  • Let’s look into getting a FREE SSL/TLS certificate from ZeroSSL and implementing it in Apache and Nginx web servers.

    Introduction

    You might have heard a lot about terms like HTTP and HTTPS. In the early days, a protocol named HyperText Transfer Protocol (HTTP) was defined. It is a way for a browser to communicate with a web server. Data sent over HTTP travels in clear text. Because of this, HTTP communication is not secure, and hackers were able to intercept important and sensitive messages.

    To solve this issue, the HTTPS protocol came into the picture. It is a secure protocol, and the acronym stands for HyperText Transfer Protocol Secure. It encrypts the data as it travels between the web browser and the web server, so that if any hacker picks up that information, it’s all encrypted.

    How does HTTPS work?

    The HTTPS protocol works on either of two things: SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both use PKI (Public Key Infrastructure). PKI, in turn, uses two keys, i.e. public and private keys. Anything that is encrypted using the public key can be decrypted using the private key, and vice versa.

    When we install an SSL/TLS certificate on our website, the ‘data encryption’ feature gets enabled. SSL is used as a checkpoint to guarantee the security of the data that is being exchanged over the Internet between the user’s browser and the website server.

    Getting ZeroSSL certificate

    ZeroSSL is a certificate authority (CA) that makes it very easy for everyone to install a certificate to make a website secure. You can get up to 3 certificates with 90 days validity for free.


    • Sign up with ZeroSSL
    • After logging in, the below page will appear. Click on ‘New Certificate.’

    • Enter the URL you want to secure and click on ‘Next Step.’

    • Select the 90-day certificate and click Next

    • Let’s proceed with the auto-generate CSR option

    • Proceed with the “Free” plan

    Next, you’ll need to verify the domain ownership. There are a few options.

    • DNS – if you can add a DNS record entry
    • Email – if you can receive the email to [email protected]
    • File Upload – if you can upload a file on the root of the domain

    Choose what works for you. I’ll proceed with DNS entry.

    • I’ve added the CNAME and am ready to verify the domain.

    • Finally, once verified, the SSL certificate is ready to download.

    Here are my downloaded certificates.

    It’s time to implement it.

    Implementing on Apache

    In the following steps, I will install Apache on Ubuntu.

    Log in to the server and install Apache using the apt-get command.

    sudo apt-get install apache2

    Let’s find out if Apache is running using systemctl command.

    [email protected]:~# systemctl status apache2
    ● apache2.service - The Apache HTTP Server
       Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
      Drop-In: /lib/systemd/system/apache2.service.d
               └─apache2-systemd.conf
       Active: active (running) since Sat 2020-05-23 16:15:56 UTC; 3s ago
      Process: 7852 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
      Process: 14179 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
     Main PID: 14196 (apache2)
        Tasks: 55 (limit: 2362)
       CGroup: /system.slice/apache2.service
               ├─14196 /usr/sbin/apache2 -k start
               ├─14199 /usr/sbin/apache2 -k start
               └─14200 /usr/sbin/apache2 -k start
    
    May 23 16:15:56 geekflare-lab systemd[1]: Starting The Apache HTTP Server...
    May 23 16:15:56 geekflare-lab apachectl[14179]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'Serve
    May 23 16:15:56 geekflare-lab systemd[1]: Started The Apache HTTP Server.

    Great, it is running.

    My domain (lab.geekflare.com) is already pointing to this Apache server.

    But as you can see, it is not secured, and therefore, we will be configuring the certificate which we got from ZeroSSL.

    • Let’s create a directory called sslCA under /etc to store the certificate files.
    cd /etc
    mkdir sslCA
    • Transfer the files to the newly created folder on the server
    [email protected]:/etc/sslCA# ll
    total 20
    drwxr-xr-x  2 root root 4096 May 18 12:13 ./
    drwxr-xr-x 92 root root 4096 May 22 06:07 ../
    -rw-r--r--  1 root root 2430 May 18 05:37 ca_bundle.crt
    -rw-r--r--  1 root root 2292 May 18 05:37 certificate.crt
    -rw-r--r--  1 root root 1702 May 18 05:37 private.key
    • Enable SSL module
    sudo a2enmod ssl
    • We will have to restart the webserver so that the changes can be recognized.
    sudo service apache2 restart
    • The next step is to configure the certificate files in the Apache SSL config file.
    cd /etc/apache2/mods-available
    • The name of the file is ssl.conf. We need to add the following inside the <VirtualHost> directive.
    <VirtualHost _default_:443>
        SSLEngine on
        # Paths are case-sensitive and must match the /etc/sslCA directory created above
        SSLCertificateFile /etc/sslCA/certificate.crt
        SSLCertificateKeyFile /etc/sslCA/private.key
        SSLCertificateChainFile /etc/sslCA/ca_bundle.crt
    </VirtualHost>
    • Save the file and exit with :wq!

    After restarting Apache, SSL will be enabled on the site. Let’s access the site using https://

    And, as you can see, “Connection is secure”. It means that our SSL certificate has been successfully applied to our webserver.
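
    The files copied to /etc/sslCA can also be checked directly on the server. The script below is an added example, not part of the original article: it confirms that the configured paths exist, that private.key is not readable by group or others (the listing above shows it as -rw-r--r--), and that the certificate and key belong together. The function names are hypothetical, and it assumes GNU stat and the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example: checks for the certificate files copied to /etc/sslCA.
# Function names are hypothetical; assumes GNU stat and the openssl CLI.

# Succeeds only if the key file grants nothing to group or others
# (the listing above shows private.key as -rw-r--r--, i.e. 644).
key_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Succeeds only if the certificate carries the public key that belongs
# to the private key (both are printed as PEM and compared as text).
cert_matches_key() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Prints one line per problem; the return status is the problem count.
audit_tls_files() {
    local cert="$1" key="$2" problems=0 f
    for f in "$cert" "$key"; do
        # Paths are case-sensitive: /etc/SSLCA is not /etc/sslCA.
        [ -r "$f" ] || { echo "missing or unreadable: $f"; problems=$((problems + 1)); }
    done
    [ "$problems" -eq 0 ] || return "$problems"
    key_mode_ok "$key" || {
        echo "private key readable by group/others, run: chmod 600 $key"
        problems=$((problems + 1))
    }
    cert_matches_key "$cert" "$key" || {
        echo "certificate and private key do not belong together"
        problems=$((problems + 1))
    }
    return "$problems"
}

# Run against two paths when called as: script CERT KEY
if [ "$#" -eq 2 ]; then
    audit_tls_files "$1" "$2"
fi
```

    Saved as a script, it can be run with /etc/sslCA/certificate.crt and /etc/sslCA/private.key as its two arguments; an exit status of 0 means no problems were found.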

    Implementing on Nginx

    Nginx is available in Ubuntu’s default repositories, so it can be installed from there using the apt packaging system.

    • Use the command below to install Nginx.
    sudo apt install nginx
    • After the installation succeeds, we can start Nginx using the command below.
    systemctl start nginx
    • Check the status of Nginx.
    [email protected]:~# systemctl status nginx
    ● nginx.service - A high performance web server and a reverse proxy server
       Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
       Active: active (running) since Tue 2020-05-19 06:54:00 UTC; 4 days ago
         Docs: man:nginx(8)
      Process: 8634 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
      Process: 8661 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
      Process: 8653 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
     Main PID: 8664 (nginx)
        Tasks: 2 (limit: 2362)
       CGroup: /system.slice/nginx.service
               ├─8664 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
               └─8707 nginx: worker process
    
    May 19 06:54:00 geekflare-lab systemd[1]: Starting A high performance web server and a reverse proxy server...
    May 19 06:54:00 geekflare-lab systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
    May 19 06:54:00 geekflare-lab systemd[1]: Started A high performance web server and a reverse proxy server.
    • As expected, the browser will show a warning that the connection to this site is not secure.

    Let’s quickly implement the cert to make the site secure using HTTPS.

    • Let’s create an example.com.conf file in /etc/nginx/conf.d. The file content will look like the below.
    server {
        listen              443 ssl default_server;
        listen              [::]:443 ssl default_server;
        server_name         lab.geekflare.com;
        root                /var/www/html;
    }
    • Next, add the certificate file paths to the nginx.conf file, which is located in the “/etc/nginx” directory.
    • Add the following in the http block
    ssl_certificate /etc/sslCA/certificate.crt; 
    ssl_certificate_key /etc/sslCA/private.key;

    • Restart Nginx to apply and verify the changes
    systemctl restart nginx

    And here we go.


    Testing SSL/TLS Configuration

    The default configuration may be vulnerable, and I strongly suggest testing your site after implementing the certificate. There are a number of online tools you can check out here.

    Conclusion

    I hope this gives you an idea of getting a certificate from ZeroSSL and implementing it in the two most popular web servers.