Disclaimer: I haven’t learnt much about HTTPS so there may be some misused terms here and there.
My personal website has been up on my DigitalOcean server for about a year now. I access the website almost every day to update my expense manager. However, I never installed SSL on the server, so all of my financial activities have been going around and back in plain text!
So I decided to secure and authenticate my server using HTTPS. However, most trusted SSL certificates, which are signed by a Certificate Authority (CA), are not free (this is one of the reasons I hadn’t installed any SSL certificate up until just earlier).
Then I discovered Let’s Encrypt, a free, automated, and open CA. They had me at “free, automated”.
So I started setting up my server to adopt the certificate. My website is Ruby (2.3.0) on Rails (4.2.6) on Passenger (5.0.29) on Apache (2.4.7) on Ubuntu (14.04 32 bit) (phew). First, clone Let’s Encrypt from GitHub (OPEN!).
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt && cd /opt/letsencrypt
Then the automatic part. This command will create a new certificate for the domain you provided and set up Apache automatically.
./letsencrypt-auto --apache -d YOURDOMAIN.COM -d ALIAS.YOURDOMAIN.COM -d SUB.YOURDOMAIN.COM
You can add multiple domains/aliases/subdomains. I haven’t tried, but you probably can just use *.YOURDOMAIN.COM for that. I ran the command for araishikeiwai.com, www.araishikeiwai.com, and blog.araishikeiwai.com. After that, you’ll be asked to provide an email address (you know, just in case) and choose whether you still allow HTTP or force all traffic to be HTTPS. For me, it didn’t matter because I ended up changing the Apache config file later.
The command above will create a new Apache configuration file in /etc/apache2/sites-available/000-default-le-ssl.conf (I forgot the exact filename, something like that). However, because I had already set up Apache to use my own configuration file, I had to modify it to adopt the certificate.
I think it’s best to redirect all your traffic to HTTPS (as long as there’s no need to have HTTP connections). So, I modified my conf file by changing the virtual host port from 80 to 443. This way, the HTTPS requests will connect to the previously set up virtual host. However, HTTP requests need to be redirected. So I added a new virtual host:
<VirtualHost *:80>
  ServerName araishikeiwai.com
  ServerAlias www.araishikeiwai.com
  Redirect permanent / https://araishikeiwai.com/
</VirtualHost>
Finished. Every request to my website will be in HTTPS. But wait… No SSL certificate had been installed yet, because Let’s Encrypt put it in another configuration file. So, I opened up that configuration file and copied some of the contents to my configuration file. Here are the lines that I copied:
SSLCertificateFile CERT_LOCATION
SSLCertificateKeyFile PRIVATE_KEY_LOCATION
SSLCertificateChainFile CHAIN_FILE_LOCATION
And I added
SSLEngine on
before those lines.
I did the same (redirection and SSL copy) to the other virtual host for blog.araishikeiwai.com.
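Because the redirect and the SSL directives are copied by hand into each virtual host, it is easy to leave one half-configured. As an added example (not code from the original post), this Python sketch audits a configuration for exactly that; example.com, the *_LOCATION placeholders and the function names are assumptions, and nested sections and Include files are not handled.

```python
import re

# Constructed sample in the layout the post describes (example.com and the
# *_LOCATION values are placeholders). The blog vhosts are left half-done.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile CERT_LOCATION
    SSLCertificateKeyFile PRIVATE_KEY_LOCATION
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName blog.example.com
    SSLCertificateFile CERT_LOCATION
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Yield (port, {lowercased directive: [argument strings]}) per vhost."""
    for addr, body in VHOST_RE.findall(conf):
        d = {}
        for line in body.splitlines():
            key, _, args = line.strip().replace("\t", " ").partition(" ")
            if key and not key.startswith("#"):
                d.setdefault(key.lower(), []).append(args.strip())
        yield addr.split()[0].rpartition(":")[2], d

def audit(conf):
    """Return findings for vhosts that serve plain HTTP or incomplete TLS."""
    findings = []
    for port, d in parse_vhosts(conf):
        name = d.get("servername", ["<unnamed>"])[0]
        if port == "80":
            if not any("https://" in a.lower() for a in d.get("redirect", [])):
                findings.append(f"{name}:80 has no redirect to https://")
        elif port == "443":
            if "on" not in (a.lower() for a in d.get("sslengine", [])):
                findings.append(f"{name}:443 is missing 'SSLEngine on'")
            findings += [f"{name}:443 is missing {req}"
                         for req in ("SSLCertificateFile", "SSLCertificateKeyFile")
                         if req.lower() not in d]
    return findings
```

Calling audit() on the text of your own configuration file before restarting Apache returns an empty list when every port-80 host redirects and every port-443 host has the engine, certificate and key lines.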
After I finished setting up the configuration file, I set Apache back to using it (because Let’s Encrypt made it use the auto-generated configuration file). I also made sure to enable the SSL module.
sudo a2enmod ssl
sudo a2dissite 000-default-le-ssl.conf
sudo a2ensite MY_CONF_FILE_NAME.conf
sudo service apache2 restart
FINISHED. However, note that a Let’s Encrypt certificate expires within 90 days. The way around this is to renew the certificate regularly (of course, before the expiry date). This can be done automatically using a cron job (which I will write about in this blog if I have the time some time in the future).
Sources:
- https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
- https://www.digitalocean.com/community/tutorials/how-to-deploy-a-rails-app-with-passenger-and-apache-on-ubuntu-14-04