Installing Free SSL on Apache Webserver

Disclaimer: I haven’t learnt much about HTTPS so there may be some misused terms here and there.

My personal website has been up on my DigitalOcean server for about a year now. I access the website almost every day to update my expense manager. However, I never installed SSL on the server, so all of my financial activity has been going back and forth in plain text!

So I decided to secure and authenticate my server using HTTPS. However, most trusted SSL certificates, which are signed by a Certificate Authority (CA), are not free (this is one of the reasons I hadn’t installed any SSL certificate until just now).

Then I discovered Let’s Encrypt, a free, automated, and open CA. They had me at “free, automated”.

So I started setting up my server to use the certificate. My website is Ruby (2.3.0) on Rails (4.2.6) on Passenger (5.0.29) on Apache (2.4.7) on Ubuntu (14.04 32 bit) (phew). First, clone Let’s Encrypt from GitHub (OPEN!).

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt && cd /opt/letsencrypt

Then the automatic part. This command will request a new certificate for the domains you provide and set up Apache automatically.

./letsencrypt-auto --apache -d YOURDOMAIN.COM -d ALIAS.YOURDOMAIN.COM -d SUB.YOURDOMAIN.COM

You can add multiple domains, aliases, or subdomains. I haven’t tried, but you probably can just use *.YOURDOMAIN.COM for that. I ran the command for araishikeiwai.com, www.araishikeiwai.com, and blog.araishikeiwai.com. After that, you’ll be asked to provide an email address (you know, just in case) and to choose whether you still allow HTTP or force all traffic to HTTPS. For me, it didn’t matter because I ended up changing the Apache config file later.

The command above creates a new Apache configuration file, /etc/apache2/sites-available/000-default-le-ssl.conf (I forgot the exact filename; something like that). However, because I had already set up Apache to use my own configuration file, I had to modify that file to use the certificate.

I think it’s best to redirect all your traffic to HTTPS (as long as there’s no need for plain HTTP connections). So I modified my conf file by changing the virtual host port from 80 to 443. This way, HTTPS requests connect to the previously configured virtual host. However, HTTP requests still need to be redirected, so I added a new virtual host:

<VirtualHost *:80>
    ServerName araishikeiwai.com
    ServerAlias www.araishikeiwai.com
    Redirect permanent / https://araishikeiwai.com/
</VirtualHost>

Finished. Every request to my website will be over HTTPS. But wait… no SSL certificate had been installed yet, because Let’s Encrypt put it in the other configuration file. So I opened that configuration file and copied some of its contents into mine. Here are the lines I copied:

SSLCertificateFile CERT_LOCATION
SSLCertificateKeyFile PRIVATE_KEY_LOCATION
SSLCertificateChainFile CHAIN_FILE_LOCATION

And I added

SSLEngine on

before those lines.

I did the same (redirect and SSL copy) for the other virtual host, blog.araishikeiwai.com.

After finishing the configuration file, I switched Apache back to using it (because Let’s Encrypt had made it use the auto-generated configuration file). I also made sure the SSL module was enabled.

sudo a2enmod ssl
sudo a2dissite 000-default-le-ssl.conf
sudo a2ensite MY_CONF_FILE_NAME.conf
sudo service apache2 restart
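Putting the pieces above together, here is what the finished site configuration can look like. This is an added example, not the author's actual config file: it assumes the certificate files sit in the default /etc/letsencrypt/live/araishikeiwai.com/ directory that letsencrypt-auto writes when the first domain on the command line is araishikeiwai.com (check the generated 000-default-le-ssl.conf for the real paths), and that the Rails app is deployed under /var/www/araishikeiwai with Passenger serving its public/ directory.

```apache
# Added example configuration, not the original post's file.
# Assumed paths: /etc/letsencrypt/live/araishikeiwai.com/ for the certificate
# files and /var/www/araishikeiwai/public for the Rails app's public directory.

# Plain HTTP: only answer with a permanent redirect to HTTPS. Keep port 80
# open; Let's Encrypt's HTTP validation follows the redirect when renewing.
<VirtualHost *:80>
    ServerName araishikeiwai.com
    ServerAlias www.araishikeiwai.com
    Redirect permanent / https://araishikeiwai.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.araishikeiwai.com
    Redirect permanent / https://blog.araishikeiwai.com/
</VirtualHost>

# HTTPS: the original app vhost with its port changed from 80 to 443 and the
# SSL lines copied from the generated 000-default-le-ssl.conf added.
<VirtualHost *:443>
    ServerName araishikeiwai.com
    ServerAlias www.araishikeiwai.com

    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/araishikeiwai.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/araishikeiwai.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/araishikeiwai.com/chain.pem

    DocumentRoot /var/www/araishikeiwai/public
    <Directory /var/www/araishikeiwai/public>
        Allow from all
        Options -MultiViews
        Require all granted
    </Directory>
</VirtualHost>

# The blog was requested in the same letsencrypt-auto run, so it is covered by
# the same certificate and points at the same files.
<VirtualHost *:443>
    ServerName blog.araishikeiwai.com

    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/araishikeiwai.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/araishikeiwai.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/araishikeiwai.com/chain.pem

    DocumentRoot /var/www/araishikeiwai-blog/public
    <Directory /var/www/araishikeiwai-blog/public>
        Allow from all
        Options -MultiViews
        Require all granted
    </Directory>
</VirtualHost>
```

Run `sudo apache2ctl configtest` before `sudo service apache2 restart`; a typo in a certificate path fails the syntax check instead of taking the site down. The generated Let's Encrypt file typically also carries an Include line for an options-ssl-apache.conf with protocol and cipher settings, and that line is worth copying along with the three certificate directives.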

FINISHED. However, note that a Let’s Encrypt certificate expires after 90 days. The way around this is to renew the certificate regularly (before the expiry date, of course). This can be done automatically with a cron job (which I will write about on this blog if I have the time at some point in the future).
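One shape such a cron job can take, as an added example that is not from the original post: a small POSIX shell script that reads the expiry date off the live certificate with openssl, and only when fewer than 30 days remain runs the `renew` subcommand of letsencrypt-auto and reloads Apache. It assumes the clone lives at /opt/letsencrypt as above, that this version of letsencrypt-auto has the `renew` subcommand and the `--no-self-upgrade` flag, the default /etc/letsencrypt/live/araishikeiwai.com/cert.pem path, and GNU `date` (the `-d` option) as found on Ubuntu.

```sh
#!/bin/sh
# Added example: renew the Let's Encrypt certificate when it is close to expiry.
# Assumed paths and threshold; not taken from the original post.
LE_BIN=/opt/letsencrypt/letsencrypt-auto
CERT=/etc/letsencrypt/live/araishikeiwai.com/cert.pem
THRESHOLD_DAYS=30

# Print the whole days left until the date in a "notAfter=..." line, as
# produced by `openssl x509 -noout -enddate`. Negative once it has expired.
days_left() {
    enddate=${1#notAfter=}
    # GNU date parses OpenSSL's format ("Jul 28 12:00:00 2016 GMT") directly.
    end_epoch=$(date -u -d "$enddate" +%s) || return 1
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeed (exit 0) when the certificate expires within THRESHOLD_DAYS.
needs_renewal() {
    days=$(days_left "$1") || return 1
    [ "$days" -lt "$THRESHOLD_DAYS" ]
}

main() {
    enddate=$(openssl x509 -noout -enddate -in "$CERT") || exit 1
    if needs_renewal "$enddate"; then
        # renew only touches certificates that are due; reload Apache so it
        # picks up the new files without dropping connections.
        "$LE_BIN" renew --quiet --no-self-upgrade && service apache2 reload
    else
        echo "certificate valid for $(days_left "$enddate") more days, nothing to do"
    fi
}

# Only run the renewal when invoked with "run", so the functions above can be
# sourced and checked on their own. Suggested crontab line (twice a day):
#   17 3,15 * * * /usr/local/sbin/renew-le.sh run
case "${1:-}" in
    run) main ;;
esac
```

Running it twice a day is deliberate: `renew` does nothing unless a certificate is within its renewal window, so a frequent schedule costs nothing and gives a missed run a second chance the same day.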


Sources:

  1. https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
  2. https://www.digitalocean.com/community/tutorials/how-to-deploy-a-rails-app-with-passenger-and-apache-on-ubuntu-14-04