SSL/TLS certificate set-up in Linux (Ubuntu)

To set up an SSL/TLS certificate on Linux (Ubuntu), follow these general steps:

Obtain an SSL certificate:

  • You can generate a self-signed certificate for testing, purchase one from a trusted certificate authority (CA), or obtain a free one from Let's Encrypt with certbot (covered further down). Browsers only trust certificates issued by a CA they know, so a self-signed certificate produces a warning and is not suitable for a public site.
  • If you choose a CA, follow its instructions for obtaining the certificate. Typically you will need to provide a certificate signing request (CSR) generated on your server; the CA never needs, and must never be sent, your private key.

Install OpenSSL:

  • OpenSSL is the widely used cryptographic library that provides the command-line tools and libraries for SSL/TLS.
  • It is usually pre-installed on Ubuntu. To make sure it is present and up to date, run:
sudo apt update
sudo apt install openssl

Generate a private key and certificate signing request (CSR):

  • The following command creates a new 2048-bit RSA private key (your_domain.key, left unencrypted by -nodes so Apache can read it without a passphrase at start-up) and a CSR (your_domain.csr) signed with that key. Replace your_domain with your actual domain name, and enter the same domain as the Common Name when prompted.
openssl req -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr
  • A CSR is what you submit to a CA. For a self-signed testing certificate you do not need a CSR at all: add -x509 and a validity period (for example -x509 -days 365) to the same command and change -out to your_domain.crt, and OpenSSL writes a certificate instead of a request.
  • Before generating, check the CA's documentation for its requirements (key size, hostnames to include). Modern browsers ignore the Common Name and match the hostname against the subjectAltName extension, so the CSR should list every hostname the certificate must cover, including www.
  • Restrict the key file to root (chmod 600) as soon as it exists; anyone who obtains it can impersonate your site.
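The key, CSR and self-signed variants of the step above as shell functions, added here as an example and not part of the original gist. It assumes OpenSSL 1.1.1 or newer (for -addext), and the domain names and output directory passed to the functions are placeholders. It goes beyond the single command in the text by adding a subjectAltName for every hostname, creating the key with 0600 permissions from the outset, and verifying the CSR the way a CA would on receipt.

```bash
#!/usr/bin/env bash
# Added example (not from the gist). Generates a private key plus either a CSR
# for a CA or a self-signed certificate, with a subjectAltName listing every
# hostname, and verifies the result. Assumes OpenSSL 1.1.1+ (for -addext);
# domain names and output directories are placeholders chosen by the caller.
set -e

# _san_list DOMAIN [EXTRA...]: build "DNS:a,DNS:b,..." for -addext
_san_list() {
  local san="DNS:$1" alt
  shift
  for alt in "$@"; do san="${san},DNS:${alt}"; done
  printf '%s' "$san"
}

# gen_key_and_csr DOMAIN OUTDIR [EXTRA_DNS...]
# Writes OUTDIR/DOMAIN.key (mode 0600, unencrypted) and OUTDIR/DOMAIN.csr.
# The CSR is what you send to the CA; the key never leaves the server.
gen_key_and_csr() {
  local domain=$1 outdir=$2
  shift 2
  mkdir -p "$outdir"
  ( umask 077   # key is created 0600 from the start, no race with a later chmod
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "${outdir}/${domain}.key" \
      -out "${outdir}/${domain}.csr" \
      -subj "/CN=${domain}" \
      -addext "subjectAltName=$(_san_list "$domain" "$@")" )
}

# gen_self_signed DOMAIN OUTDIR [EXTRA_DNS...]
# Same key generation, but -x509 makes OpenSSL emit a self-signed certificate
# (OUTDIR/DOMAIN.crt, valid 365 days) instead of a CSR. For testing only.
gen_self_signed() {
  local domain=$1 outdir=$2
  shift 2
  mkdir -p "$outdir"
  ( umask 077
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
      -keyout "${outdir}/${domain}.key" \
      -out "${outdir}/${domain}.crt" \
      -subj "/CN=${domain}" \
      -addext "subjectAltName=$(_san_list "$domain" "$@")" )
  chmod 644 "${outdir}/${domain}.crt"   # the certificate is public; the key stays 0600
}

# verify_csr FILE: exit 0 if the CSR's self-signature is valid, i.e. it was
# really produced with the key it claims, as a CA checks on receipt.
verify_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_sans FILE: print the CSR's subjectAltName entries (empty if it has none).
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage (writes into ./tls; replace the names with your own):
#   gen_key_and_csr your_domain.com ./tls www.your_domain.com
#   verify_csr ./tls/your_domain.com.csr && csr_sans ./tls/your_domain.com.csr
```

Send only the .csr to the CA; the .key stays on the server and is later copied to /etc/ssl/private as described below.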

Submit the CSR to the certificate authority (if applicable):

  • If you've purchased a certificate, submit the generated CSR to the CA following their instructions.
  • After validating that you control the domain, the CA issues the certificate, usually together with one or more intermediate CA certificates (the "chain" or "bundle"). Keep both; browsers need the intermediates to build a trust path to a root they know.

Configure your web server to use the SSL certificate:

  • Assuming you're using Apache as your web server (installed in the next step), enable the SSL module if it's not already enabled:
sudo a2enmod ssl
  • Copy the certificate and private key to a location on your server that only root can read. On Ubuntu, /etc/ssl/private already exists for this purpose (owned by root and not world-accessible), so the mkdir below only matters on a system that lacks it:
sudo mkdir -p /etc/ssl/private
sudo cp your_domain.key /etc/ssl/private/
sudo cp your_domain.crt /etc/ssl/private/
sudo chmod 600 /etc/ssl/private/your_domain.key

Install your web server and open ports 80 and 443:

  • We will install Apache as the example web server:
sudo apt update
sudo apt install apache2
  • Next, configure the firewall so that only port 80 (HTTP) and port 443 (HTTPS) accept incoming connections, plus whatever you use to administer the machine (normally SSH on port 22). Everything else stays blocked.
  • Ubuntu ships ufw (Uncomplicated Firewall). Check its current status with: sudo ufw status
  • If you administer the server over SSH, allow it before enabling the firewall, or you will lock yourself out: sudo ufw allow OpenSSH
  • Allow incoming HTTP and HTTPS: sudo ufw allow 80/tcp and sudo ufw allow 443/tcp (equivalently, sudo ufw allow 'Apache Full' uses the application profile that the apache2 package installs).
  • ufw's default policy already denies all other incoming traffic and allows outgoing traffic; you can state it explicitly with: sudo ufw default deny incoming
  • Explicit deny rules for the remaining port ranges are therefore unnecessary. If you do write range rules, ufw requires the protocol, e.g. sudo ufw deny proto tcp from any to any port 444:65535; without proto the command is rejected.
  • If ufw is not already enabled, enable it now: sudo ufw enable
  • Verify the rules with: sudo ufw status verbose. The output should list OpenSSH, 80/tcp and 443/tcp as allowed and show "Default: deny (incoming)".
  • Restart your web server to apply the changes: sudo service apache2 restart
  • Adapt these instructions if you're using a different firewall management tool or Linux distribution.
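The firewall procedure above as a script, added here as an example and not part of the original gist. It assumes ufw is installed and that the script runs with sudo available; the SSH port is a parameter. The point it demonstrates is ordering: the SSH rule must be in place before ufw is enabled, the default-deny policy replaces the per-range deny rules, and the UFW variable lets you print the plan (UFW=echo) before running it against a live server.

```bash
#!/usr/bin/env bash
# Added example (not from the gist). Applies the firewall policy above in an
# order that cannot lock you out of a remote server: the SSH rule goes in
# before "enable", the default policy handles "everything else denied", and
# no per-range deny rules are needed. $UFW defaults to "sudo ufw" and can be
# overridden (e.g. UFW=echo) to review the plan without touching the firewall.
set -e

: "${UFW:=sudo ufw}"

# firewall_plan [SSH_PORT]: print the ufw sub-commands, one per line, in the
# order they must run. "limit" allows SSH but rate-limits new connections,
# which blunts password brute-forcing; "--force" skips the interactive
# "may disrupt existing ssh connections" prompt so the script is non-interactive.
firewall_plan() {
  local ssh_port=${1:-22}
  cat <<EOF
default deny incoming
default allow outgoing
limit ${ssh_port}/tcp
allow 80/tcp
allow 443/tcp
--force enable
status verbose
EOF
}

# apply_firewall [SSH_PORT]: run every planned sub-command through $UFW.
apply_firewall() {
  local line
  firewall_plan "${1:-22}" | while IFS= read -r line; do
    # shellcheck disable=SC2086  # $UFW and $line are meant to be word-split
    $UFW $line
  done
}

# plan_line_no PLAN NEEDLE: 1-based line number of the first plan line that
# contains NEEDLE (non-zero exit if absent); used to check ordering constraints.
plan_line_no() {
  printf '%s\n' "$1" | grep -n -m 1 -- "$2" | cut -d: -f1
}

# Usage on the server (needs root):  apply_firewall 22
# Review first without changes:      UFW=echo apply_firewall 22
```

If SSH listens on a non-default port, pass that port instead of 22; the ordering guarantee is the same.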

SnapD

  • snapd is the package management system and tooling for snap packages on Ubuntu.
  • Snap packages are self-contained software packages that can be installed and managed independently of the underlying system.
  • Install snapd, then install the core snap and make sure it is up to date; core provides the basic runtime environment for running snap packages:
sudo apt install snapd
sudo snap install core; sudo snap refresh core

certbot

  • Next, install certbot, the tool for automating the process of obtaining and renewing certificates from Let's Encrypt, a free certificate authority. The snap is the installation method the certbot project recommends on Ubuntu.
sudo snap install --classic certbot
  • The --classic option lets the snap access files outside its confined environment, which certbot needs in order to read and edit the Apache configuration and write certificates under /etc/letsencrypt.
sudo ln -s /snap/bin/certbot /usr/bin/certbot
  • This creates a symbolic link (ln -s) from the /snap/bin/certbot executable to /usr/bin/certbot, so the certbot command is on the default PATH and can be run from anywhere without the full path. If an older certbot was installed with apt, remove it first (sudo apt remove certbot); otherwise /usr/bin/certbot already exists and the link fails.
Use the certbot tool to obtain a certificate and configure Apache for it automatically:
sudo certbot --apache
  • Certbot reads the Apache configuration on your system and identifies the virtual hosts configured within it.
  • Certbot prompts you to select the specific virtual host(s) (domain names) for which you want to obtain and install certificates.
  • Once you've selected them, Certbot talks to the Let's Encrypt CA and completes a challenge (for the Apache plugin, an HTTP-01 challenge answered by your web server on port 80) to prove that you control the domain(s). This is why port 80 must be reachable from the internet and DNS must already point at this server.
  • If the challenge succeeds, Certbot retrieves the certificate and automatically writes an HTTPS (HTTP over SSL/TLS) virtual host for the selected site(s), normally as /etc/apache2/sites-available/your_domain-le-ssl.conf, pointing at the files under /etc/letsencrypt/live/your_domain/.
  • Certbot also sets up automatic renewal. The snap installs a systemd timer (snap.certbot.renew.timer) that runs certbot renew twice daily and replaces certificates that are within 30 days of expiry; non-snap installations use a cron job for the same purpose. Confirm that renewal works before the first expiry with: sudo certbot renew --dry-run
  • Running sudo certbot --apache is therefore the quickest way to enable HTTPS on an Apache site; the manual virtual-host configuration further down is only needed for certificates from another CA or self-signed ones.

Certbot will then ask you for the following:

Enter email address (used for urgent renewal and security notices): yourmail@gmail.com
Agree to the Let's Encrypt terms of service: Yes
Share your email address with the Electronic Frontier Foundation (optional): No
Select the domain name(s) to activate HTTPS for: 1 (or the numbers of the names you want)
Certbot reports: Successfully deployed certificate

Configure your virtual host to use the SSL certificate

  • This step is for a certificate you obtained from a CA yourself or a self-signed one. If you ran certbot --apache, it has already created and enabled this configuration (your_domain-le-ssl.conf) and you can skip to the restart.
  • Open the virtual host configuration file, e.g. /etc/apache2/sites-available/your_domain.conf
  • Add a <VirtualHost> section for port 443 like the following (the existing *:80 section can stay to serve HTTP, or redirect to HTTPS):
<VirtualHost *:443>
    ServerName your_domain.com
    ServerAlias www.your_domain.com
    DocumentRoot /your document root path
    SSLEngine on
    SSLCertificateFile /etc/ssl/private/your_domain.crt
    SSLCertificateKeyFile /etc/ssl/private/your_domain.key
</VirtualHost>
  • ServerName must be the hostname clients use: Apache uses it (via SNI) to select this virtual host, and it must match a name in the certificate. The ServerAlias directive specifies additional domain names for the same virtual host, so it should include the "www" subdomain as well, and the certificate must cover that name too.
  • The DocumentRoot directive should contain the actual path to your website's document root; /your document root path is a placeholder. Replace it with the correct path, such as /var/www/your_domain.com
  • If the CA gave you intermediate certificates separately, append them after your own certificate in your_domain.crt (Apache 2.4.8 and later read the whole chain from SSLCertificateFile); otherwise clients see an incomplete chain and may reject the connection.

Restart your web server:

  • After making changes to the configuration, check the syntax with sudo apachectl configtest, then restart Apache to apply the new settings:
sudo service apache2 restart
  • Your web server should now be configured to use the SSL certificate.
  • Ensure that your DNS records point to your server's IP address (certbot's challenge already required this).
  • You should be able to access your website securely using https://your_domain.com, with no certificate warning in the browser (a warning is expected only for a self-signed certificate).
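A set of post-installation checks, added here as an example and not part of the original gist. It assumes openssl on the PATH; the file paths, hostnames and the 30-day threshold are placeholders. These catch the mistakes that survive a clean Apache restart: a key that does not belong to the certificate (for instance an old key copied next to a renewed certificate), a certificate that is about to expire, and a hostname (such as www) that the certificate does not actually cover.

```bash
#!/usr/bin/env bash
# Added example (not from the gist). Sanity checks to run after installing a
# certificate, covering the mistakes that survive a clean Apache restart: key
# and certificate that do not belong together, a certificate about to expire,
# and a hostname the certificate does not cover. Assumes openssl on PATH;
# file paths, hostnames and thresholds are placeholders.
set -e

# key_matches_cert KEY CRT: exit 0 if the public key derived from the private
# key is byte-identical to the public key inside the certificate.
key_matches_cert() {
  local key_fp cert_fp
  key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  cert_fp=$(openssl x509 -in "$2" -noout -pubkey \
            | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$key_fp" = "$cert_fp" ]
}

# cert_valid_for_days CRT [DAYS]: exit 0 if the certificate is still valid
# DAYS days from now (default 30, the point at which certbot would renew).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# cert_covers_name CRT NAME: exit 0 if NAME is one of the certificate's
# subjectAltName DNS entries (browsers match on SAN, not the Common Name).
cert_covers_name() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -qwF -- "DNS:$2"
}

# check_installed KEY CRT NAME...: run all offline checks, report each, and
# exit 1 if any fails. Run this before (or right after) restarting Apache.
check_installed() {
  local key=$1 crt=$2 name rc=0
  shift 2
  key_matches_cert "$key" "$crt" && echo "ok: key matches certificate" \
    || { echo "FAIL: $key does not match $crt"; rc=1; }
  cert_valid_for_days "$crt" 30 && echo "ok: valid for more than 30 days" \
    || { echo "FAIL: $crt expires within 30 days"; rc=1; }
  for name in "$@"; do
    cert_covers_name "$crt" "$name" && echo "ok: covers $name" \
      || { echo "FAIL: $crt does not cover $name"; rc=1; }
  done
  return "$rc"
}

# live_tls_check HOST [PORT]: connect with SNI and show the verify result and
# the served chain as a browser would see it. Needs network; not run offline.
live_tls_check() {
  openssl s_client -connect "${1}:${2:-443}" -servername "$1" </dev/null 2>&1 \
    | grep -E 'Verify return code|^ *[0-9]+ s:|^ *i:'
}

# Usage (paths from the steps above):
#   check_installed /etc/ssl/private/your_domain.key /etc/ssl/private/your_domain.crt \
#                   your_domain.com www.your_domain.com
#   live_tls_check your_domain.com
```

"Verify return code: 0 (ok)" from live_tls_check means the served chain is complete and trusted by the local CA store; a code 21 (unable to verify the first certificate) usually means the intermediate certificates were not appended to the certificate file.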