Enable HTTPS On Your Website With Let’s Encrypt

There’s no question that secure communications are critical. On the web, this is done using HTTPS, the secure extension of HTTP. In HTTPS, communications are encrypted using Transport Layer Security (TLS) or its deprecated predecessor, Secure Sockets Layer (SSL).

TLS uses a public key encryption scheme in which you have a public and private key pair. The web server provides its public key, which the web browser uses to encrypt communications with the server. The public key is signed to certify the identity of the web server that owns the key. This gives you the public key certificate, or simply the certificate.

You can self-sign (or self-certify) just so you can encrypt communications, and that’s fine if you’re dealing with yourself or with parties who trust you and your self-signed certificate (e.g. your own systems or employees). But if you deal with other parties (e.g. other systems or customers), you need a certificate from a certificate authority (CA), a trusted entity that signs keys and issues certificates.

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG). They provide certificates absolutely free. The certificates expire in 90 days, but they can be automatically renewed using Certbot. There’s simply no excuse not to have a secure site, and it’s easy to boot. There are step-by-step instructions for almost every web server and operating system combination on the Certbot page.

Here are the steps for getting certificates using Ubuntu and Apache:

  1. Add the Certbot apt repository:
    • sudo add-apt-repository ppa:certbot/certbot
  2. Update the package lists:
    • sudo apt-get update
  3. Install Certbot from the new repository with apt-get:
    • sudo apt-get install python-certbot-apache
  4. Obtain a certificate for your domain

This gives you certificates for your domain and configures Apache automatically. You can also find the certificate files for other purposes (see below) at /etc/letsencrypt/live/example.com

The certificate only lasts for 90 days. However, Certbot takes care of this by running certbot renew twice a day via a systemd timer or cron. You can also manually test renewal:

  • sudo certbot renew --dry-run

BONUS: If you’re using Dovecot https://www.dovecot.org/, you can also use the certificate:

  1. Edit /etc/dovecot/conf.d/10-ssl.conf:
    • ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
    • ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
  2. Restart dovecot:
    • sudo service dovecot restart

That’s it! You now have a secure website and email server.

Set Up HTTPS In Apache

Setting up HTTPS is also easy. As usual, open up httpd.conf found in the conf directory of your Apache installation directory.

First, you need to enable the SSL module. Make sure to uncomment the line that loads mod_ssl.so:

LoadModule ssl_module modules/mod_ssl.so

To support HTTPS, you normally would listen to port 443. You need to register it as a port that Apache listens on. After the line that says “Listen 80” add:

Listen 443

If your server has multiple IP addresses,  you can also listen to specific address and port combinations:

Listen 10.0.0.1:443
Listen 10.0.0.2:443

You will then need to define a virtual host for your secure server:

<VirtualHost *:443>
   ServerAdmin [email protected]
   DocumentRoot /www/docs/www.example.com
   ServerName www.example.com
   ErrorLog logs/www.example.com-error_log
   CustomLog logs/www.example.com-access_log common
   SSLEngine On
   SSLCertificateFile /etc/httpd/conf/ssl.crt/cert.pem
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/key.pem
</VirtualHost>

<VirtualHost *:443> means this virtual host will handle HTTPS requests on any IP.

You will need a server certificate and key. Let’s say you have them as cert.pem and key.pem. Copy these to the conf/ssl.crt and conf/ssl.key directories of your Apache installation directory.

Save and restart Apache.

That’s it!

Set Up Name-Based Virtual Hosts In Apache

If your server has only one IP (or even if you have many) and you want to host different websites, you can use Apache’s name-based virtual hosts feature.

Setting up name-based virtual hosts is easy. First, open up httpd.conf found in the conf directory of your Apache installation directory.

Then you need to enable name-based virtual hosting. Make sure to uncomment the line that does this:

NameVirtualHost *:80

If your server has multiple IPs, you can choose which IP will host name-based virtual hosts:

NameVirtualHost 10.0.0.1:80

Now you can define different sites for every DNS name your server has. Just add the following for every name:

<VirtualHost 10.0.0.1:80>
   ServerAdmin [email protected]
   DocumentRoot /www/docs/www.example.com
   ServerName www.example.com
   ServerAlias www2.example.com www3.example.com
   ErrorLog logs/www.example.com-error_log
   CustomLog logs/www.example.com-access_log common
</VirtualHost>

ServerName is required for the primary DNS name. For additional DNS names corresponding to the same virtual host, you can use ServerAlias and add as many DNS names as you want, separated by spaces.

Don’t forget you can mix and match IPs and ports as in IP-based virtual hosts.

Save and restart Apache.

That’s it!

Set Up IP-Based Virtual Hosts In Apache

If your server has multiple IPs and you want to host a different website for each IP, you can use Apache’s IP-based virtual hosts feature.

Setting up IP-based virtual hosts is easy. First, open up httpd.conf found in the conf directory of your Apache installation directory.

You need to register the IPs that you want Apache to listen on. After the line that says “Listen 80” add:

Listen 10.0.0.1:80
Listen 10.0.0.2:80

If you wish to host websites on ports other than port 80, let’s say 8080, you also need to register it as a port that Apache listens on.

Listen 8080

You can also listen to specific address and port combinations:

Listen 10.0.0.1:8081
Listen 10.0.0.2:8082

Normally, Apache will respond to requests with the default site as defined in httpd.conf. However, you can define different sites for every address and port combination defined in your Listen directives. Just add the following for every combination:

<VirtualHost ip-address:port-number>
   ServerAdmin [email protected]
   DocumentRoot /www/docs/www.example.com
   ServerName www.example.com
   ErrorLog logs/www.example.com-error_log
   CustomLog logs/www.example.com-access_log common
</VirtualHost>

<VirtualHost *:80> means this virtual host will handle HTTP requests for any IP on port 80. This virtual host corresponds to “Listen 80”.

<VirtualHost 10.0.0.1:80> means this virtual host will handle HTTP requests for 10.0.0.1 on port 80. This virtual host corresponds to “Listen 10.0.0.1:80”.

<VirtualHost 10.0.0.2:80> means this virtual host will handle HTTP requests for 10.0.0.2 on port 80. This virtual host corresponds to “Listen 10.0.0.2:80”.

<VirtualHost 10.0.0.1:8081> means that this virtual host will handle HTTP requests for the IP address 10.0.0.1 on port 8081. This virtual host corresponds to “Listen 10.0.0.1:8081”.

<VirtualHost 10.0.0.2:8082> means that this virtual host will handle HTTP requests for the IP address 10.0.0.2 on port 8082. This virtual host corresponds to “Listen 10.0.0.2:8082”.
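As an added example (not code from the page or from the Apache project), here is a small Python linter for the two rules the HTTPS section and this section stress: every VirtualHost address:port needs a matching Listen directive, and a port-443 virtual host needs SSLEngine On plus both certificate files. The sample configuration is constructed, and the Listen-matching rule (a bare port feeds every address, a *:port vhost accepts any address on that port) is my reading of Apache's behaviour.

```python
import re

# Constructed httpd.conf fragment (not from the page): mistyped SSLEngine, missing key file, vhost with no Listen.
SAMPLE_CONF = """
Listen 443
Listen 10.0.0.1:8081
<VirtualHost 10.0.0.2:443>
   ServerName www.example.com
   SLEngine On
   SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
</VirtualHost>
<VirtualHost 10.0.0.2:8082>
   DocumentRoot /www/docs/other.example.com
</VirtualHost>
"""

def split_addr(spec):
    # "443" -> ("*", "443"); "10.0.0.1:8081" -> ("10.0.0.1", "8081")
    addr, _, port = spec.strip().rpartition(":")
    return (addr or "*", port)

def parse_conf(text):
    """Return (set of Listen (addr, port), list of (addr, port, {directive: value}))."""
    listens = {split_addr(m.group(1)) for m in re.finditer(r"^\s*Listen\s+(\S+)", text, re.M)}
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", text, re.S | re.I):
        directives = {}
        for line in m.group(2).splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1]
        vhosts.append(split_addr(m.group(1)) + (directives,))
    return listens, vhosts

def lint(text):
    """Flag vhosts that no Listen feeds and port-443 vhosts missing TLS directives."""
    listens, vhosts = parse_conf(text)
    problems = []
    for addr, port, d in vhosts:
        name = d.get("servername", f"{addr}:{port}")
        # A Listen feeds this vhost if it is on the same port and either side is a wildcard or they match.
        if not any(p == port and (a == "*" or a == addr or addr == "*") for a, p in listens):
            problems.append(f"{name}: no Listen directive for {addr}:{port}")
        if port == "443":
            if d.get("sslengine", "").lower() != "on":
                problems.append(f"{name}: port 443 vhost without 'SSLEngine On'")
            for req in ("sslcertificatefile", "sslcertificatekeyfile"):
                if req not in d:
                    problems.append(f"{name}: missing {req}")
    return problems
```

Run lint() over the text of your own httpd.conf (and any included vhost files) after editing and before restarting Apache; an empty list means both rules hold.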

Save and restart Apache.

That’s it!