Contents
Introduction
As you may have noticed, new versions of most popular browsers notify you whenever you try to access an insecure web page. For instance, Google Chrome from the release 68 onwards marks all HTTP sites as not secure. To force the use of encrypted connections and to avoid receiving these warnings when accessing your domestic web page you should configure your web server to use certificates.
One possibility is to create and sign these certificates yourself. This will allow you to encrypt all the traffic. However, it will not avoid some of the security warnings received in your browser. A second alternative is to use a certificate provided by a certificate authority. In this tutorial I will show you how to use certbot to automatically fetch and deploy certificates for your web server.
HTTP and HTTPS
HTTPS (HTTP Secure) is an adaptation of the Hypertext Transfer Protocol (HTTP) for secure communications over a computer network. With HTTPS the communication protocol is encrypted by Transport Layer Security (TLS) or Secure Sockets Layer (SSL). That means that all communications between your browser and the website is encrypted. Both the TLS and SSL protocols use what is known as an asymmetric Public Key Infrastructure (PKI) system. It works in a similar way to the explained in the SSH Key based authentication post.
The private key will remain securely on the web server, while the public key will be distributed to anybody to be able to decrypt the information encrypted with the private key.
The way it operates is very simple. When somebody request an HTTPS connection to your webpage, your server initially sends its SSL certificate to the browser. This certificate contains the public key needed to begin the secure session. Based on this initial exchange, the browser and your website then initiate the SSL/TLS handshake. When this operation succeeds, each part dispose of shared secrets to establish a uniquely secure connection. The information exchanged will no longer be sent as plain text. This way it will be unintelligible if intercepted by a third party.
Installing Certbot
Certbot is an easy-to-use automatic client developed in Python. It fetches and deploys SSL/TLS certificates in webservers using ACME protocol. It was developed by the Electronic Frontier Foundation (EFF) as a client for Let’s Encrypt, a free and open Certificate Authority. The software is already included in Stretch repository, so its installation is really easy. However, if you are using a previous version of Raspbian (why don’t you update following this instructions?), you will have to add the backports repository.
Backports are packages taken from the next Debian release (called “testing”). They are adjusted and recompiled for use on a Debian stable version. To add them to your sources.list file just include the following lines:
|
1 2 3 4 |
sudo vi /etc/apt/sources.list ... deb http://ftp.debian.org/debian jessie-backports main ... |
Once done, update the package list by running:
|
1 |
apt-get update |
If you are installing certbot for apache from Stretch just type:
|
1 |
sudo apt-get install python-certbot-apache |
If you use an older Raspbian version you should use the -t option to search for an specific distribution:
|
1 |
sudo apt-get -t jessie-backports install python-certbot-apache |
Note that this instructions just apply if your web server is apache. If you use another software, just search in the documentation the equivalent command
Configuring Certbot
The configuration of certbot is really easy. To start the step-by-step setup just run:
|
1 |
certbot --apache |
This utility will get a certificate for you. It will make Certbot edit your apache configuration automatically to serve it. To do so, it will first evaluate your current installation to find out which domains should be covered with the certificate. During the installation you will be asked to confirm the domains covered. You will need also to type your email and answer some other setup questions. I would suggest you to allow certbot to force the redirection of HTTP traffic to HTTPS, leaving no unencrypted traffic in your web server. Once the installation is finished, you will be able to find the generated certificates and configuration files under this path /etc/letsencrypt/.
You can test the status of your SSL certificate by accessing the following web page:
|
1 |
https://www.ssllabs.com/ssltest/analyze.html?d=YOUR_DOMAIN.COM&latest |
Due to new requirements with Forward Secrecy you will probably obtain a security Grade B. For a domestic web server. It should be more than enough.
If you’re feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand.
|
1 |
sudo certbot --apache certonly |
To learn more about how to use Certbot read its documentation in this link.
Renewing the Certificate
Certbot packages come with a cron job that will renew the installed certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature.
You can see the cron job created by running:
|
1 2 3 |
sudo crontab -l 7 6 * * * /usr/bin/certbot renew --quiet --agree-tos && /bin/systemctl reload apache2 |
As you can see, certbot will try to renew the certificates and reload apache configuration every day at 6:07. In case there is no certificate due for renewal or revoked, and no change has been performed in apache configuration, this task will not do nothing. Otherwise, the script will generate a new certificate and force apache to use it. Certbot recommends to run this job a minimum of once a day. The reason is just to give your site more chances of staying online in case Let’s Encrypt initiates a general revocation for some reason.
Before the cron job is launched, you should test the automatic renewal of your certificates by running this command:
|
1 |
sudo certbot renew --dry-run |
This script will only simulate the renewal of existing certificates. It will not save them, but it can help you to find possible issues with your configuration. Before doing this test, you should configure your router to forward port 443 to your Raspberry as exposed here. Your iptables configuration should also allow the use of this port as explained in this post.
Redirecting HTTP to HTTPS using mod_rewrite
Although an SSL certificate is installed on the server, your website will not use it by default. The visitors will need to add the https to the URL every time to be securely connected. The best way to achieve maximum security is to enable an automatic redirect from HTTP to HTTPS. During certbot installation you should have been asked to activate this feature. In case you didn’t select this option, those are the steps to configure the redirection.
Ensure that the rewrite and ssl modules are activated by doing:
|
1 2 |
sudo a2enmod rewrite sudo a2enmod ssl |
Now you just need to edit your configuration file where the virtual hosts are specified. Then add these lines to redirect http to https. In a standard Raspbian apache installation, those will be located in this path /etc/apache2/sites-enabled/000-default.conf
|
1 2 3 4 5 |
vi /etc/apache2/sites-enabled/000-default.conf RewriteEngine on RewriteCond %{SERVER_NAME} =[your server name] RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent] |
Once done, restart apache and test the results in your browser. It doesn’t matter which page you try to access with http, you should always be redirected to the https option.
1 thought on “Configuring SSL Certificates with Certbot”