Let’s Encrypt – Is Certbot Good for HTTPS Certificates?

Apache2certificateshttpsletsencryptssl

I am setting up a cloud server using Ubuntu 20.04 Server.

I will never have many visitors, just my students doing homework.

I want to enable https:// access.

I found this page.

Is certbot a good way to go??

I have never done this before.

Best Answer

Good is subjective? Does it mean easy? Quick? Free? I think Let's Encrypt is good, but that is just my opinion.

Before I properly answer the question, I need to clarify something. Let's Encrypt is a free trusted certificate authority that issues SSL certificates. Certbot is the tool that Let's Encrypt recommends to actually get, and automatically set up, the certificates.

Let's Encrypt does have some issues, but for a small site ran by an Apache server, for a few people, it should be fine. If you are curious, take a look at this Security SE question that explains potential issues with Let's Encrypt.

To enable https://, you need to get a certificate trusted by your client's computers*.

There are plenty of guides out there, but I suggest the official one, as it is pretty good. I'm assuming you have SSH (or shell) access to your Apache server, and that it is publically accessible. Head over to the Cerbot website. Fill out what your server is running on. For this answer, I selected Apache and Ubuntu 20.04 based on your question, but you should select whatever is correct for you.

This is a shortened version of the directions from the Certbot guide for Apache on Ubuntu 20.04.

Make sure Snap is installed. If you have Ubuntu 20.04 (or most supported versions of Ubuntu) it is. If not, check out these directions from the Snapcraft website.
Run this to install the snap core and update if needed sudo snap install core && sudo snap refresh core
Install Certbot sudo snap install --classic certbot
Make sure it can be run by linking it to the /usr/bin folder sudo ln -s /snap/bin/certbot /usr/bin/certbot

If you want it to auto-install the certificate, run sudo certbot --apache. If you prefer to make the changes to the config file yourself, run sudo certbot certonly --apache. The Let's Encrypt certificates expire after 90 days. So, it can automatically renew them for you. Run sudo certbot renew --dry-run to test auto-renewal. If it works fine (without errors) then auto-renewal is good to go.

Reboot the server, and then your website should work with https.

*Technically, you could make your own, but it would display in their browsers that it isn't trusted, so you really shouldn't.

Related Solutions

Command-Line – How to Install Certificates for Command Line

TL;DR

For everything to work and not only your browser, you need to add that CA certificate to the system's trusted CA repository.

In ubuntu:

Go to /usr/local/share/ca-certificates/
Create a new folder, i.e. "sudo mkdir school"
Copy the .crt file into the school folder
Make sure the permissions are OK (755 for the folder, 644 for the file)
Run "sudo update-ca-certificates"

Why

Let me explain what is going on also, so the other posters see why they don't need any certificate to use Github over HTTPS.

What is going on there is that your school is intercepting all the SSL communications, probably in order to monitor them.

To do that, what they do is in essence a "man in the middle" attack, and because of that, your browser complains rightfully that he is not being able to verify github's certificate. Your school proxy is taking out github's cert and instead providing its own cert.

When your browser tries to verify the school's provided cert against the CA that signed github's cert, it rightfully fails.

So, for the SSL connection to work in the school, you need to consciously accept that "MITM" attack. And you do that by adding the school's CA certificate as a trusted one.

When you trust that school CA, your verification of the fake github cert will work, since the fake github cert will be verified by the school CA.

Be aware that SSL connection is not safe anymore since your school administrator will be able to intercept all your encrypted connections.

Apache2 SSL VirtualHost HTTPS – Enable HTTPS in Apache2 with Vhosts

I "fixed" the configuration by myself, with a bit of luck.

The issue seems to have been caused by the default configuration Ubuntu is shipping with Apache v2.x.

After enabling the needed modules with something like

sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod socache_shmcb

I also enabled the "default SSL site" with

sudo a2ensite default-ssl

Then added my own stuff in the /etc/apache2/sites-enabled directory.

I added something like:

01-mysite.conf
02-other.conf
03-thistoo.conf

After running certbot --apache the directory content became:

01-mysite-le-ssl.conf
01-mysite.conf
02-other-le-ssl.conf
02-other.conf
03-thistoo-le-ssl.conf
03-thistoo.conf

The problem came from the fact that the "default SSL site" configuration file is called default-ssl.conf while the "default plaintext site" configuration is called 000-default.conf .

In my specific case, then, default-ssl.conf was the last one to be read by Apache v2.x from the sites-enabled directory:

000-default.conf
01-mysite-le-ssl.conf
01-mysite.conf
02-other-le-ssl.conf
02-other.conf
03-thistoo-le-ssl.conf
03-thistoo.conf
default-ssl.conf

By "simply" renaming default-ssl.conf to 000-default-ssl.conf I started having things working, after a mandatory reload: systemctl apache2 reload; systemct apache2 status!

The very same nmap command seen in the question now returns the expected results:

$ nmap -A -Pn -p 443 mysite.com.
Nmap scan report for mysite.com. (1.2.3.4)
Host is up (0.044s latency).
Other addresses for mysite.com. (not scanned): 1234:1234:123:1234::
rDNS record for 1.2.3.4: host1.hosting.net

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd 2.4.41
| tls-alpn: 
|_  http/1.1
|_http-title: 421 Misdirected Request
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=host1
| Subject Alternative Name: DNS:host1
| Not valid before: 2022-11-06T10:22:12
|_Not valid after:  2032-11-03T10:22:12
Service Info: Host: 127.0.0.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds

It seems nmap doesn't know how to place a well-formed HTTPS SNI request.

But now we have: 443/tcp open ssl/http Apache httpd 2.4.41 : now it's ssl/http, not just http!

Lesson learned: with SSL/TLS and SNI, order matters. And a lot too!

As a very minor side note, I cleaned up the non-SSL (aka "HTTP") configuration file like this:

<VirtualHost _default_:80>
  ServerName  mysite.com # <-----------------.
  RewriteEngine on #                         | THE SAME
  RewriteCond %{SERVER_NAME} =mysite.com # <-'
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

All other configuration stuff has been moved into the SSL-enabled configuration. Simple and effective!

I really hope this will help others.

Best Answer

Related Solutions

Command-Line – How to Install Certificates for Command Line

Apache2 SSL VirtualHost HTTPS – Enable HTTPS in Apache2 with Vhosts

Related Question