Securing Your Web App With Free SSL Certificate in 10 Minutes

Recently I wrote a guide on how to deploy your first web application using Apache2 on Ubuntu 18.04.

Today I will guide you through securing your application with a free SSL certificate, so that your application is only accessible via HTTPS and not HTTP. I assume you have already deployed your application as described in the previous blog post.

Here are a couple of reasons why you need to secure your site with SSL:

  • Encrypts sensitive information: This matters most for web applications that collect personal information such as emails, phone numbers and passwords, because an SSL certificate encrypts the data that goes from a user's computer to your website and back, protecting the data.
  • It helps build trust for your brand: When your website greets visiting users with the red flag of an insecure site, it spoils your reputation and brand.
  • Better search engine ranking: Google has started flagging web applications without SSL as less secure, meaning your application will not rank at the top of searches even with good search engine optimization (SEO).
  • It will help you meet the requirements of your country's data protection policy. For some applications, such as fintech, a good SSL certificate and configuration is a requirement you need to pass.

Implementation

We will use Let's Encrypt, which is a free, automated, and open certificate authority. To easily get the certificate configured, we will use Certbot, which is a free, open source software tool for automatically using Let's Encrypt certificates on manually-administrated websites to enable HTTPS.

If you are using another web server or a different OS, go to the Certbot site and select your configuration, and you will be provided with the commands to run. This guide uses the Apache on Ubuntu 18.04 configuration.

Setting Certificates

  1. Add the Certbot PPA to your list of repositories:

    sudo apt-get update
    sudo apt-get install software-properties-common
    sudo add-apt-repository universe
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update

  2. Install Certbot:

    sudo apt-get install certbot python3-certbot-apache

  3. Get and install your certificates. Run this command to get a certificate and have Certbot edit your Apache configuration automatically to serve it, turning on HTTPS access in a single step:

    sudo certbot --apache

    Follow the prompts that are presented during the setup. One important prompt to take note of is: "Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access." Choose the second option, "2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites."

    This makes sure that all users trying to access the site through the insecure URL http://myexampledomain.com are directed to the secure URL https://myexampledomain.com

  4. Test automatic renewal. The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again unless you change your configuration. You can test automatic renewal for your certificates by running this command:

    sudo certbot renew --dry-run

Testing Configuration

Following the steps above, one major thing happened: a new file was created at /etc/apache2/sites-available/myexampledomain.com-le-ssl.conf. Below is the file's content:


	<IfModule mod_ssl.c>
	<VirtualHost *:443>
	    # ServerAdmin: The email address of the admin
	    # ServerName: Specifies what hostname must appear in the request's Host: header to match this virtual host.
	    # ServerAlias: A name that should match as a basename
	    # DocumentRoot: Directory containing the application files

	    ServerAdmin [email protected]
	    ServerName myexampledomain.com
	    ServerAlias www.myexampledomain.com
	    DocumentRoot /var/www/myexampledomain.com

	    # Custom error log files. Renaming them like this helps you identify errors if you have a problem loading your web app.
	    ErrorLog ${APACHE_LOG_DIR}/myexampledomain_error.log
	    CustomLog ${APACHE_LOG_DIR}/myexampledomain_access.log combined

	    SSLCertificateFile /etc/letsencrypt/live/myexampledomain.com/fullchain.pem
	    SSLCertificateKeyFile /etc/letsencrypt/live/myexampledomain.com/privkey.pem
	    Include /etc/letsencrypt/options-ssl-apache.conf
	</VirtualHost>
	</IfModule>

Also, the original /etc/apache2/sites-available/myexampledomain.com.conf was edited at the bottom to force redirection to the secure URL, with the following content:


    RewriteEngine on
    RewriteCond %{SERVER_NAME} =myexampledomain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

After the above step, visit your site at myexampledomain.com in the browser; you should see a secure lock on your tab. When you click on it and then select the certificate, you will see that the certificate was issued by Let's Encrypt. If you don't see that, try accessing the URL in an incognito window or clear your browser cache.

Next, go to SSL Labs and test how well you have configured your server. A grade will be awarded for your configuration. The goal is to get the highest grade possible, meaning your configuration is correct. One very common error that you may come across is:

myexampledomain.com redirected you too many times, ERR_TOO_MANY_REDIRECTS

Here is how to solve it:

If you are using Cloudflare, go to the SSL/TLS tab and change the SSL/TLS encryption mode from whatever it is to the Full (strict) option.

If the error persists, check inside the newly created SSL file /etc/apache2/sites-available/myexampledomain.com-le-ssl.conf and make sure you do not have any redirect directive inside the file.
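The check on the SSL vhost file can be scripted. The following is an added example, not part of the original post: a shell function that lists active redirect directives inside `<VirtualHost *:443>` blocks. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report active redirect
# directives inside <VirtualHost *:443> blocks of an Apache config file.
# Prints "line N: directive" per hit and returns 1 if any were found.
ssl_vhost_redirects() {
    awk '
        function hit() { sub(/^[ \t]+/, ""); printf "line %d: %s\n", FNR, $0; found = 1 }
        /^[ \t]*#/ { next }                               # ignore comments
        tolower($0) ~ /<virtualhost[^>]*:443>/ { in_ssl = 1; next }
        tolower($0) ~ /<\/virtualhost>/        { in_ssl = 0; next }
        !in_ssl { next }                                  # port-80 vhosts may redirect
        tolower($1) ~ /^redirect(match|permanent|temp)?$/ { hit(); next }
        tolower($1) == "rewriterule" && $3 ~ /^https?:\/\// { hit() }
        END { exit found + 0 }
    ' "$1"
}

# Constructed samples: an SSL vhost that redirects to itself, and a clean port-80 vhost.
write_samples() {
    cat > "$1/loop-le-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName myexampledomain.com
    # RewriteRule ^ https://commented.example/ [R]
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
EOF
    cat > "$1/ok.conf" <<'EOF'
<VirtualHost *:80>
    ServerName myexampledomain.com
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.conf; do
    if ssl_vhost_redirects "$f"; then echo "${f##*/}: no redirect inside the SSL vhost"
    else echo "${f##*/}: remove the directive listed above from the SSL vhost"; fi
done
rm -rf "$tmp"
```

On a real server, pass the path of the `-le-ssl.conf` file to `ssl_vhost_redirects` instead of the samples.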

With this configuration I got a rating of **B** from SSL Labs, mainly because of support for low protocols.

If you want to try and improve the grade, you can use this blog to get an understanding of the configuration changes to make.

This will include selecting a strong SSL cipher suite as well as disabling all old and unsafe protocols older than TLS 1.2.
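To see which protocol versions a given Apache `SSLProtocol` line leaves enabled, here is an added example (not from the original post) that evaluates the directive's arguments and flags anything older than TLS 1.2. It assumes a build where `all` expands to SSLv3 through TLSv1.3; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Evaluates the arguments of an
# Apache SSLProtocol directive and lists the protocol versions left enabled.
# Assumption: "all" expands to SSLv3..TLSv1.3 (depends on the Apache/OpenSSL build).
ALL="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

enabled_protocols() {            # usage: enabled_protocols all -SSLv3 ...
    on=""
    for tok in "$@"; do
        case $tok in
            +*) op=add; name=${tok#+} ;;
            -*) op=del; name=${tok#-} ;;
            *)  op=set; name=$tok; on="" ;;   # a bare name replaces the list
        esac
        if [ "$name" = all ]; then names=$ALL; else names=$name; fi
        for n in $names; do
            kept=""
            for x in $on; do [ "$x" = "$n" ] || kept="$kept $x"; done
            if [ "$op" = del ]; then on=$kept; else on="$kept $n"; fi
        done
    done
    out=""
    for n in $ALL; do            # print in protocol order
        case " $on " in *" $n "*) out="$out $n" ;; esac
    done
    echo "${out# }"
}

weak_protocols() {               # enabled versions older than TLS 1.2
    out=""
    for p in $(enabled_protocols "$@"); do
        case $p in TLSv1.2|TLSv1.3) ;; *) out="$out $p" ;; esac
    done
    echo "${out# }"
}

# Constructed SSLProtocol lines, as they might appear in an SSL options file.
while read -r directive args; do
    [ "$directive" = SSLProtocol ] || continue
    weak=$(weak_protocols $args)
    echo "SSLProtocol $args -> enabled: $(enabled_protocols $args); below TLS 1.2: ${weak:-none}"
done <<'EOF'
SSLProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol -all +TLSv1.2 +TLSv1.3
EOF
```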

The steps on getting an A or A+ rating will be in my next blog, so stay tuned.
