How to Convert a Website from HTTP to HTTPS

An http website is not encrypted. That is to say, the data comprising the site is not encrypted as it flows from the web server to the device (PC, phone, tablet) on which the user is viewing the page. Anyone able to “listen in” on the network could read that data, which is a security risk. An https website is different: the data is encrypted. The web server encrypts each web page before transmission, and the user’s browser decrypts it, providing end-to-end protection from eavesdropping.

This article explains how to convert an existing basic website to https by obtaining a free digital certificate from Let’s Encrypt. It is based on a Raspberry Pi running the “Apache” web server, but will also work on other Linux systems. It is intended for home users and people running small-scale web sites, and as a learning aid.

Note: Before using this procedure, your website must already be up and running (under http), it must have a domain name and it must be visible from the Internet. You should also be comfortable with editing and copying text files. If you don’t have a website, this article explains how to set one up on a Raspberry Pi.

Note: Your website will be offline, at least briefly, while this procedure is carried out.

Note: At the successful conclusion of this procedure, the URL for your site will have changed. It will start with “https:” instead of “http:”. If you are running a large scale or commercial site, please consider this eventuality carefully. Links that point to your site now will no longer work after the change. If you are using a content management system such as WordPress, it will also need a small reconfiguration to tell it about the new URL.

The Certificate

The functioning of an https website is based around an SSL/TLS certificate. This is a small file located on the web server containing security information. There is another small file too, containing a key that goes with the certificate. The two files work to identify the server to the user and provide encryption of the web data.

Moving a site from http to https is really just a matter of obtaining a certificate, configuring it into Apache and then restarting Apache.

Ways of Getting a Certificate

There are three main ways to get a valid certificate.

  • Create your own certificate
  • Buy a certificate from a provider such as 123-reg or Comodo
  • Obtain a free certificate from the Let’s Encrypt project.

The first option, creating your own certificate, is quite easily done using a few openssl commands. Many procedures on the Internet show how to do this, and I am not going to detail it here. The drawback with a “self-signed” certificate is that although it will encrypt your website, it will also cause a large warning to be displayed in the user’s browser. The warning will say that your certificate is self-signed and, therefore, that your site ought not to be trusted. The web page will not be displayed at all until the user has acknowledged this and other warnings. Self-signed certificates are really only suitable for testing.

Buying a certificate is the second option. Certificates of various levels can be purchased. After buying a certificate, you must undergo a vetting process with the seller. They will verify who you are (and your company, if applicable). The higher the level of the certificate, the more expensive it is, and the longer the vetting process. Cheapest are certificates offering “DV”, Domain Verification. Owning a DV level certificate really just proves that you control the website, and little vetting is involved. The next level up is “OV”, or “Organization Verification”. Applying to companies, it proves that your company is real, is what it claims to be, and can be trusted. The OV vetting process is quite long and can involve letters and phone calls. Even higher levels of trust are represented by EV, Enterprise Verification, and the vetting process is correspondingly lengthy.

In this procedure, the website will be secured with a Let’s Encrypt certificate. Let’s Encrypt is a Certificate Authority that issues free digital certificates. It is also a non-profit project set up with the aim of improving security on the Internet by increasing the number of sites using https. You can read more about Let’s Encrypt elsewhere.

Obtain the Let’s Encrypt Certificate

Let’s Encrypt certificates offer “DV” class verification. Using such a certificate will prove that you own your domain name and control your website. In order to verify that, the Let’s Encrypt project will give you a token to put under your website, and they will then read that token over the Internet, using your domain name.

The whole process is done with a single command called “certbot”. Proceed as follows.

Install certbot:

raspberrypi$ sudo apt-get update
raspberrypi$ sudo apt-get install python-certbot-apache

The installation will take a couple of minutes and several other packages will be installed.

Now run certbot in “certonly” mode, using the following example as a guide. It will ask a number of questions which you must answer appropriately. In answer to the first question “How would you like to authenticate with the ACME CA?”, answer option 2 (place files in a webroot directory). Answer other questions as below.

– Enter your email address as requested.
– Enter “a” to accept the terms of service.
– Enter your domain name as requested.
– Enter “1” to confirm the selection of “webroot”.
– Enter “/var/www/html/<your domain name>” when asked for a webroot.

So if your domain name were “unixetc.co.uk”, you would answer the last question “/var/www/html/unixetc.co.uk”, the default location of your website root under Apache.

The new certificate will be generated, verified and saved to your Pi under the new directory /etc/letsencrypt.

raspberrypi$ sudo certbot certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Place files in webroot directory (webroot)
3: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 

Select the webroot for :
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for : (Enter 'c' to cancel):/var/www/html/<your domain name>
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/<your domain name>/fullchain.pem. Your cert
   will expire on 2018-07-06. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to <your email address>
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The new certificate is under the new directory /etc/letsencrypt, with a few other files, as explained in the file /etc/letsencrypt/live/<your domain name>/README:

`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).

Install the Certificate

Copy the new certificate, and its accompanying key file, into place:

raspberrypi$ sudo cp /etc/letsencrypt/live/<your domain name>/fullchain.pem /etc/ssl/certs/<your domain name>.fullchain.pem
raspberrypi$ sudo cp /etc/letsencrypt/live/<your domain name>/privkey.pem /etc/ssl/private/<your domain name>.privkey.pem

So if I were securing a site called unixetc.co.uk, I would type:

raspberrypi$ sudo cp /etc/letsencrypt/live/unixetc.co.uk/fullchain.pem /etc/ssl/certs/unixetc.co.uk.fullchain.pem
raspberrypi$ sudo cp /etc/letsencrypt/live/unixetc.co.uk/privkey.pem /etc/ssl/private/unixetc.co.uk.privkey.pem
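
A check for the pair just copied, added here as an example and not part of the original article: it confirms that the key belongs to the certificate, that the key file is readable only by its owner, that the certificate is not close to expiry, and that the copy is still identical to certbot's live file. The function name check_pair and the 30-day margin are assumptions; the last check matters because certbot renews the files under /etc/letsencrypt/live, not copies made with cp.

```shell
#!/bin/sh
# Added example: verify an installed certificate/key pair.
# check_pair CERT KEY [LIVE_CERT] prints findings; returns 0 only if all pass.
# The 30-day expiry margin is an assumption, not a value from the article.
check_pair() {
    cert=$1 key=$2 live=${3:-} rc=0

    # 1. Both files must parse, and must contain the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot read certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: cannot read private key $key"; return 1; }
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK: key matches certificate"
    else
        echo "FAIL: key does not belong to this certificate"; rc=1
    fi

    # 2. The private key must not be accessible to group or others.
    mode=$(ls -lLd "$key" | cut -c5-10)
    if [ "$mode" = "------" ]; then
        echo "OK: key is private to its owner"
    else
        echo "FAIL: key permissions too open (chmod 600 $key)"; rc=1
    fi

    # 3. The certificate must stay valid for at least 30 more days.
    if openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null; then
        echo "OK: more than 30 days of validity left"
    else
        echo "FAIL: expires within 30 days; run 'certbot renew' and re-copy"; rc=1
    fi

    # 4. Optional: the copy should be identical to certbot's live file.
    if [ -n "$live" ] && ! cmp -s "$cert" "$live"; then
        echo "FAIL: $cert differs from $live (stale copy after a renewal?)"; rc=1
    fi
    return $rc
}

# Run directly: sudo sh check_pair.sh CERT KEY [LIVE_CERT]
if [ "$#" -ge 2 ]; then check_pair "$@"; fi
```

Run it with sudo, since /etc/ssl/private is normally readable only by root.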

Reconfigure Apache

It is time to tell the Apache web server to use the new certificate and serve your site as https.
Up to now, there has been no change to your current website. Before making any changes, we will take a copy of the configuration file. This will allow all changes to be easily undone later on, if required. Back up your site’s present configuration file as follows.

raspberrypi$ cd /etc/apache2/sites-available
raspberrypi$ sudo cp unixetc.co.uk.conf unixetc.co.uk.conf.save

Now change the configuration. Using your favourite editor, modify the Apache configuration file for your site, which will normally be /etc/apache2/sites-available/<your domain name>.conf. If I were securing the site unixetc.co.uk, then with the backup copy made above in place, I would edit the configuration file with vi as follows:

raspberrypi$ sudo vi unixetc.co.uk.conf

Somewhere near the top of the file will be a line

<VirtualHost *:80>

Change it to

<VirtualHost *:443>

Then, within that VirtualHost section, add these 3 lines. The last two point to your newly installed certificate and key files.

SSLEngine on
SSLCertificateFile /etc/ssl/certs/<your domain name>.fullchain.pem
SSLCertificateKeyFile /etc/ssl/private/<your domain name>.privkey.pem

…and save the file.

Now, make sure that the Apache SSL module is enabled. Proceed as follows.

raspberrypi$ sudo a2enmod ssl

A few messages about dependent modules might be printed.

Finally, restart the Apache web server:

raspberrypi$ sudo service apache2 restart
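
A lint for the edited site file, added here as an example and not part of the original article: it reports a *:443 block that is missing any of the three SSL lines (a block on port 443 without SSLEngine on is still valid Apache syntax), a private key placed inside the DocumentRoot, and the absence of a port 80 block. The names lint_vhost and demo and the example.test domain are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: lint an Apache site file after the port 80 -> 443 edit.
# lint_vhost FILE ("-" reads stdin) prints findings and returns 0 only if
# every *:443 block is complete and at least one such block exists.
lint_vhost() {
    awk '
    /^[ \t]*#/ { next }                            # skip comment lines
    { d = tolower($1); v = $2; gsub(/"/, "", v) }  # directive names ignore case
    d == "<virtualhost" {                          # e.g. <VirtualHost *:443>
        port = v; sub(/^.*:/, "", port); sub(/>.*$/, "", port)
        eng = cert = key = root = ""
    }
    d == "sslengine"             { eng = tolower(v) }
    d == "sslcertificatefile"    { cert = v }
    d == "sslcertificatekeyfile" { key = v }
    d == "documentroot"          { root = v }
    d == "</virtualhost>" {
        if (port == "80") plain++
        if (port != "443") next
        tls++
        if (eng != "on") { print "FAIL: *:443 block without SSLEngine on"; bad = 1 }
        if (cert == "")  { print "FAIL: *:443 block without SSLCertificateFile"; bad = 1 }
        if (key == "")   { print "FAIL: *:443 block without SSLCertificateKeyFile"; bad = 1 }
        if (key != "" && root != "" && index(key, root "/") == 1) {
            print "FAIL: private key " key " lies inside DocumentRoot"; bad = 1
        }
    }
    END {
        if (!tls)   { print "FAIL: no <VirtualHost *:443> block"; bad = 1 }
        if (!plain) print "NOTE: no *:80 block, so http:// URLs will not be answered"
        exit bad + 0
    }' "$1"
}

# Demo on a constructed config (example.test is a placeholder domain):
# the port was changed to 443 but "SSLEngine on" was forgotten.
demo() {
    printf '%s\n' '<VirtualHost *:443>' \
        '  DocumentRoot /var/www/html/example.test' \
        '  SSLCertificateFile /etc/ssl/certs/example.test.fullchain.pem' \
        '  SSLCertificateKeyFile /etc/ssl/private/example.test.privkey.pem' \
        '</VirtualHost>' | lint_vhost -
}
demo || true
```

Apache's own syntax check, sudo apache2ctl configtest, is worth running before the restart as well; it catches typing errors in the file but not a missing SSL line.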

Forward the HTTPS Port from your Router

You should log into your router’s admin page and make sure that port 443 is forwarded to your Pi (web server). (Port 80 will already be forwarded, as your site was already available as http.) The exact procedure depends on what model of router you have, but it should not be difficult.

Test the Secured Site

Surf to your website, using https:// rather than http://. The site should appear as normal, but with a green padlock in the address bar (or similar, depending on which browser you are using). The green padlock confirms that the site is encrypted with a valid certificate. By clicking on the padlock, you can see more information. In particular, you should see a message saying “Verified by: Let’s Encrypt”, or similar.

Notes

  • After completing the procedure above, your site will be on a new https:// address and will no longer be available under the old http:// address. Links to your site will no longer work. If this causes a problem and you want to revert, see the last point below.
  • It is possible to have both http and https versions of the site available, although it may be undesirable because search engines might then be indexing your site under two names. To implement, put both the http and https Apache configurations in the same configuration file and restart Apache. It might be as simple as concatenating the old file onto the end of the new one, but it depends on your files and is beyond the scope of this article.
  • If you are using a content management system like WordPress, GetSimple or similar, it might be necessary to edit that software’s configuration and tell it about the address change. For example, in WordPress you must change the “WordPress Address” and “Site Address” under Settings -> General, and this must be done before carrying out the procedure above. If you need to revert to make the change, see the last point below.
  • If you want to reverse the above procedure and put your site back to how it was, under http://, use the backup file created above to replace the edited file. For example, if I had secured my site unixetc.co.uk and then wanted to move it back, perhaps because of a technical problem, I would execute the following commands:
    raspberrypi$ cd /etc/apache2/sites-available
    raspberrypi$ sudo cp unixetc.co.uk.conf unixetc.co.uk.conf.new
    raspberrypi$ sudo cp unixetc.co.uk.conf.save unixetc.co.uk.conf
    raspberrypi$ sudo service apache2 restart

    …and the site would reappear exactly as before.

Thanks for reading. I hope this article has been reasonably clear and not too fiddly.
