How to Implement ZeroSSL Certificate in Apache and Nginx?
By
Asad Ali
Let’s look into getting a FREE SSL/TLS certificate from ZeroSSL and implement it in Apache and Nginx web servers.
Introduction
You might have heard a lot about the term like HTTP and HTTPS. In the early days, a protocol was defined, which was named as HyperText Transfer Protocol(HTTP). It is a way to communicate from browser to web server. When this communication happens, the data traveling on an HTTP protocol, just travel in the clear text formats. Due to this, it has been realized that the HTTP communication is not secure, and hackers were able to attack and intercept the important and sensitive messages.
To solve this issue, the HTTPS protocol came into the picture. It is a secure protocol, and acronym stands for HyperText Transfer Protocol Secure. It simply makes encryption to the data when the communication happens, and data travels from the web browser to the webserver. So that if any hacker picks up that information, it’s all encrypted.
How do HTTPS works?
The HTTPS protocol works on either of the two things, that is SSL(Secure Socket Layer) or TLS(Transport Layer Security). Both tools use PKI(Public Key Infrastructure). PKI, in turns, uses two key, ie. public and private keys. Anything which is encrypted using the public key can be decrypted using the private key and vice versa.
When we install an SSL/TLS certificate on our website, the ‘data encryption’ feature gets enabled. SSL is used as a checkpoint to guarantee the security of the data that is being exchanged over the Internet between the user’s browser and the website server.
Getting ZeroSSL certificate
ZeroSSL is a certificate authority (CA) that makes the thing very easy for everyone to install a certificate to make the website secure. You can get up to 3 certificates with 90 days validity in free.
- Sign up with ZeroSSL
- After logging in, the below page will appear. Click on ‘New Certificate.’
- Enter the URL you want to secure and click on the ‘Next Step.’
- Select 90-day certificate and Next
- Let’s proceed with the auto-generate CSR option
- Proceed with the “Free” plan
Next, you’ll need to verify the domain ownership. There are a few options.
- DNS – if you can add a DNS record entry
- Email – if you can receive the email to admin@yourdomain.com
- File Upload – if you can upload a file on the root of the domain
Choose what works for you. I’ll proceed with DNS entry.
- I’ve added the CNAME and ready to verify domain.
- Finally, once verified, the SSL certificate is ready to download.
Here is my downloaded certificates.
Its time to implement it.
Implementing on Apache
The following, I will install Apache on Ubuntu.
Login to server and install using apt-get command.
sudo apt-get install apache2Let’s find out if Apache is running using systemctl command.
root@geekflare-lab:~# systemctl status apache2
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: active (running) since Sat 2020-05-23 16:15:56 UTC; 3s ago
Process: 7852 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
Process: 14179 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 14196 (apache2)
Tasks: 55 (limit: 2362)
CGroup: /system.slice/apache2.service
├─14196 /usr/sbin/apache2 -k start
├─14199 /usr/sbin/apache2 -k start
└─14200 /usr/sbin/apache2 -k start
May 23 16:15:56 geekflare-lab systemd[1]: Starting The Apache HTTP Server...
May 23 16:15:56 geekflare-lab apachectl[14179]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'Serve
May 23 16:15:56 geekflare-lab systemd[1]: Started The Apache HTTP Server.Great, it is running.
My domain (lab.geekflare.com) is already pointing to this Apache server.
But as you can see, it is not secured, and therefore, we will be configuring the certificate which we got from ZeroSSL.
- Let’s create a directory called
sslCAunder /etc to store the certificate files.
cd /etc
mkdir sslCA- Transfer the files to the newly created folder on the server
root@geekflare-lab:/etc/sslCA# ll
total 20
drwxr-xr-x 2 root root 4096 May 18 12:13 ./
drwxr-xr-x 92 root root 4096 May 22 06:07 ../
-rw-r--r-- 1 root root 2430 May 18 05:37 ca_bundle.crt
-rw-r--r-- 1 root root 2292 May 18 05:37 certificate.crt
-rw-r--r-- 1 root root 1702 May 18 05:37 private.key- Enable SSL module
sudo a2enmod SSL- We will have to restart the webserver so that the changes can be recognized.
sudo service apache2 restart- The next step is to configure the certificate files on the Apache SSL config file.
cd /etc/apache2/mods-available- The name of the file is ssl.conf. We need to add the following in
<VirtualHostdirective.
<VirtualHost _default_:443> SSLEngine on SSLCertificateFile /etc/SSLCA/certificate.crt SSLCertificateKeyFile /etc/SSLCA/private.key SSLCertificateChainFile /etc/SSLCA/ca_bundle.crt</VirtualHost>
- Save the file and exit
:wq!
After performing the restart, the SSL will get enable on the site. Let’s access the site using https://
And, as you can see, “Connection is Sure”. It means that our SSL certificate has been successfully applied to our webserver.
Implementing on Nginx
Nginx is located in Ubuntu’s default repositories, so it’s possible to install it from here using the appropriate packaging system.
- The below command is used for installing the “Nginx”.
sudo apt install nginx- After installation gets success, we can start the Nginx using the below command.
systemctl start nginx- Check the status of Nginx.
root@geekflare-lab:~# systemctl status nginx ● nginx.service - A high performance web server and a reverse proxy server Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2020-05-19 06:54:00 UTC; 4 days ago Docs: man:nginx(8) Process: 8634 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS) Process: 8661 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS) Process: 8653 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS) Main PID: 8664 (nginx) Tasks: 2 (limit: 2362) CGroup: /system.slice/nginx.service ├─8664 nginx: master process /usr/sbin/nginx -g daemon on; master_process on; └─8707 nginx: worker process May 19 06:54:00 geekflare-lab systemd[1]: Starting A high performance web server and a reverse proxy server... May 19 06:54:00 geekflare-lab systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument May 19 06:54:00 geekflare-lab systemd[1]: Started A high performance web server and a reverse proxy server.
- As expected, the browser will show the warning as a connection to this site is not secure.
Let’s quickly implement the cert to make the site secure using HTTPS.
- Let’s create
example.com.conffile at/etc/nginx/conf.dlocation. The file content will look like the below.
server {
listen 443 SSL default_server;
listen [::]:443 SSL default_server ;
server_name lab.geekflare.com lab.geekflare.com;
root /var/www/html;
}- Now it’s required to add a certificate filename in
nginx.conffile which is located in “/etc/nginx” directory. - Add the following in http directive
ssl_certificate /etc/sslCA/certificate.crt;
ssl_certificate_key /etc/sslCA/private.key;
- Restart Nginx to verify the changes
systemctl restart nginxAnd here we go.
Interested in learning Nginx? Check out this fundamentals course.
Testing SSL/TLS Configuration
The default configuration may be vulnerable, and I strongly suggest testing your site after implementing the certificate. There are a number of online tools you can check out here.
Conclusion
I hope this gives you an idea of getting a certificate from ZeroSSL and implementing it in two most popular web servers.
-
Asad AliAuthor
