Adding SSL/TLS with CertBot

Published 13:08 on 17 October, 2018

Security is essential for the modern internet. In order to ensure connections stay secure across the information superhighway, it’s a good idea to implement SSL/TLS on your web servers—even when they’re only serving mundane musings like this blog.

Secured connections require a certificate, which needs to be issued by a trusted third-party certificate authority (CA). This used to be costly and slow and required a great deal of manual jiggery-pokery. However, thanks to Let’s Encrypt, a free automated CA, obtaining certificates for SSL/TLS is now very easy indeed.

With that in mind, let me walk you through activating SSL/TLS for your web server using CertBot, an automated tool that will implement SSL and regularly update the required certificates via Let’s Encrypt.

Certificates

The SSL/TLS certificate lets a client verify the server and establish a secure session with it over the SSL/TLS protocol. This secure connection cannot be established without the certificate, which binds the owner's identity (the domain and, for some certificate types, the organisation behind it) to a cryptographic key. Certificates are issued by a Certificate Authority, which certifies ownership, usually after payment and a further validation process against the domain in question. However, these days there is a better option.

Let’s Encrypt

Let’s Encrypt is a free, automated, and open certificate authority, run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG), and they issue certificates for free simply because they believe in a more secure internet for everyone.

It’s worth noting that Let’s Encrypt only issues Domain Validation (DV) certificates, and not the more rigorously validated Organisation Validation (OV) or Extended Validation (EV) certs, as issuance is more complicated for these. Be sure to understand the difference between these certificate types, because you may well do better implementing the alternatives for more trust in your business. There’s a good explanation of the differences between certificates over at SSL.com. There’s also a great explanation of how Let’s Encrypt works over on their site, so I won’t waste too much time on it here. In short, by making the issuance of DV certificates free, the ISRG have made the entire process of implementing SSL/TLS on your servers almost painless.

Certbot

Certbot is an easy-to-use automatic client for Let’s Encrypt that fetches and deploys SSL/TLS certificates for your webserver. If you’ve ever undertaken the manual struggle of certificate management, Certbot will be a breath of fresh air.

As a workflow, you simply install Certbot on your server, run through a short configuration process to identify the sites you wish to turn SSL/TLS on for, and then it will do all the hard work: requesting certificates, installing them, setting up your webserver configuration, and restarting the webserver. It’ll even create redirects from HTTP to HTTPS if you want them. What’s more, it’ll keep an eye on your certificates and renew them when the time comes, so you almost never have to think about it again.

Installation and configuration

If you refer to the Certbot documentation, they have walkthroughs for common cross-sections of webservers and hosts. In my case, I was working with Ubuntu Bionic and Nginx:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

This got Certbot installed on the host, and then all I needed to do was kick-off the configuration process for Nginx:

$ sudo certbot --nginx

Certbot will then ask which sites in your Nginx configuration you want to activate SSL/TLS for, reach out to Let’s Encrypt to obtain certificates and install them, update your Nginx configuration, and restart the Nginx service.

If you’re a little more precious about your Nginx configuration files, Certbot can be directed to only obtain certificates with the following command:

$ sudo certbot --nginx certonly

Obviously, you’ll then need to update your Nginx configuration yourself.
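As an added example (not from the original post), here is the kind of minimal Nginx server block you would write yourself after `certbot --nginx certonly`. `example.com` and the `root` path are placeholders; the certificate paths are the standard Certbot `live` locations under `/etc/letsencrypt`.

```nginx
# Added example: Nginx configuration for certificates obtained with
# `certbot --nginx certonly`. Replace "example.com" with your domain.

# Redirect all plain-HTTP traffic to HTTPS (the redirect `certbot --nginx`
# would otherwise offer to add for you).
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # fullchain.pem = your certificate plus the Let's Encrypt intermediate;
    # privkey.pem = the private key. Both are symlinks that Certbot re-points
    # at the newest files on every renewal, so a renewal only needs an
    # Nginx reload, never a config change.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Leave legacy SSLv3 / TLS 1.0 / TLS 1.1 disabled.
    # (TLS 1.3 needs Nginx >= 1.13 built against OpenSSL 1.1.1.)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to use HTTPS only for this host for the next year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/example.com;   # placeholder document root
    index index.html;
}
```

Because `certonly` leaves Nginx alone, a renewal will not reload it for you; run `certbot renew --deploy-hook "systemctl reload nginx"` (or put the hook in the renewal config) so the renewed certificate is actually served.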

At this point you have successfully set up your site(s) for SSL/TLS and can happily go about your day, safe in the knowledge your users’ connections are encrypted.

Automatic Renewal

The Certbot package also installs a cron job that will renew your certificates automatically before they expire. This is a great feature because Let’s Encrypt certificates last for only 90 days.

You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run

Wildcards

It’s also possible to have Certbot obtain a wildcard certificate that covers all subdomains of your domain. However, this requires installation of a DNS plugin and use of Let’s Encrypt’s ACMEv2 server. You can find information about how to do all this in the excellent Certbot documentation.

Summary

As you can see, going the extra mile for your users and encrypting their connections is actually pretty painless when you adopt Certbot and Let’s Encrypt. Hopefully this short post will help a few folks get over the fear of implementing SSL/TLS, and help to ensure more of the web is secure!