How to Secure Nginx and Apache using Let’s Encrypt


 

Overview:

In an era of data breaches and cyber attacks, it is crucial to safeguard your website against attackers and fraudsters. The standard way to protect a site's traffic is Transport Layer Security (TLS), still commonly called Secure Sockets Layer (SSL): an encryption-based internet security protocol that gives visitors confidentiality, data integrity, and assurance that they are talking to the genuine server. Demand for the SSL/TLS certificates this requires has grown accordingly, in both paid and free offerings, and Let's Encrypt has become the go-to option for many when it comes to a free and open certificate authority.

This article walks you through securing the Nginx and Apache web servers with Let's Encrypt on Ubuntu 18.04.

 

Pre-requisites:

 

Installing SSL certificate for Nginx and Apache on Ubuntu 18.04

As it is important to use up-to-date Certbot packages, use the Ubuntu software repository (PPA) maintained by the Certbot developers instead of the one provided by the Ubuntu team, which may be outdated.

 

Step 1: Installing Certbot in Nginx

Include the repository as follows, 

sudo add-apt-repository ppa:certbot/certbot
 

Next, to install the Certbot Nginx package, use the command:

sudo apt install python-certbot-nginx
 

Enabling Firewall rules

Here, you need to adjust the firewall rules to allow HTTPS traffic. When you installed Nginx, it registered a few ufw application profiles; to list them, type:

 
sudo ufw app list
 

Output

Available applications:
  CUPS
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
 

Now, to allow HTTPS, type the following, 

 
sudo ufw allow 'Nginx Full' 
sudo ufw status
 

Output

Status: active
To                     Action        From
--                     ------       ------
OpenSSH                ALLOW       Anywhere
Nginx Full             ALLOW       Anywhere
OpenSSH (v6)           ALLOW       Anywhere (v6)
Nginx Full (v6)        ALLOW       Anywhere (v6)
 

Step 2: Installing Certbot in Apache

The same concern about outdated packages applies to the Apache web server. Instead of the Apache packages from Ubuntu, add the same Certbot PPA:

 
sudo add-apt-repository ppa:certbot/certbot
 

Install the Certbot Apache packages using the command,

 
sudo apt install python-certbot-apache
 

Enabling Firewall rules

After installing the Apache packages, you need to configure the firewall rules to allow HTTPS traffic to the web server. Apache likewise registers ufw application profiles; to view them, type:

 
sudo ufw app list
 
Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH
 

Now, type the following command to let in the HTTPS traffic. 

 
sudo ufw allow 'Apache Full'
sudo ufw status
 

Output

Status: active
To                   Action       From
--                  ------        ------
OpenSSH              ALLOW       Anywhere                  
Apache Full          ALLOW       Anywhere                  
OpenSSH (v6)         ALLOW       Anywhere (v6)             
Apache Full (v6)     ALLOW       Anywhere (v6)
 

Step 3: Installation of SSL certificate in Nginx

 

The server block setup:

 

1) Open the server block configuration file for your site:

sudo nano /etc/nginx/sites-available/sample.com
 

2) Make sure the block has a server_name directive listing your domains, like below:

 
server {
    listen 80;
    ...
    server_name sample.com www.sample.com;
    ...
}
 

3) During the SSL certificate creation, the web server must listen on port 80, because the http-01 challenge Certbot uses is served over plain HTTP.
Before creating the certificate, check the configuration for syntax errors with the following command:

 
sudo nginx -t
 

Output 

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
 

Once the syntax is found to be correct, restart Nginx.

 

For restarting Nginx service, type:

sudo service nginx restart
 

Let’s check the status of Nginx service.

sudo service nginx status
 

Output

nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-06-03 11:00:37 UTC; 3s ago
     Docs: man:nginx(8)
  Process: 3049 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 3063 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 3052 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 3065 (nginx)
    Tasks: 2 (limit: 1152)
   CGroup: /system.slice/nginx.service
           ├─3065 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           └─3068 nginx: worker process
Jun 03 11:00:37 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: Stopped A high performance web server and a reverse proxy server.
Jun 03 11:00:37 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: Starting A high performance web server and a reverse proxy server...
Jun 03 11:00:37 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Jun 03 11:00:37 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: Started A high performance web server and a reverse proxy server.
 

Step 4: Creation of SSL certificate

To use the Nginx plugin for necessary reconfiguration and reloading, use the below command,

 
sudo certbot --nginx -d sample.com -d www.sample.com
 

Submit your email address and agree to the terms and conditions; Certbot then verifies that you control the domains for which you have requested a certificate.

Output

sudo certbot --nginx -d sample.com -d www.sample.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): testing@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sample.com
http-01 challenge for www.sample.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/sample.com
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/sample.com

Next, you will be prompted on how you would like to configure the HTTPS settings on your Nginx web server.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/sample.com
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/sample.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://sample.com and
https://www.sample.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=sample.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.sample.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Upon successful completion, you will be shown a confirmation message like below.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sample.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sample.com/privkey.pem
   Your cert will expire on 2020-09-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
 

Step 5: Installation of SSL certificate in Apache

 

The server block setup:

 

1) Open the virtual host configuration file for your site:

 
sudo nano /etc/apache2/sites-available/sample.com
 

2) Make sure the virtual host has ServerName and ServerAlias directives listing your domains, like below:

 
<VirtualHost *:80>
    ServerName sample.com
    ServerAlias www.sample.com
</VirtualHost>
 

3) During the creation of the SSL certificate, ensure that the web server listens on port 80, because the http-01 challenge Certbot uses is served over plain HTTP.
Before creating the certificate, check for syntax errors using the following command:

 
sudo apache2ctl configtest
 

Output

Syntax OK
 

If the syntax is found to be correct, reload Apache so that it picks up the new configuration.

 

For reloading Apache service, type:

sudo systemctl reload apache2
 

Let’s check the status of Apache service.

sudo service apache2 status
 

Output

apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: active (running) since Wed 2020-06-03 11:17:55 UTC; 5s ago
  Process: 4628 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
  Process: 4633 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
 Main PID: 4649 (apache2)
    Tasks: 55 (limit: 1152)
   CGroup: /system.slice/apache2.service
           ├─4649 /usr/sbin/apache2 -k start
           ├─4652 /usr/sbin/apache2 -k start
           └─4653 /usr/sbin/apache2 -k start
Jun 03 11:17:55 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: Stopped The Apache HTTP Server.
Jun 03 11:17:55 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: Starting The Apache HTTP Server...
Jun 03 11:17:55 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: Started The Apache HTTP Server.
 

Step 6: Creation of SSL certificate in Apache

To create the SSL certificate for Apache, use the Apache plugin, which handles the required reconfiguration and reloading:

 
sudo certbot --apache -d sample.com -d www.sample.com
 

Submit your email address at the Certbot prompt and agree to its terms and conditions; Certbot then verifies that you control the domains for which you are requesting the SSL certificate.

 

Output

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): testing@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sample.com
http-01 challenge for www.sample.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/sample.com
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/sample.com

Next, you will be prompted on how you would like to configure the HTTPS settings on your Apache web server.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the web server configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/apache2/sites-enabled/sample.com
Redirecting all traffic on port 80 to ssl in /etc/apache2/sites-enabled/sample.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://sample.com and
https://www.sample.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=sample.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.sample.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Upon successful completion, you will be shown a confirmation message like below.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sample.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sample.com/privkey.pem
   Your cert will expire on 2020-09-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
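Once Certbot has deployed the certificate (Step 4 for Nginx, Step 6 for Apache), it is worth confirming from the outside that the served chain really covers both names, how many days remain before the 90-day certificate expires, and that the redirect chosen at option 2 actually sends plain HTTP to HTTPS. The script below is an added example, not part of the original article or of Certbot; it uses only the Python standard library and assumes the sample.com and www.sample.com names used in the steps above.

```python
import socket
import ssl
import time
from http.client import HTTPConnection
from urllib.parse import urlsplit

# Let's Encrypt certificates are valid for 90 days; "certbot renew" only acts
# once fewer than 30 days remain, so anything under that deserves attention.
RENEW_THRESHOLD_DAYS = 30

def fetch_cert(host, port=443):
    """Return the served certificate as the dict getpeercert() gives. The
    default context verifies the chain against the system trust store, so a
    chain browsers would reject raises ssl.SSLError here too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_report(cert, required_domains, now=None):
    """Check SAN coverage and remaining lifetime of a getpeercert()-style dict;
    now is epoch seconds (defaults to the current time)."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    sans = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    missing = sorted(set(required_domains) - sans)
    return {"days_left": days_left, "missing": missing,
            "needs_renewal": days_left < RENEW_THRESHOLD_DAYS,
            "ok": not missing and days_left >= RENEW_THRESHOLD_DAYS}

def check_redirect(status, location, host):
    """True if a plain-HTTP response is a permanent redirect to HTTPS on the
    same host, which is what option 2 in the Certbot prompt configures."""
    target = urlsplit(location or "")
    return status in (301, 308) and target.scheme == "https" and target.hostname == host

def http_redirects(host):
    """Request http://host/ and confirm it redirects to HTTPS."""
    conn = HTTPConnection(host, 80, timeout=10)
    conn.request("GET", "/")
    resp = conn.getresponse()
    return check_redirect(resp.status, resp.getheader("Location"), host)

if __name__ == "__main__":
    domains = ["sample.com", "www.sample.com"]  # assumed names; replace with yours
    for domain in domains:
        print(domain, cert_report(fetch_cert(domain), domains),
              "redirect ok" if http_redirects(domain) else "NO HTTPS REDIRECT")
```

Run it from a machine outside your server (or as a cron job) so that a failed renewal is noticed well before the "needs_renewal" threshold becomes an outage.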
 

Conclusion:

In this article, you have learned why securing your website matters and got to know Let's Encrypt, the preferred choice for many when it comes to a free and open-source certificate authority. The article covers the stages involved in obtaining SSL certificates: Certbot installation, firewall configuration, and SSL certificate creation for both the Apache and Nginx web servers on your Ubuntu 18.04 system.
