Use Let’s Encrypt to secure Linux servers for free

An SSL web certificate secures your website by encrypting the communication between you and the server the site is running on, and lets you be (almost) sure that what you see was not modified along the way. You can tell that a connection is encrypted when the website address starts with “https://”.

As an example, my website is secured as you see in the URL.

Let’s Encrypt is a free certificate provider.

Why should you secure your site?

  • Because it’s free with Let’s Encrypt! It was very expensive a few years ago, but now you can get a good certificate for free.
  • Because your site looks more serious when running on https://
  • Because you care about your visitors.
  • Because it’s easy 🙂 Setting up an SSL certificate was really hard a few years ago.
  • Because you will get a higher ranking on Google and other search engines.

How to secure it if you are just paying a hosting provider?

If you don’t manage your domain yourself (which is the case for most people), many providers offer a Let’s Encrypt certificate for free with just a few clicks!

As an example

How to secure your domain if you have a VPS or dedicated server?

This tutorial focuses on Debian / Ubuntu using apache2.

The first step is to set up a virtual host running on http (out of the scope of this article). You should be able to access your website using http://www.yourdomain.ch

You then need to install certbot and python3-certbot-apache:

apt-get install certbot python3-certbot-apache

You can then easily create an https version of your domain:

sudo certbot -tvv --apache -m you@yourmail.com --redirect --hsts --uir --reinstall -d www.yourdomain.ch

If you have multiple aliases of the same domain, pass each one with its own -d option:

sudo certbot -tvv --apache -m you@yourmail.com --redirect --hsts --uir --reinstall -d www.yourdomain.ch -d yourdomain.ch

I highly suggest keeping different domains separate! Run the same command for each of them, and don’t use aliases for domains that have different purposes.

Then restart apache using:

sudo service apache2 restart

Now when you write http://www.yourdomain.ch, you should be automatically forwarded to https://www.yourdomain.ch
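To confirm what the --redirect, --hsts and --uir flags used above have configured, the following added example (not part of the original tutorial) checks response headers as printed by curl -sI. The sample responses are constructed, the function names are hypothetical, and the expected results (a 301/308 redirect to https://, a Strict-Transport-Security header, and the upgrade-insecure-requests CSP directive) are assumptions about what those flags produce.

```shell
# Added example: verify what certbot's --redirect, --hsts and --uir flags configure.
# Constructed sample responses (as printed by `curl -sI`), so the checks run offline.
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://www.yourdomain.ch/'
SAMPLE_HTTPS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: upgrade-insecure-requests'

# header_value NAME: reads headers on stdin, prints the first NAME header's value.
header_value() {
  tr -d '\r' | awk -F: -v name="$1" \
    'tolower($1) == tolower(name) { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# --redirect: plain HTTP must answer with a permanent redirect to https://
check_redirect() {
  local hdrs status loc
  hdrs=$(cat)
  status=$(printf '%s\n' "$hdrs" | awk 'NR == 1 { print $2 }')
  loc=$(printf '%s\n' "$hdrs" | header_value Location)
  case "$status" in 301|308) ;; *) echo "FAIL redirect: status '$status'"; return 1 ;; esac
  case "$loc" in https://*) echo "OK   redirect -> $loc" ;; *) echo "FAIL target: '$loc'"; return 1 ;; esac
}

# --hsts: HTTPS responses must carry Strict-Transport-Security with max-age > 0
check_hsts() {
  local value age
  value=$(header_value Strict-Transport-Security | tr 'A-Z' 'a-z')
  age=$(printf '%s\n' "$value" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -n "$age" ] && [ "$age" -gt 0 ]; then echo "OK   hsts max-age=$age"
  else echo "FAIL hsts: '$value'"; return 1; fi
}

# --uir: HTTPS responses must carry the upgrade-insecure-requests CSP directive
check_uir() {
  if header_value Content-Security-Policy | grep -qi 'upgrade-insecure-requests'
  then echo "OK   upgrade-insecure-requests"
  else echo "FAIL upgrade-insecure-requests missing"; return 1; fi
}

# Live check (needs curl and network access): verify_site www.yourdomain.ch
verify_site() {
  local https
  curl -sI "http://$1/" | check_redirect || return 1
  https=$(curl -sI "https://$1/") || return 1
  printf '%s\n' "$https" | check_hsts && printf '%s\n' "$https" | check_uir
}

# Offline self-check against the constructed samples above
printf '%s\n' "$SAMPLE_HTTP" | check_redirect
printf '%s\n' "$SAMPLE_HTTPS" | check_hsts && printf '%s\n' "$SAMPLE_HTTPS" | check_uir
```

After sourcing the file, run verify_site www.yourdomain.ch against your own server; any FAIL line names the setting to re-check in the virtual host that certbot wrote.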

The certificates are only valid for 3 months… but that’s a good thing 🙂 You need a script to renew the certificate automatically.

First, test that the “renew command” works correctly:

sudo certbot renew

You should see something like: Cert not yet due for renewal.

Add a cron job for the root user with a line that renews the certificate. The certificate is renewed only if needed!

sudo crontab -e
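# cron runs commands with /bin/sh, so redirect with ">>file 2>&1" (bash's "&>>" is not understood there)
34 02 * * * (certbot renew; service apache2 restart) >>/tmp/certbot.log 2>&1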

Now your certificate is (or should be) set up correctly, and you don’t have to care about it anymore.