How To Secure Your Web Application With Let's Encrypt Open SSL

Technology Reads Mar 15, 2020

Excerpt

In the last few years, Let's Encrypt's free, open certificates have become the go-to option for encrypting the traffic between your website's visitors and your server on the internet.

Who is Let's Encrypt?

Let's Encrypt is a non-profit certificate authority run as part of the Internet Security Research Group (ISRG).

Securing your web app with Let's Encrypt open SSL is effortless: they have built an end-to-end solution that is free and automates most of the work of managing an SSL certificate.

The usual difficulties of buying and hosting certificates from commercial certificate providers are replaced by installing a few packages and running some commands on the server.

Everything from issuing and renewing the certificate to encrypting your website traffic on the internet is handled by Let's Encrypt, and all of it is free of charge.

As of February 2020, Let's Encrypt has issued more than a billion certificates, and as an open certificate authority it protects encrypted internet traffic for more than 170 million websites.

Existing Set up Required

  1. A virtual server with your favorite Linux distribution installed.
  2. The initial server setup completed, from enabling the UFW firewall to creating a regular (non-root) user.
  3. Nginx installed and configured, including its application profiles registered with the UFW firewall for HTTP and HTTPS access.
  4. Your domain name registered, with name servers in place to answer DNS lookups, and an A record at your cloud host or domain registrar pointing to the virtual server above.

With that in place, entering the domain name in a browser should reach your server through the existing setup.


How to install an SSL certificate for the Ubuntu Linux server with Nginx plugin?

Before we go ahead and install the certificate for our domain, a few things in the Nginx reverse proxy setup need our attention.

This configuration is necessary because we are going to request a certificate specific to each domain, and will install a separate certificate for any subdomain your web application uses.

Hence, you must address the following setup first.

  1. Create an Nginx server block for your domain and make sure its server_name directive names the domain for which you are enabling SSL.
  2. Allow Nginx HTTPS traffic through the UFW firewall.
  3. Install Certbot, the client through which the certificate is requested from Let's Encrypt and later renewed.
  4. Validate Certbot auto-renewal.

How to enable Nginx Server Block configuration for domain?

This Nginx configuration is critical because Certbot must be able to find the correct server block file, with a server_name directive pointing to the proper domain name.

If you don't yet have a domain-specific file at /etc/nginx/sites-available/mydomain.com, you can create one with the following commands.

$ sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/mydomain.com

$ sudo nano /etc/nginx/sites-available/mydomain.com

Update the listen, root (if required) and server_name directives, then save the file.

In the end, your updated file should look something like this.

    server {
        listen 80;
        listen [::]:80;

        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;

        server_name mydomain.com www.mydomain.com;

        location / {
            try_files $uri $uri/ =404;
        }
    }

Now you have the Nginx server block file in the /etc/nginx/sites-available directory. Nginx only loads the files linked into /etc/nginx/sites-enabled (the default file is already linked there), so the new file has to be linked there as well before it takes effect. Then test and reload the Nginx configuration.

$ sudo nginx -t

$ sudo systemctl reload nginx

With this setup, Certbot can later find the server block and modify the configuration to enable HTTPS processing.
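The whole server block step as one script, added here as an example rather than code from the original post. It writes the block shown above for a domain, links it into sites-enabled (the step Nginx needs before the file is loaded), and only runs the real `nginx -t` and reload when given a domain argument. The optional second argument is an assumption of this example: it lets the same function write into a scratch directory instead of /etc/nginx so the output can be checked without touching a live server.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): provision the plain-HTTP
# server block Certbot needs to find, and enable it. Assumptions: the optional
# second argument redirects output to a scratch directory instead of
# /etc/nginx, and the default web root is /var/www/html as in the post.
set -eu

# write_server_block DOMAIN [NGINX_ETC] [WEBROOT]
# Writes NGINX_ETC/sites-available/DOMAIN, links it into sites-enabled
# (Nginx only includes that directory), and prints the enabled path.
write_server_block() {
  domain="$1"
  etc="${2:-/etc/nginx}"
  webroot="${3:-/var/www/html}"
  avail="$etc/sites-available/$domain"
  enabled="$etc/sites-enabled/$domain"

  mkdir -p "$etc/sites-available" "$etc/sites-enabled"
  # \$uri keeps the Nginx variables literal inside the unquoted heredoc.
  cat > "$avail" <<EOF
server {
    listen 80;
    listen [::]:80;

    root $webroot;
    index index.html index.htm index.nginx-debian.html;

    # Certbot's nginx plugin matches this directive against the -d values.
    server_name $domain www.$domain;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
  ln -sfn "$avail" "$enabled"
  printf '%s\n' "$enabled"
}

# server_names FILE: prints the server_name value of a server block, a quick
# way to confirm the enabled file names the domains Certbot will be asked for.
server_names() {
  sed -n 's/^[[:space:]]*server_name[[:space:]]*\(.*\);[[:space:]]*$/\1/p' "$1"
}

# With a domain argument, provision it for real, then validate and reload
# Nginx exactly as the post does (both need root on the server).
if [ -n "${1:-}" ]; then
  file=$(write_server_block "$1")
  echo "enabled $file for: $(server_names "$file")"
  sudo nginx -t && sudo systemctl reload nginx
fi
```

Run it as `bash provision.sh mydomain.com` on the server; the `server_names` check is worth keeping in any deploy script, since a server_name that does not match the `-d` values you pass to Certbot is the most common reason the nginx plugin cannot install the certificate.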

How to enable UFW Firewall to allow HTTPS traffics?

You can check which application profiles UFW currently knows about. Execute the command below and check that the Nginx profiles are already registered.

$ sudo ufw app list

Output like this below.

Available applications:

Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH

These profiles can then be allowed through the firewall if they are not already.

To check the current status, execute the below command.

$ sudo ufw status

Assuming that HTTPS traffic is not yet allowed, the output looks like this.

Status: active

To                  Action        From

OpenSSH             ALLOW       Anywhere
OpenSSH (v6)        ALLOW       Anywhere (v6)
Nginx HTTP          ALLOW       Anywhere

So, to allow HTTPS traffic, we can allow the Nginx Full profile (ports 80 and 443) and remove the now redundant Nginx HTTP rule from the firewall configuration. Port 80 still has to stay reachable, because Certbot's nginx plugin validates your domain over plain HTTP and the HTTP to HTTPS redirect chosen later answers on it; Nginx Full covers that, which is why the rules are applied in this order.

You can accomplish that with these two commands.

$  sudo ufw allow 'Nginx Full'

$  sudo ufw delete allow 'Nginx HTTP'

Just to make sure everything is configured as required, recheck the status.

$ sudo ufw status

The output should now print like this, with Nginx Full in place of Nginx HTTP.

Status: active

To                  Action        From

OpenSSH             ALLOW       Anywhere
Nginx Full          ALLOW       Anywhere
OpenSSH (v6)        ALLOW       Anywhere (v6)
Nginx Full (v6)     ALLOW       Anywhere (v6)
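A small check for the firewall state this section ends in, added as an example and not code from the original post. It reads `ufw status` text and reports whether the firewall is active, whether a profile opening 443 is allowed, and whether the HTTP-only rule is still lying around next to Nginx Full. The two sample outputs are constructed to mirror the before and after states above, and the standard ufw table layout is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check that `ufw status` shows
# the state the post is after. Assumes the standard ufw status table layout;
# the two sample outputs below are constructed to mirror the post's
# before/after states.
set -eu

UFW_BEFORE='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)'

UFW_AFTER='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)'

# ufw_https_state: reads `ufw status` text on stdin and prints one of
#   inactive        firewall is off, so the rules mean nothing
#   missing-https   no profile opening 443 is allowed
#   redundant-http  'Nginx HTTP' is still present next to 'Nginx Full'
#   ok
# and returns non-zero for anything but ok, so it can gate a deploy script.
ufw_https_state() {
  status=$(cat)
  if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
    echo inactive
    return 1
  fi
  if ! printf '%s\n' "$status" | grep -Eq '^Nginx (Full|HTTPS)( \(v6\))?[[:space:]]+ALLOW[[:space:]]'; then
    echo missing-https
    return 1
  fi
  if printf '%s\n' "$status" | grep -Eq '^Nginx HTTP( \(v6\))?[[:space:]]+ALLOW[[:space:]]'; then
    echo redundant-http
    return 1
  fi
  echo ok
}

# With --live, check the real firewall (needs root, as in the post).
if [ "${1:-}" = "--live" ]; then
  sudo ufw status | ufw_https_state
fi
```

The redundant-http case is reported as a failure on purpose: a leftover Nginx HTTP rule is harmless on its own, but it usually means the cleanup step was skipped and the firewall no longer matches what the documentation says it should look like.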

How to install Certbot in the Ubuntu Linux server?

A Let's Encrypt certificate can be installed in a variety of ways. Since we are using Ubuntu Linux and Nginx, the Nginx plugin needs to be installed along with Certbot.

These two commands will do just that.

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt install python-certbot-nginx

With these steps completed, we have all the packages and configuration needed to proceed with requesting the certificate.

How to install an open SSL certificate in Ubuntu Linux?

With a single Certbot command, we can request an SSL certificate from the Let's Encrypt server and complete all the initial configuration through the command-line interface.

Execute this command to start the process.

$  sudo certbot --nginx -d  mydomain.com -d  www.mydomain.com

There will be prompts in the terminal for you to provide some personal information to associate with your certificate, such as an email address, location details and name, and to choose some configuration options for the installation.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Provide all the necessary information and press ENTER until the end.

Validate Auto-renewal

A Let's Encrypt certificate has a limited validity period, and we have to renew it before expiry to keep HTTPS working on our website without interruption.

The Certbot package has an automated renewal solution, enabled by default upon installation. You can validate that it works by running this command.

$ sudo certbot renew --dry-run

This auto-renewal is scheduled as a cron job installed with Certbot. On renewal it requests a new certificate and reloads the Nginx configuration so the site keeps serving a valid one.

If there is any issue with your certificate, Let's Encrypt will use the email address given during configuration to notify you about the problem.
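A dry run proves that renewal can work; it does not prove that the scheduled job has actually been running. Let's Encrypt certificates are valid for 90 days and Certbot renews them once fewer than 30 days remain, so a live certificate with less than that left is the signal that the job has been failing. The script below, added here as an example and not code from the original post, parses the `certbot certificates` listing into days remaining per certificate and fails when any is inside that window. It assumes the `Expiry Date: ... (VALID: N days)` line format; the sample listing is constructed in that form.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): go one step past `certbot renew
# --dry-run` and check how long each installed certificate actually has left.
# Assumption: `certbot certificates` prints an "Expiry Date: ... (VALID: N days)"
# line per certificate; SAMPLE_CERTBOT_OUTPUT below is constructed in that form.
set -eu

SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: mydomain.com
    Domains: mydomain.com www.mydomain.com
    Expiry Date: 2020-06-13 11:22:33+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mydomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mydomain.com/privkey.pem
  Certificate Name: old.mydomain.com
    Domains: old.mydomain.com
    Expiry Date: 2020-03-20 08:00:00+00:00 (VALID: 5 days)
    Certificate Path: /etc/letsencrypt/live/old.mydomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.mydomain.com/privkey.pem'

# days_left: reads `certbot certificates` output on stdin and prints
# "<name> <days>" per certificate; an expired/invalid one is reported as 0.
days_left() {
  awk '
    /^[[:space:]]*Certificate Name:/ { name = $3 }
    /^[[:space:]]*Expiry Date:/ {
      if (match($0, /VALID: [0-9]+ days/)) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        print name, f[2]
      } else {
        print name, 0
      }
    }
  '
}

# renewal_healthy THRESHOLD: reads the "<name> <days>" lines and returns 0
# only if every certificate has more than THRESHOLD days left. Certbot renews
# at 30 days remaining, so a live certificate under that means the cron job
# has not been doing its work and needs attention before expiry.
renewal_healthy() {
  threshold="${1:-30}"
  healthy=0
  while read -r name days; do
    if [ "$days" -le "$threshold" ]; then
      echo "WARNING: $name has $days day(s) left" >&2
      healthy=1
    fi
  done
  return "$healthy"
}

# With --live, run the dry run the post recommends and then the day check
# against the real certificates (needs root, as in the post).
if [ "${1:-}" = "--live" ]; then
  sudo certbot renew --dry-run
  sudo certbot certificates | days_left | renewal_healthy 30
fi
```

Running `bash check-renewal.sh --live` from a monitoring cron entry turns a silent renewal failure into an alert long before the expiry notice from Let's Encrypt arrives.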

Inner Voice

I am the "Rent The Ant" Inner Voice, the collective voice of our team, both in-house and partners.