DEV Community

Arman Hasan
Arman Hasan

Posted on

Install free TLS/SSL certificate on Ubuntu 20.04

Introduction
Prerequisites
Server Login
Installing Certbot
Auto-Renewal Certbot

Introduction

TLS/SSL is the standard security technology that works behind the scenes invisibly to the end-user devices to make a secure connection. It creates a protected connection between the user-end and the server-end and authenticates the user’s information to legitimate website owners.

In this guide, we’ll enable encrypted HTTPS on web servers to simplify the process by providing a secure connection. The entire process we’ll use Certbot to install a free SSL certificate for NGINX on Ubuntu 20.04 with an auto-renewal process.

Prerequisites

To stick with this guide, you need:

Server Login

To get a free SSL certificate we need to install Certbot on the server to configure HTTPS with the domain name. Firstly log into the domain IP Address with ssh keys if you don’t know how to configure the SSH key setup then you can follow this
How To Set Up SSH Keys might help you to understand the secure shell connection. Open the terminal and write the following command

ssh -i here put your ssh key location host_name@vlaue
Enter fullscreen mode Exit fullscreen mode

example

ssh -i /home/.ssh/ cheems@199.180.130.80
Enter fullscreen mode Exit fullscreen mode

Assume my server name: cheems and value is 199.180.130.80

Installing Certbot

To get an SSL certificate on the domain we’ll need to install the Certbot by hitting a simple command on the terminal to make sure you are logged in the server. Then run this command

sudo snap install --classic certbot
Enter fullscreen mode Exit fullscreen mode

This command will install the certbot program in the server now need to execute this command

sudo certbot --nginx
Enter fullscreen mode Exit fullscreen mode

After hitting this you will see those outputs

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: cheems
2: www.cheems
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Enter fullscreen mode Exit fullscreen mode

You can select multiple domain by adding a space between numbers like 1 2 and then hit enter
Then you’ll see outputs like this

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cheems
http-01 challenge for www.cheems
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/cheems-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/cheems-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/cheems-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/cheems-le-ssl.conf
Enter fullscreen mode Exit fullscreen mode

Now next part is the redirection setup. When a request comes into your domain will automatically redirect to the HTTPS address of your domain address. So Always select 2 to enable this redirection setup

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Enter fullscreen mode Exit fullscreen mode

After this, the installation and the setup configuration is done and it’ll show an output like this

Congratulations! You have successfully enabled https://cheems and
https://www.cheems

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=cheems
https://www.ssllabs.com/ssltest/analyze.html?d=www.cheems
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cheems/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cheems/privkey.pem
   Your cert will expire on 2022-01-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Enter fullscreen mode Exit fullscreen mode

Congratulations if you are still up and running to install and configure but this free version of SSL is only valid for three months so it’s a huge pain to remember when will the HTTPS certificate expire. No worries there’s a way to make this automatic procedure to reinstall the certificate and renew it before the expiry date.

Auto-Renewal Certbot

To make the process in an automatic manner just write down this command

sudo systemctl status certbot.timer
Enter fullscreen mode Exit fullscreen mode

This command will run the certbot scripts twice a day and will automatically renew any SSL certificate. You will see this kind of output

 certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Tue 2022-01-25 17:57:48 UTC; 17h ago
    Trigger: Wed 2022-01-25 23:50:31 UTC; 12h left
   Triggers:  certbot.service

Mar 25 17:57:48 fine-turtle systemd[1]: Started Run certbot twice daily.

Enter fullscreen mode Exit fullscreen mode

Now to test the renewal process simply just hit this line

sudo certbot renew --dry-run
Enter fullscreen mode Exit fullscreen mode

If theres no error then all set and ready to go.

Top comments (0)