If you have been following our series on setting up an online business then this is an article you don’t want to miss. We are going to discuss the importance of SSL certificates with particular mention of the Let’s Encrypt free SSL certificate. These certificates can be applied on virtual hosts and Contabo VPS Linux servers which are topics that were fully covered in previous articles.
In the next sections, we look at what an SSL certificate is and why your website should have one. Among other general ideas on this subject, we discuss alternatives to Certbot with Apache and the free SSL project, wildcard SSL certificates, and free SSL certificate generation. Furthermore, as a continuation of previous articles, we show you step by step how to get certificates for any domain from a certificate authority.
What is an SSL Certificate?
In simple terms, it is an electronic document that proves the validity or identity of a particular website. SSL stands for Secure Sockets Layer. It encrypts all communications with a website, protecting customers and visitors from having their information transmitted as plain text. This keeps customer information from being read by anyone who intercepts the traffic. Websites that have SSL certificates enabled show HTTPS instead of HTTP at the start of the URL. Another noticeable difference is the padlock shown before the URL in the address bar. Other types of SSL certificates will turn the address bar green; you will learn what that means in the following sections.
What is Let’s Encrypt free SSL Certificate?
Let’s Encrypt is a non-profit Certificate Authority that offers free, automated digital certificates. Let’s Encrypt powers over 260 million websites across the globe to create a safer and more inclusive internet for everyone. For small and upcoming businesses this is crucial, because it gives them the opportunity to build an online business without having to pay for SSL certificates. Of course, there are drawbacks associated with using free SSL certificates, much like everything. But before we get into the drawbacks, let us first take a look at how to configure or set up the certificates.
How to install Let’s Encrypt SSL Certificates
The previous sections introduced what SSL certificates are and highlighted their importance. To set up and install an SSL certificate we are going to look at two methods. One uses the apt repository and the other uses snapd.
Method 1: Using APT To install Let’s Encrypt Free SSL
Step 1: Install Certbot
sudo apt install certbot python3-certbot-apache
The above command installs Certbot and its Apache plugin using APT, the Advanced Package Tool, which Ubuntu uses to install applications or software and to update existing programs.
Step 2: Get the SSL certificate
sudo certbot --apache
After you enter that command, a series of prompts will start displaying on your screen. In order to successfully obtain the certificates you must answer the questions by making a selection as shown in the output below:
Prompt 1: Let’s Encrypt Free SSL certificate
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): firstname.lastname@example.org
Note that firstname.lastname@example.org in the output above is just a placeholder. Replace it with the email address that you are going to use for the administration of your certificates. After you enter the email address, press Enter. Then respond to the prompt below with an A to show that you agree to the terms and policies.
Prompt 2: Let’s Encrypt Free SSL certificate
Output:
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
After this, you will be asked whether you want to share your email address to receive news and other updates. If you are interested in receiving these you can press Y; otherwise, just press N.
Prompt 3: Let’s Encrypt Free SSL certificate
Output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
The next step will prompt you to choose the domains that you want Certbot to activate HTTPS for. The listed domain names are automatically obtained from your Apache virtual host configuration. If you’d like to enable HTTPS for all listed domain names (recommended), you can leave the prompt blank and hit ENTER to proceed. Otherwise, select the domains you want to enable HTTPS for by entering the number that corresponds to each domain, separated by commas and/or spaces, then hit ENTER.
Output:
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your_domain
2: www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):
Once you pick a domain from the list you will get output that looks something like the following:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for demosite.com
http-01 challenge for www.demosite.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/demosite.com-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/demosite.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/demosite.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/demosite.com-le-ssl.conf
PLEASE TAKE NOTE: Wherever the text “demosite.com” appears, replace it with your own domain. In your own output it will be replaced by the domains that are in your Apache configuration. The next prompt asks whether you want your visitors to be redirected to HTTPS. If you select the redirect option, visitors who connect to your website using HTTP will automatically be redirected to your website over HTTPS. As explained earlier, HTTPS is more secure, and it encrypts all communications by using Transport Layer Security, popularly called TLS.
Output:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
After this option, you are basically done and you will be presented with information similar to the one below, with your domain name included:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://your_domain and https://www.your_domain
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=demosite.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.demosite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/demosite.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/demosite.com/privkey.pem
  Your cert will expire on 2020-07-27. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
This means your certificate is now loaded onto your server and if you reload your website it should now show a padlock sign before the URL. To test the automatic renewal function use the following command:
Step 3: Test auto-renew
sudo certbot renew --dry-run
If you don’t see any errors in your output then everything is ready and you are all set. Now let us look at a different method of installing or configuring SSL certificates. We are still going to use Let’s Encrypt and Certbot with Apache on Ubuntu 20.04.
Method 2: snapd To Install Let’s Encrypt Free SSL
This method is similar to the one before. The difference here is the source of the Certbot package that we will use to generate the certificate. We are still going to be using the Let’s Encrypt free SSL certificate generator. For this method to work we are going to install snapd first. If you are using this method, I’m assuming you did not use the first one or you encountered some error. Nonetheless, if you did succeed and just want to practice, there is no harm in using this method as well. We are not going to look at the output in this section because we have covered it in the previous method.
Step 1: Install snapd
In order to accomplish this, you need root access to the server. Once you have access you can use the following command to install the latest version.
sudo apt install snapd
Step 2: Ensure the version is up to date
sudo snap install core; sudo snap refresh core
Step 3: Remove Certbot and any preinstalled OS packages
sudo apt-get remove certbot
If you used the apt package manager, the command will work for you. Otherwise, if you used yum or dnf, you must replace apt-get with that package manager to successfully remove previous versions and installations.
Step 4: Install Certbot
To accomplish this we are not using apt (Advanced Package Tool). The snap command is used instead, as below:
sudo snap install --classic certbot
Step 5: Prepare Certbot to be run
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Step 6: Generate SSL Certificate
sudo certbot --apache
Running this command changes your Apache configuration: it creates a virtual host config file that matches your domain, with SSL appended to the name of its conf file. If you would prefer to only get the certificate, you can use the following command:
sudo certbot certonly --apache
Step 7: Test auto-renewal
For this method, you need to use the command below. If you don’t get any errors then everything is working as it should.
sudo certbot renew --dry-run
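A passing dry run shows that renewal works today, not that it keeps working. The following is an added example, not part of the original article: it parses the listing printed by `sudo certbot certificates` and reports certificates with fewer than 30 days left, by which point Certbot would normally have renewed them. The sample listing (names, dates, trimmed layout) and the function names are constructed for illustration, and the listing layout is an assumption to check against your Certbot version.

```shell
#!/usr/bin/env bash
# Added example: report certificates that renewal has failed to keep fresh.

# Constructed, trimmed sample in the layout printed by `sudo certbot certificates`
# (certificate names and dates are made up for this example).
sample_listing() {
cat <<'EOF'
Found the following certs:
  Certificate Name: demosite.com
    Domains: demosite.com www.demosite.com
    Expiry Date: 2020-07-27 09:12:44+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/demosite.com/fullchain.pem
  Certificate Name: shop.demosite.com
    Domains: shop.demosite.com
    Expiry Date: 2020-05-10 09:12:44+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/shop.demosite.com/fullchain.pem
  Certificate Name: old.demosite.com
    Domains: old.demosite.com
    Expiry Date: 2020-04-01 09:12:44+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.demosite.com/fullchain.pem
EOF
}

# stale_certs [min_days]: reads a listing on stdin and prints "<name> <status>"
# for every certificate with fewer than min_days left (default 30), or whose
# expiry line does not read "VALID: N days" (expired, or an unknown format).
stale_certs() {
  awk -v min="${1:-30}" '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
      if (match($0, /\(VALID: [0-9]+ day/)) {
        days = substr($0, RSTART + 8) + 0   # leading digits after "(VALID: "
        if (days < min) print name, days "d"
      } else {
        print name, "EXPIRED_OR_UNKNOWN"
      }
    }'
}

# Demo on the constructed sample. On a server, feed it the real listing:
#   sudo certbot certificates 2>/dev/null | stale_certs 30
sample_listing | stale_certs 30
```

Run from cron or a monitoring agent, any output from `stale_certs` means automatic renewal needs attention.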
After all this, you can reload your website. It must now load with HTTPS:// instead of HTTP://. Also, you must now be able to see the padlock in the address bar. In the following section, we are going to look at other alternatives. There are those who would prefer to use something other than the Let’s Encrypt free SSL certificate generator.
Let’s Encrypt Alternatives
If you want to run an e-commerce website then you need a different CA than Let’s Encrypt. You might also want to use a different SSL certificate authority that offers the same certificate as Let’s Encrypt because of some technical errors. The good news is there are many alternatives out there, but unfortunately they do not offer a free solution.
Zero SSL is one of the closest alternatives to the Let’s Encrypt free SSL certificate authority. The certificate authority offers 3 free 90-day certificates which you can use to get started with your online business, and once a certificate expires you can upgrade to one of their paid plans. Zero SSL uses the same ACME protocol as the Let’s Encrypt free SSL certificate. As of this writing, the pricing starts at $10/mo and $8 if billed yearly.
Another alternative is Namecheap, although it offers neither free SSL certificates like Zero SSL nor an indefinitely free package like the Let’s Encrypt free SSL certificate project. So why would someone consider buying an SSL certificate if they can get it for free? Let’s discuss this in the next section.
Paid vs Free SSL Certificates
Before we delve into the key differences, we must understand that there are different levels of validation that SSL certificates go through before they can be issued by a Certificate Authority. There are 3 common types; the encryption for all of them is the same, but what differs is the vetting or verification behind the certificate. There are also two types of certificates, namely Single Domain and Wildcard Domain SSL Certificates.
Single Domain SSL Certificates
This type of SSL certificate can be used to authenticate and encrypt one domain only. This means you cannot even use it to provide encryption to subdomains of that particular domain. For instance, once you apply the single-domain SSL certificate to demosite.com, you will not be able to use the same certificate for subdomains such as newsletter.demosite.com. However, the certificate will apply to subfolders under this domain, such as demosite.com/contact-page.
Let’s Encrypt Free Wildcard SSL Certificates
Single wildcard domain certificates can be applied to both the parent domain and its subdomains. Such a certificate will provide security for demosite.com and for newsletter.demosite.com or support.demosite.com. However, since it is still a single-domain SSL certificate, it cannot be used for a completely different domain such as digitalfreshman.com. If you want to secure multiple domains then you need a multi-domain SSL certificate. Let’s Encrypt also offers wildcard certificates that can be applied to an entire subdomain.
Multi-Domain SSL Certificates(MDC)
MDC allows you to list multiple domains on one SSL certificate. Unlike with wildcard certificates, domains that are not related can use the same certificate, which can help if you are managing multiple domains.
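The three certificate types above differ only in the list of names written into the certificate. The following is an added example, not part of the original article: a simplified hostname matcher showing which hosts each type covers, including two cases that are easy to get wrong (a wildcard stands for exactly one label, and the parent domain is covered only when it is listed as well). The function names `cert_covers` and `report` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: which hostnames does a certificate cover?
# Usage: cert_covers <hostname> <name-on-certificate>...
# Returns 0 when one of the certificate's names matches the hostname.
cert_covers() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift   # hostnames are case-insensitive
  for name in "$@"; do
    name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    case $name in
      '*.'*)
        base=${name#'*.'}          # "*.demosite.com" -> "demosite.com"
        label=${host%".$base"}     # the part "*" would have to stand for
        # "*" stands for exactly one label: non-empty and without a dot, so it
        # matches neither the bare parent nor a.b.demosite.com.
        if [ "$label" != "$host" ] && [ -n "$label" ]; then
          case $label in
            *.*) ;;
            *) return 0 ;;
          esac
        fi
        ;;
      *)
        if [ "$name" = "$host" ]; then return 0; fi
        ;;
    esac
  done
  return 1
}

# Print one line per check so the certificate types can be compared.
report() {
  h=$1; shift
  if cert_covers "$h" "$@"; then echo "  covered      $h"
  else echo "  NOT covered  $h"; fi
}

echo "single-domain certificate: demosite.com"
report demosite.com             demosite.com
report newsletter.demosite.com  demosite.com

echo "wildcard certificate: demosite.com + *.demosite.com"
report demosite.com             demosite.com '*.demosite.com'
report newsletter.demosite.com  demosite.com '*.demosite.com'
report a.b.demosite.com         demosite.com '*.demosite.com'
report digitalfreshman.com      demosite.com '*.demosite.com'

echo "wildcard name alone: *.demosite.com"
report demosite.com             '*.demosite.com'

echo "multi-domain certificate: demosite.com + digitalfreshman.com"
report digitalfreshman.com      demosite.com digitalfreshman.com
```

Let's Encrypt issues wildcard names only through the DNS-01 challenge, so the http-01 run of `certbot --apache` shown earlier cannot request one.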
The 3 most common types of SSL Certificates
- Extended Validation(EV SSL) Certificates
- Organizational Validation (OV SSL) Certificates
- Domain Validated (DV SSL) Certificates
We will start by explaining what most free Certificate Authorities offer. After that we will move on to the paid versions for better understanding.
Domain Validated (DV SSL) Certificates
This is the easiest and quickest way to provide standard encryption. It requires little to no verification. DV SSL certificates are mainly issued to individuals, and they are typically issued within minutes. Once activated they show a padlock sign in the browser, and the URL is preceded by HTTPS://. The major advantage is that they can be issued within minutes. This is the type of SSL certificate we get from Let’s Encrypt.
Organizational Validated (OV SSL) Certificates
These certificates build on DV, and the encryption here is basically the same. However, to get an OV SSL certificate an organization must present the domain it wishes to secure and also prove that it is legally registered. This is done to validate control of the domain, which adds a layer of trust. OV certificates are issued within 1-3 days, so not as fast as DV. The certificate information will also show the company’s details. These OV certificates are suitable for businesses, unlike DV, and they are not free.
Extended Validated (EV SSL) Certificates
To get an EV certificate, organizations must go through a stricter vetting process. A stricter process also means that these certificates take more time to be issued than the previous two. Once activated they show a green bar in the web browser. EV certificates are an indication that the applicant or organization is highly trusted and has successfully met all the verification requirements. Consumers have more trust in websites with an EV certificate than in those with OV or DV. Just like OV, EV certificates are not free, and they tend to be more expensive than OV.
|ATTRIBUTES||FREE SSL CERTIFICATE||PAID SSL CERTIFICATE|
This article covered Let’s Encrypt’s free SSL certificates. It looked at the two methods of installing the certificates, apt and snapd. Key concepts such as the basic definition of an SSL certificate, the types of SSL certificates, and the difference between paid and free certificates were also addressed. For e-commerce websites, you must use EV certificates. A business website must use OV certificates. If you are starting a blog or other internal-facing website then DV certificates are more cost-effective for that use case.