday at 3:00 AM, appending its output to the log file /var/log/certificate-renew.log so that you can check and track errors.
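The CRON line above simply appends whatever the client prints. The following wrapper, an added example that is not part of the original article, does the same but also records the exit status, classifies the result and reloads the web server when a certificate was actually replaced; with the Webroot setup used for Nginx, nothing else reloads Nginx after a renewal, so the new certificate would otherwise not be served until the next restart. It assumes the paths used in this tutorial, and the phrases it matches are the ones the client prints as far as we know; compare them with a real run of letsencrypt-auto renew on your version and adjust.

```shell
#!/bin/sh
# Added example, not code from the original post: a wrapper for the weekly
# cron job. It runs the renew command, appends stdout and stderr to the log
# with a timestamp, classifies the result, and reloads the web server only
# when a certificate was actually replaced.
#
# Assumptions: the paths from the article; the phrases matched in
# classify_renew_output are the ones certbot/letsencrypt-auto prints as far as
# we know ("not yet due for renewal", "no renewals were attempted",
# "all renewals succeeded", "renewal attempts failed", "unexpected error").
# Anything unrecognised is treated as a failure.

LE_BIN="${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}"
LOG="${LOG:-/var/log/certificate-renew.log}"
WEBSERVER="${WEBSERVER:-nginx}"   # systemd unit to reload, e.g. nginx or apache2

# classify_renew_output: read renew output on stdin, print one word and set
# the exit status: "unchanged" (0), "renewed" (0) or "failed" (1).
classify_renew_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eqi 'renewal attempts failed|unexpected error'; then
        echo failed; return 1
    elif printf '%s\n' "$out" | grep -Eqi 'all renewals succeeded'; then
        echo renewed; return 0
    elif printf '%s\n' "$out" | grep -Eqi 'not yet due for renewal|no renewals were attempted'; then
        echo unchanged; return 0
    fi
    echo failed; return 1
}

# run_renew: execute the renewal, log it, and act on the classification.
# Returns 1 on failure so cron (or a monitoring wrapper) sees a non-zero exit.
run_renew() {
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    rc=0
    out=$("$LE_BIN" renew 2>&1) || rc=$?
    printf '%s renew exit=%s\n%s\n' "$stamp" "$rc" "$out" >> "$LOG"
    result=$(printf '%s\n' "$out" | classify_renew_output) || true
    case "$result" in
        renewed)
            if systemctl reload "$WEBSERVER"; then
                printf '%s reloaded %s\n' "$stamp" "$WEBSERVER" >> "$LOG"
            else
                printf '%s RELOAD OF %s FAILED\n' "$stamp" "$WEBSERVER" >> "$LOG"
                return 1
            fi
            ;;
        unchanged)
            ;;
        *)
            printf '%s RENEWAL FAILED (exit=%s), see output above\n' "$stamp" "$rc" >> "$LOG"
            return 1
            ;;
    esac
    return 0
}

# Install as /usr/local/sbin/renew-certs.sh (path is our choice) and replace
# the article's crontab line with:  00 3 * * 1 /usr/local/sbin/renew-certs.sh --run
if [ "${1:-}" = "--run" ]; then
    run_renew
fi
```

Anything the classifier does not recognise is logged as a failure and produces a non-zero exit status, which is the safe direction: a false alarm costs a look at the log, whereas a silently expired certificate costs an outage.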

FIREWALL

In both cases, make sure that your firewall allows inbound TCP traffic on port 443. To open it with iptables, you may need to run the following command:

> sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT

Save your configuration and you should be all set. With this tutorial on SSL for your website, you can begin using encrypted connections that will protect the personal data of your customers as it traverses over the internet.
