How to secure your site/app with a free SSL certificate

If you want to enable secure connections to either a web site or app that you're running on your own private server, you can obtain a free SSL certificate from Let's Encrypt.

In this tutorial, we'll walk through the steps of securing a simple website with Let's Encrypt on a Digital Ocean Droplet that is running Nginx.

Prerequisites

To follow this tutorial through fully you'll need:

  • A Digital Ocean Droplet running Ubuntu with Nginx (any other private server provider will also be fine)
  • An existing website or app configured and served through Nginx that has not yet been secured (see this post for a walkthrough of setting up a site).
  • A bit of familiarity with the terminal/command line

Installing Let's Encrypt

Let's Encrypt is a not-for-profit organisation that provides free SSL certificates for securing websites and web apps.

You can, of course, purchase your own SSL certificate from another provider, but there's really no need to for the majority of small and hobby projects.

In order to make use of Let's Encrypt's service, we'll be installing their software onto our Droplet.

To do this, SSH onto your Droplet and install the certbot package from Let's Encrypt.

ssh user@<domain or Droplet IP>

sudo add-apt-repository ppa:certbot/certbot
sudo apt install python-certbot-nginx

We're now ready to use the certbot package to install a certificate for our domain.

Obtaining an SSL certificate

To obtain a certificate from Let's Encrypt, simply run the following, substituting mysite.com for your website's domain:

sudo certbot --nginx -d mysite.com -d www.mysite.com

Note: We're telling certbot to use the nginx plugin here which will automatically update our Nginx config files for this site. It's a good idea to run sudo nginx -t to check the config has been updated OK. Other plugins for certbot are also available if you're using a different web server. See certbot.eff.org/docs/using.html#getting-cer.. for more details.

Here, we are actually requesting two certificates, one for the 'non-www' version of the site (i.e. mysite.com) and another for the 'www' subdomain.

When you run the above command, certbot will ask you for some preferences on how you would like to handle redirects when a user requests the 'non-www' version of your site.

For example, you can keep the user on the same domain or force them to redirect to the 'www' version.

If you now visit your site/webapp with a corresponding https:// prefix you should see that the site is now secured!

If you click the padlock when viewing the site in Chrome (or the equivalent in other browsers), you should see the certificate registered:

[Screenshot: the certificate details shown in Chrome's padlock view]

Checking the firewall configuration

Depending on how you have it configured, you might need to check the firewall setup for your Droplet to ensure port 443 (for HTTPS connections) is open.

Check your firewall status with:

sudo ufw status

If you don't see Nginx Full or Nginx HTTPS in the output from the above command then you will need to enable this in the firewall. For example:

sudo ufw allow 'Nginx Full'

Next steps

One drawback with Let's Encrypt certificates is that they need to be renewed every 90 days, so you'll need to ensure you log on to your Droplet and renew the certificates regularly.
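As an added example (not part of the original post or of certbot), the following POSIX shell script turns the notAfter= line printed by openssl x509 -enddate into the number of days a certificate has left, using integer shell arithmetic only so it behaves the same on any Droplet; cert_days_left is the live wrapper, mysite.com is a placeholder for your own domain, and the 30-day threshold is the point at which certbot itself renews.

```shell
#!/bin/sh
# Added example, not from the original post. Computes the days left on a certificate
# from the "notAfter=..." line that `openssl x509 -noout -enddate` prints, using
# integer shell arithmetic only (no GNU `date -d`), so it runs the same on any Droplet.

# Map OpenSSL's three-letter month name to 1..12.
month_number() {
  case "$1" in
    Jan) echo 1;; Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;  May) echo 5;;  Jun) echo 6;;
    Jul) echo 7;; Aug) echo 8;;  Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) return 1;;
  esac
}

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (proleptic Gregorian calendar).
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi           # the formula's year starts in March
  era=$((y / 400)); yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# days_until_expiry "notAfter=Apr 18 08:56:45 2021 GMT" NOW_EPOCH -> whole days left
# (negative once expired). Passing "now" explicitly keeps the function testable offline.
days_until_expiry() {
  now=$2
  set -- ${1#notAfter=}                  # -> Mon DD HH:MM:SS YYYY GMT
  mon=$(month_number "$1") || return 1
  day=${2#0}; year=$4
  h=${3%%:*}; rest=${3#*:}; mi=${rest%%:*}; s=${rest#*:}
  h=${h#0}; mi=${mi#0}; s=${s#0}         # strip leading zeros so "08" is not read as octal
  exp=$(( $(days_from_civil "$year" "$mon" "$day") * 86400 + h * 3600 + mi * 60 + s ))
  echo $(( (exp - now) / 86400 ))
}

# Live check (needs network and openssl): fetch the certificate the site actually serves.
# Exits 1 when fewer than 30 days remain, the point at which certbot itself would renew,
# so it can run from cron or a monitor. mysite.com is a placeholder for your own domain.
cert_days_left() {
  enddate=$(printf '' | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
            | openssl x509 -noout -enddate) || return 1
  days=$(days_until_expiry "$enddate" "$(date +%s)") || return 1
  echo "$1: $days days until expiry"
  [ "$days" -ge 30 ]
}
```

Run it as `cert_days_left mysite.com` from a cron job and alert on a non-zero exit, which gives you warning well before the 90-day expiry.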

Other than that, you're ready to start using your website/app in a secure manner!

Thanks for reading, if you have any questions, drop me a comment below or Tweet me @codebubb.