Published on October 21, 2024 by DeveloperBreeze

Tutorial: How to Create SSL for a Website on Ubuntu

Securing your website with an SSL (Secure Sockets Layer) certificate encrypts the communication between the server and its users. Modern servers use these certificates with TLS, the successor to SSL, although the older name is still in common use. In this tutorial, you'll learn how to create and install SSL certificates on an Ubuntu-based server using Let's Encrypt and Certbot. Let's Encrypt provides free SSL certificates, and Certbot simplifies the process of obtaining and renewing them.

Prerequisites:

  • A server running Ubuntu (18.04, 20.04, or newer).
  • A domain name pointing to the server's public IP.
  • Root or sudo user privileges.
  • A web server such as Apache or Nginx installed.

Step 1: Update Your Server

Start by ensuring your server’s packages are up to date. Run the following commands:

sudo apt update
sudo apt upgrade

Step 2: Install Certbot and the Web Server Plugin

Certbot is the client tool that will manage SSL certificate generation for Let's Encrypt. Depending on your web server (Apache or Nginx), install Certbot and the appropriate plugin.

For Apache:

sudo apt install certbot python3-certbot-apache

For Nginx:

sudo apt install certbot python3-certbot-nginx

Step 3: Obtain the SSL Certificate

Once Certbot is installed, you can generate the SSL certificate for your domain. Certbot automatically obtains the certificate and configures your web server to use it.

For Apache:

Run the following command to obtain and automatically configure your Apache server to use the SSL certificate:

sudo certbot --apache

For Nginx:

Run the following command to obtain the certificate and automatically configure your Nginx server:

sudo certbot --nginx

You’ll be prompted to:

  1. Enter your email address (for renewal notifications).
  2. Agree to the terms of service.
  3. Optionally allow or disallow Certbot to share your email with the EFF (Electronic Frontier Foundation).
  4. Choose whether to redirect all HTTP traffic to HTTPS (recommended).

Once done, Certbot will automatically fetch the SSL certificate for your domain and configure your web server.

Step 4: Verifying SSL Configuration

After successfully obtaining and installing the SSL certificate, verify the configuration by checking your website:

  1. Open your web browser and navigate to https://yourdomain.com.
  2. Ensure there is a padlock in the address bar, indicating the SSL certificate is correctly installed and active.

Alternatively, you can use an SSL checker tool like [SSL Labs](https://www.ssllabs.com/ssltest/) to verify the validity of your SSL installation.

Step 5: Auto-Renewal Setup

Let's Encrypt certificates are valid for 90 days. Certbot sets up automatic renewal by default, but it’s good practice to manually test it to ensure it’s working:

sudo certbot renew --dry-run

If there are no errors, Certbot is successfully configured to automatically renew your certificates before they expire.

Step 6: Optional Configuration (for Nginx or Apache)

For Nginx:

To restrict the server to modern protocol versions and cipher suites, you can edit your Nginx configuration file. Open it with a text editor:

sudo nano /etc/nginx/sites-available/default

Add the following lines inside your server block to enhance security:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384";
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;

Save the file and restart Nginx:

sudo systemctl restart nginx

For Apache:

Open your Apache SSL configuration file to further customize your SSL settings:

sudo nano /etc/apache2/sites-available/default-ssl.conf

Ensure that the SSL settings disable legacy protocol versions and weak ciphers:

SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

Save the file and restart Apache:

sudo systemctl restart apache2
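The protocol settings from Step 6 can be checked mechanically. The script below is an added example, not part of the original tutorial: it reports every `ssl_protocols` (Nginx) or `SSLProtocol` (Apache) line that still enables SSLv3, TLSv1 or TLSv1.1. The function name `legacy_protocols` and the sample config are constructed for illustration, and the handling of unsigned Apache tokens is an assumption about mod_ssl's parsing.

```bash
#!/usr/bin/env bash
# Added example: list legacy protocol versions a TLS config still enables.
# Prints "LINE: PROTO ..." for every directive that turns on SSLv3, TLSv1 or
# TLSv1.1, and prints nothing when the file is clean.
legacy_protocols() {
  awk '
    BEGIN { n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", known, " ") }
    function mark(name, val,    j) {
      name = tolower(name)
      if (name == "all") { for (j = 1; j <= n; j++) on[tolower(known[j])] = val }
      else on[name] = val
    }
    { sub(/#.*/, ""); gsub(/;/, ""); d = tolower($1) }   # drop comments and ";"
    d != "ssl_protocols" && d != "sslprotocol" { next }
    {
      split("", on)                        # start from an empty enabled set
      for (i = 2; i <= NF; i++) {
        t = $i; sign = substr(t, 1, 1)
        # Assumption: an unsigned Apache token replaces the set built so far;
        # nginx tokens form a plain allow-list.
        if (sign == "+" || sign == "-") t = substr(t, 2)
        else if (d == "sslprotocol") split("", on)
        mark(t, (sign != "-"))
      }
      bad = ""
      for (j = 1; j <= 3; j++) if (on[tolower(known[j])]) bad = bad " " known[j]
      if (bad != "") print NR ":" bad
    }
  ' "$1"
}

# Constructed sample: one weak nginx line, then two Apache variants.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # constructed weak setting
}
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol all -SSLv3
EOF
legacy_protocols "$sample"   # reports lines 3 and 6; line 5 is clean
rm -f "$sample"
```

Point the function at the files edited in Step 6; directives pulled in through include files are not followed.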

Step 7: Firewall Configuration (if applicable)

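If you are using ufw (Uncomplicated Firewall), ensure HTTPS traffic is allowed. If you manage the server over SSH, allow it before enabling the firewall so that your session is not cut off:

sudo ufw allow OpenSSH        # Keep SSH access before enabling the firewall
sudo ufw allow 'Apache Full'  # For Apache
sudo ufw allow 'Nginx Full'   # For Nginx
sudo ufw enable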

Conclusion

Congratulations! You’ve successfully created and installed an SSL certificate for your website on Ubuntu using Let's Encrypt and Certbot. Your website is now secured with HTTPS, ensuring safe communication between users and your server.
