Setting Up HTTPS (SSL/TLS) Using Let's Encrypt
1. What this lecture is about and why it's important
In the modern world, HTTPS has already become the standard for all websites. If you want your users to feel safe and Google not to lower your site's ranking in search results (yup, HTTPS impacts SEO), you simply have to set up SSL/TLS. The HTTPS protocol protects the data transmitted between the user and the server through encryption, so attackers who intercept it cannot read it.
In this lecture, we'll break down step by step how to set up HTTPS for your web server for free using Let's Encrypt. Let's Encrypt is a trusted Certificate Authority (CA) that provides free certificates and tools for setting them up. We'll also learn how to automatically renew our certificates to avoid the headache of them expiring.
HTTP vs HTTPS
HTTP (Hypertext Transfer Protocol) is a data transfer protocol. It's great for browsing cat memes, BUT! If someone connects to your Wi-Fi network (like in a coffee shop), they could intercept the data you're sending to the server (yikes, your password becomes "their password").
HTTPS (Hypertext Transfer Protocol Secure) is the encrypted version of HTTP. The data transferred between the client and the server is secured using SSL/TLS (Secure Sockets Layer / Transport Layer Security). Attackers can no longer see the contents of "data packets," even if they manage to intercept them.
2. Installing Let's Encrypt and Certbot
Certbot is a tool from the Let's Encrypt team that makes it super easy to get and set up SSL certificates for your web server. It's smart enough to work directly with Nginx or Apache, handling all the dirty work for us. Let's start with the installation.
Installing Certbot
Make sure your server is up-to-date:
sudo apt-get update
sudo apt-get upgrade
Now, let's install Certbot and its plugins:
For Nginx:
sudo apt-get install certbot python3-certbot-nginx
For Apache:
sudo apt-get install certbot python3-certbot-apache
Certbot itself is just Python code, actively maintained by the community. It integrates easily with most servers.
3. Getting an SSL Certificate Using Certbot
For Nginx
Certbot can automatically set up HTTPS for your site if you're using Nginx. Enter:
sudo certbot --nginx
Certbot will scan your current virtual hosts (server blocks in the configuration). It'll ask which domain you want to set up HTTPS for. Make sure the domain points to your server via DNS (e.g., using an A record).
Example output:
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com
2: www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select your domain (e.g., 1).
Certbot will automatically configure your Nginx settings and validate them. Once the installation is successful, you’ll see a message like this:
Congratulations! Your certificate and chain have been saved ...
Your site is now available over HTTPS. You can check this by opening https://example.com in your browser.
For Apache
If you're using Apache, the command will look a bit different:
sudo certbot --apache
Certbot will also scan your virtual hosts (<VirtualHost> blocks) and offer to set up HTTPS for your chosen domains. Select the ones you need, and Certbot will handle everything for you.
After the process is complete, you'll again see a congratulations message and can check your site's availability via HTTPS.
4. Automatic Certificate Renewal
Let's Encrypt certificates are valid for only 90 days, so they need to be regularly renewed. Certbot can do this automatically, but we need to make sure everything is set up correctly.
Checking Certificate Expiration Dates
You can check when your certificate expires:
sudo certbot certificates
The output will show your domains and the expiration dates of their certificates.
Setting Up Automatic Renewal
During installation, Certbot automatically adds a Cron task or a Systemd timer that checks for renewals. If you want to ensure everything works, add a test task in Cron:
sudo crontab -e
Add the following line:
0 0 * * * certbot renew --quiet
This entry runs certbot renew daily at midnight; Certbot renews only the certificates that are close to expiry. The --quiet flag suppresses unnecessary output.
Manual Renewal
If you want to renew certificates manually (e.g., for testing), use:
sudo certbot renew
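To confirm that scheduled renewal is actually working, the expiry information printed by sudo certbot certificates can be checked by a script: a certificate that gets close to expiry means the scheduled job is failing. This is an added example, not part of the original lecture; the sample output is constructed, and the function name stale_certs and the 21-day threshold are assumptions.

```sh
# Constructed sample in the shape of `sudo certbot certificates` output
# (not from a real server).
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-03-01 10:15:42+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2030-01-10 08:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2029-12-01 08:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem'

# stale_certs MIN_DAYS (hypothetical helper): read `certbot certificates`
# output on stdin and print "name status" for every certificate that has
# fewer than MIN_DAYS days left or is marked INVALID.
stale_certs() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) { print name, "invalid"; next }
            # "VALID: " is 7 characters and " day" is 4, so the digits
            # between them are RLENGTH - 11 characters long.
            if (match($0, /VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days < min) print name, days "d"
            }
        }'
}

# Demo on the sample. On a server: sudo certbot certificates | stale_certs 21
printf '%s\n' "$SAMPLE_OUTPUT" | stale_certs 21
```

Any line this prints is a certificate that renewal should already have replaced, so it is worth running from monitoring rather than by hand.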
5. Enabling automatic HTTP → HTTPS redirection
Your site might still be accessible via HTTP, but that's not safe. Let's configure automatic redirection of all requests to HTTPS.
For Nginx
Certbot can automatically configure redirection when issuing the certificate. If you didn't enable this earlier, add the redirection manually to your virtual host configuration file:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
Restart Nginx to apply the changes:
sudo systemctl restart nginx
For Apache
Certbot also offers to enable redirections automatically. If you skipped this step, add this to your virtual host file:
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
Restart Apache:
sudo systemctl restart apache2
6. Debugging Errors
If something goes wrong, start by checking the logs:
For Nginx
sudo tail -f /var/log/nginx/error.log
For Apache
sudo tail -f /var/log/apache2/error.log
Testing Configuration
Also, check your web server configuration:
For Nginx:
sudo nginx -t
For Apache:
sudo apachectl configtest
Checking HTTPS
Make sure your site is accessible via HTTPS:
curl -I https://example.com
You should see a 200 OK status and a Strict-Transport-Security header (sent only if HSTS is enabled in your server configuration), which means HTTPS is working.
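The redirect from section 5 and the headers checked above can be verified by a script that reads curl -I output instead of by eye. This is an added example, not part of the original lecture; the header dumps are constructed samples and the function names are hypothetical.

```sh
# Constructed header dumps in the shape `curl -sI` prints (not real captures).
HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://example.com/login'
HTTPS_RESPONSE='HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains'
HTTPS_NO_HSTS='HTTP/2 200
server: nginx'

# header_value NAME: print the first value of header NAME from stdin.
# Header names are case-insensitive; curl output has CRLF line endings.
header_value() {
    tr -d '\r' | awk -v want="$1" '
        { i = index($0, ":") }
        i && tolower(substr($0, 1, i - 1)) == tolower(want) {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

# is_https_redirect: succeed only for a permanent redirect (301/308)
# whose Location is an https:// URL. Reads the port-80 response on stdin.
is_https_redirect() {
    resp=$(tr -d '\r')
    status=$(printf '%s\n' "$resp" | awk 'NR == 1 { print $2 }')
    loc=$(printf '%s\n' "$resp" | header_value location)
    case "$status" in 301|308) ;; *) return 1 ;; esac
    case "$loc" in https://*) return 0 ;; *) return 1 ;; esac
}

# hsts_max_age: print the HSTS max-age in seconds; fail if the header is
# missing or max-age is 0 (which tells browsers to drop the policy).
hsts_max_age() {
    age=$(header_value strict-transport-security | tr 'A-Z' 'a-z' |
          sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -gt 0 ] && printf '%s\n' "$age"
}

# Demo on the samples. Live: curl -sI http://example.com | is_https_redirect
printf '%s\n' "$HTTP_RESPONSE" | is_https_redirect && echo "redirect: ok"
printf '%s\n' "$HTTPS_RESPONSE" | hsts_max_age
printf '%s\n' "$HTTPS_NO_HSTS" | hsts_max_age || echo "HSTS: not set"
```

A port-80 response that returns 200, or redirects to an http:// URL, fails is_https_redirect, which is the case where the site is still being served over plain HTTP.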
Now you're ready to create secure, protected HTTPS websites. Your users will be happy, Google will be happy, and you’ll sleep soundly at night knowing your data is safe from the villains of the internet.