How to set up FREE HTTPS for your website -- including a free CA certificate

**GET YOUR SETTINGS REVIEWED BY AN EXPERT BEFORE YOU GO LIVE**


You will find information in bits and pieces all over the Internet, peppered with technical jargon. If you do not know how HTTPS works, do not worry: it is not hard to set up. For our purposes, HTTPS encrypts the traffic between the browser and your website. The keys are a couple of files used to encrypt that traffic, and the certificate built from them needs to be signed by a CA (certificate authority) so that browsers recognise the site as properly encrypted. I will use the nginx web server and the CentOS 7 operating system to show how HTTPS can be set up. If you use a different web server such as Apache, or a different OS such as Ubuntu, look up the corresponding instructions elsewhere. So here are the steps:

1. Get a free CA signed certificate
2. Update your web server to use the certificates and enable https
3. Set up certificate renewal, and optimize and secure your HTTPS website

1. Get a free CA signed certificate
Yes! You can get a free CA-signed certificate that is valid for 90 days and set up automatic renewal. You can get the certificate here or, even better, use a tool that validates your domain and copies the keys to your host.

You can use https://www.sslforfree.com/, which generates the Let's Encrypt keys for you, or you can use certbot on the server itself:
sudo yum install certbot
certbot certonly --webroot -w /usr/share/nginx/html -d example.com -d www.example.com

where /usr/share/nginx/html is the folder your website is served from. If your website is in a different folder, replace every occurrence of /usr/share/nginx/html with the correct path. example.com is your website's domain name.


You may end up with a host validation error. This can happen because your server is not set up to serve the folder that certbot uses for its challenge files. Add the following to /etc/nginx/nginx.conf, below the existing "location / {}" block:

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /usr/share/nginx/html;
}

You may have to create the /usr/share/nginx/html/.well-known/acme-challenge folder yourself.


Then reload nginx to pick up the new settings, and rerun the certbot command above (with your changes):
nginx -s reload

certbot writes a bunch of files:
[root@li851-111 nginx]# ls /etc/letsencrypt/live/example.com
cert.pem  chain.pem  fullchain.pem  privkey.pem 


Now you have the CA-signed certificate files.

2. Update your web server to use the certificates and enable HTTPS
Now that you have the certificates, you can enable HTTPS for your website. Uncomment the TLS section of /etc/nginx/nginx.conf after the line: # Settings for a TLS enabled server.

The settings look similar to the block below; set ssl_certificate and ssl_certificate_key to the paths of the files from step 1:

# Settings for a TLS enabled server.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # fullchain.pem contains your certificate plus the intermediate CA
        # certificate; with cert.pem alone some clients cannot build the
        # chain and reject the connection.
        ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
        # "ssl on;" is deprecated and not needed: the "ssl" parameter on
        # the listen directives above already enables TLS for this server.
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout  120m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Then reload the web server: nginx -s reload
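A check you can run over the server block above before going live, added here as an example and not part of the original post: it scans the ssl_* directives of an nginx configuration string and flags the pitfalls discussed in this step (cert.pem instead of fullchain.pem, the deprecated `ssl on;`, no protocol restriction, no HSTS header). The two configuration strings are constructed samples; the protocol and HSTS checks go beyond what the post's own configuration shows, and the parser handles one directive per line rather than the full nginx grammar.

```python
import re
# Constructed sample: the TLS directives of the server block in the post.
SAMPLE_CONF = """
server {
    listen       443 ssl http2 default_server;
    ssl on;
    ssl_certificate "/etc/letsencrypt/live/example.com/cert.pem";
    ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

# Constructed sample: the same block after the findings below are applied.
HARDENED_CONF = """
server {
    listen       443 ssl http2 default_server;
    ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
"""

DIRECTIVE = re.compile(r'^\s*(ssl|ssl_\w+|add_header)\s+([^;]*);', re.M)

def directives(conf):
    """Map each TLS-related directive to its argument string (outer quotes stripped)."""
    found = {}
    for name, args in DIRECTIVE.findall(conf):
        args = args.strip().strip('"\'')
        if name == "add_header":  # key by header name so HSTS can be looked up
            name = "add_header " + args.split()[0]
        found[name] = args
    return found

def audit(conf):
    """Return the findings for one server block; an empty list means nothing was flagged."""
    d, findings = directives(conf), []
    if not d.get("ssl_certificate", "").endswith("fullchain.pem"):
        findings.append("ssl_certificate should be fullchain.pem so the intermediate CA cert is sent")
    if d.get("ssl") == "on":
        findings.append("'ssl on;' is deprecated; the ssl parameter on listen already enables TLS")
    protos = d.get("ssl_protocols", "").split()
    if not protos or any(p in protos for p in ("SSLv3", "TLSv1", "TLSv1.1")):
        findings.append("ssl_protocols should be limited to TLSv1.2 and TLSv1.3")
    if "add_header Strict-Transport-Security" not in d:
        findings.append("no HSTS header: add Strict-Transport-Security once HTTPS works")
    return findings
```

Run audit() on the text of your own server block and fix each finding before reloading nginx.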

3. Set up certificate renewal, and optimize and secure your HTTPS website
The certbot tool can request a renewal itself, so all we need to do is set up a cron job that asks for one. Let's Encrypt certificates expire after 90 days; certbot renew only replaces a certificate that is close to expiry (within 30 days of it by default) and leaves the others untouched, so the job is safe to run monthly. You can replace 13 in the command below with the current day of the month minus 1 so the renewal happens on the 89th day.


# In root's crontab (sudo crontab -e): run at 00:00 on the 13th of every month.
# The deploy hook reloads nginx after a renewal so the new certificate is served.
0 0 13 * * certbot renew --quiet --deploy-hook "nginx -s reload"


Now follow the steps here to either redirect HTTP to HTTPS or disable plain HTTP, and to optimize your HTTPS setup: https://bjornjohansen.no/redirect-to-https-with-nginx and https://bjornjohansen.no/optimizing-https-nginx


Now try https://example.com

References:
  1. https://certbot.eff.org/#centosrhel7-nginx
  2. https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622
  3. https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/
  4. https://www.digicert.com/ssl-certificate-installation-nginx.htm
  5. https://bjornjohansen.no/optimizing-https-nginx
  6. https://letsencrypt.org/
