How To

How to Enable SSL with Let’s Encrypt on Linux: Configuring Apache and Nginx

Secure Sockets Layer (SSL), now largely superseded by Transport Layer Security (TLS), is used to secure connections between web servers and browsers. This ensures that all data passed between the two systems remains private and secure. Let’s Encrypt is a free, automated, and open Certificate Authority that provides SSL/TLS certificates. This guide will illustrate how to enable SSL with Let’s Encrypt on Linux and configure Apache and Nginx web servers.

Before we start, you should have:

A Linux server running Ubuntu or Debian.
Root or sudo access to the server.
Either Apache or Nginx installed.
A Fully Qualified Domain Name (FQDN) pointed at your server.

Step 1: Installing Certbot

Certbot is the software client used to install Let’s Encrypt SSL certificates. Install it using the package manager. For Ubuntu or Debian-based systems:

sudo apt-get update & sudo apt-get install certbot

Step 2: Obtaining an SSL Certificate

Once Certbot is installed, you can obtain an SSL certificate. This differs slightly depending on whether you’re using Apache or Nginx.

For Apache:
sudo certbot --apache -d -d

For Nginx:
sudo certbot --nginx -d -d

Replace with your actual domain name. The -d flag is used to specify the domain names you want the certificate to be valid for. Certbot will take care of the rest, obtaining a certificate and configuring your web server to use it.

Step 3: Verifying the SSL Certificate

To verify that the SSL certificate is working correctly, navigate to your domain in a web browser, using https:// at the start of the URL. You should see a lock icon next to the URL, indicating that the site is secure.
Step 4: Setting up Auto-Renewal

Let’s Encrypt certificates expire after 90 days, but Certbot includes a script to auto-renew certificates. To test that auto-renewal works, you can use:

sudo certbot renew --dry-run

If the test is successful, you can set up auto-renewal by adding a cron job. Open the cron tab file:

sudo crontab -e

Add the following line to the file:

0 2 * * * /usr/bin/certbot renew --quiet

This will attempt to renew the certificate at 2 am, every day. If the certificate is due for renewal (less than 30 days to expiry), it will be renewed.

Congratulations! You have now enabled SSL with Let’s Encrypt on your Linux server and configured either Apache or Nginx to use the SSL certificate. Remember to verify the SSL certificate and setup auto-renewal to ensure continuous secure connections.