What is SSL and why do we need it for our website?

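SSL stands for Secure Sockets Layer. The protocol in use today is its successor, TLS (Transport Layer Security), but the name SSL is still commonly used for both.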

SSL is an encryption technology that secures the communication between a web browser and a web server, by encrypting the data that is being exchanged between a client and a server.

Websites with SSL are accessed via the HTTPS protocol, and websites without SSL via plain HTTP.

A website with SSL is considered secure for users providing data to it, because that data is encrypted in transit.

Know about Let's Encrypt

Let's Encrypt is a non-profit Certificate Authority that provides SSL/TLS certificates for free forever.

It is one of the services provided by the Internet Security Research Group, which provides digital infrastructure for a secure and privacy-respecting web.

It provides SSL/TLS certificates to any domain owner, without any limitations or questions.

Once we install the certificates, the website is accessible over HTTPS.

How to install Let's Encrypt SSL for free forever?

We need to have a registered domain (like example.com) before we proceed with the SSL setup.

Let's look at how we can download and install the certificate on a domain hosted on a VPS machine.

Step 1: Install CertBot and its Apache plugin using the below command from a Linux terminal on a VPS machine

sudo apt install certbot python3-certbot-apache

Step 2: Install SSL from Let's Encrypt using the below command

sudo certbot certonly --apache

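The above command scans all the Apache server configurations on the VPS machine to find the configured domains, and asks the user to select the domain for which the SSL certificate should be issued. Because of the certonly subcommand, Certbot only obtains the certificate and leaves the Apache configuration unchanged, which is why Step 3 edits it by hand.

After the certificate is issued successfully, the SSL certificates will be available at the below location on the VPS machine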

/etc/letsencrypt/live/example.com/

Step 3: Modify the domain's apache configuration to redirect HTTP requests to HTTPS as shown below.

  • HTTP requests received on port 80 for the domain example.com are redirected to https://example.com/
  • HTTP requests received on port 80 for the domain www.example.com are also redirected to https://example.com/
  • HTTPS requests received on port 443 for the domain example.com are served with the downloaded SSL certificates and routed to the website's Document Root if valid.

# Name-based virtual hosts: Apache picks the block by ServerName, so the
# address part is *:PORT rather than a hostname (a hostname there is
# resolved through DNS when Apache starts, which the Apache docs discourage).
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName example.com
    # ServerAlias www.example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # Send every plain-HTTP request to the HTTPS site
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName www.example.com
    # ServerAlias example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Redirect permanent / https://example.com/
</VirtualHost>

# The SSL* directives below require mod_ssl to be enabled.
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    # Certificate chain and private key obtained by Certbot in Step 2
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    DocumentRoot /var/www/html/example.com
</VirtualHost>

Step 4: SSL is now successfully configured, and from here on:

  • All the HTTP requests on the domain are redirected to HTTPS
  • All the HTTPS requests are validated against the SSL certificates and then routed to the website's document root to serve the request.

SSL Certificates Renewal

In Step 1, we installed CertBot and its Apache plugin, which take care of renewing the certificates when they are due to expire.

So, we don't need to worry about the renewal process.

Things to Remember

We need to point the domain to the VPS SSH IP so that requests for the domain are routed to the VPS machine where we deployed our website.

To do this, we change the IP addresses in the A/AAAA records of the domain's DNS configuration to the VPS SSH IP. The DNS changes may take a maximum of 24 hours to propagate over the web.

DNS Propagation can be checked on the below website.

We should run the command to install SSL certificates only after successful DNS propagation; it will fail otherwise.
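
A pre-flight check for the DNS requirement above, as an added example that is not part of the original article: it confirms that each name resolves only to the VPS before the certificate command from Step 2 is run. The function names, the script name and the address 203.0.113.10 are assumptions made for illustration, `dig` is assumed to be installed, and only A records are checked (AAAA records need the same check).

```shell
#!/bin/sh
# Added example: pre-flight DNS check to run before `certbot certonly`.
# Assumptions: `dig` is installed; 203.0.113.10 stands in for the VPS IP.

# resolve_a NAME: print the IPv4 addresses currently returned for NAME,
# one per line (CNAME targets printed by `dig +short` are filtered out).
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# check_records EXPECTED_IP: read addresses from stdin, one per line.
# Succeeds only if at least one record exists and every record equals
# EXPECTED_IP. A leftover record for an old host fails the check, since
# the validation request could be sent to that host instead of the VPS.
check_records() {
    expected=$1
    seen=0
    bad=0
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        seen=$((seen + 1))
        [ "$ip" = "$expected" ] || bad=$((bad + 1))
    done
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# preflight EXPECTED_IP NAME...: check every name, report each result.
preflight() {
    want=$1
    shift
    rc=0
    for name in "$@"; do
        if resolve_a "$name" | check_records "$want"; then
            echo "ok    $name -> $want"
        else
            echo "WAIT  $name does not resolve only to $want"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh dns-preflight.sh 203.0.113.10 example.com www.example.com
if [ "$#" -ge 2 ]; then
    preflight "$@" || exit 1
fi
```

A non-zero exit status means at least one name still has a missing or stale record, so the certificate request should wait.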

Overall

We now know how easy it is to get a free lifetime SSL for a website hosted on a VPS machine.