An http website is not encrypted. That is to say, the data comprising the site is not encrypted as it flows from the web server to the device (pc, phone, tablet) on which the user is viewing the page. Anyone able to “listen in” on the network could read that data, which is a security risk. An https web site is different. Data is encrypted. The web server encrypts each web page before transmission, and the user’s browser decrypts it, providing end-to-end protection from eavesdropping.
This article explains how to convert an existing basic website to https by obtaining a free digital certificate from Let’s Encrypt. It is based on a Raspberry Pi running the “Apache” web server, but will also work on other Linux systems. It is intended for home users and people running small-scale web sites, and as a learning aid.
Note: Before using this procedure, your website must already be up and running (under http), it must have a domain name and it must be visible from the Internet. You should also be comfortable with editing and copying text files. If you don’t have a website, this article explains how to set one up on a Raspberry Pi.
Note: Your website will be off line, at least briefly, while this procedure is carried out.
Note: At the successful conclusion of this procedure, the URL for your site will have changed. It will start with “https:” instead of “http:”. If you are running a large scale or commercial site, please consider this eventuality carefully. Links that point to your site now will no longer work after the change. If you are using a content management system such as WordPress, it will also need a small reconfiguration to tell it about the new URL.
The Certificate
The functioning of an https website is based around an SSL/TLS certificate. This is a small file located on the web server containing security information. There is another small file too, containing a key that goes with the certificate. The two files work together to identify the server to the user and provide encryption of the web data.
Moving a site from http to https is really just a matter of obtaining a certificate, configuring it into Apache and then restarting Apache.
Ways of Getting a Certificate
There are three main ways to get a valid certificate.
- Create your own certificate
- Buy a certificate from a provider such as 123-reg or Comodo
- Obtain a free certificate from the Let’s Encrypt project.
The first option, creating your own certificate, is quite easily done using a few openssl commands. Many procedures on the Internet show how to do this, and I am not going to detail it here. The drawback with a “self signed” certificate is that although it will encrypt your web site, it will also cause a large warning to be displayed in the user’s browser. The warning will say that your certificate is self signed and, therefore, that your site ought not to be trusted. The web page will not even be displayed at all until the user has acknowledged this and other warnings. Self signed certificates are really only suitable for testing.
Buying a certificate is the second option. Certificates of various levels can be purchased. After buying a certificate, you must undergo a vetting process with the seller. They will verify who you are (and your company, if applicable). The higher the level of the certificate, the more expensive it is, and the longer the vetting process. Cheapest are certificates offering “DV”, Domain Verification. Owning a DV level certificate really just proves that you control the web site, and little vetting is involved. The next level up is “OV”, or “Organization Verification”. Applying to companies, it proves that your company is real, is what it claims to be, and can be trusted. The OV vetting process is quite long and can involve letters and phone calls. Even higher levels of trust are represented by EV, Enterprise Verification, and the vetting process is correspondingly lengthy.
In this procedure, the website will be secured with a Letsencrypt certificate. Letsencrypt is a Certificate Authority that issues free digital certificates. It is also a non-profit project set up with the aim of improving security on the Internet by increasing the number of sites using https. You can read more about Letsencrypt elsewhere.
Obtain The Letsencrypt Certificate
Letsencrypt certificates offer “DV” class verification. Using such a certificate will prove that you own your domain name and control your website. In order to verify that, the Letsencrypt project will give you a token to put under your website, and they will then read that token over the Internet, using your domain name.
The whole process is done with a single command called “certbot“. Proceed as follows.
Install certbot:
```
raspberrypi$ sudo apt-get update
raspberrypi$ sudo apt-get install python-certbot-apache
```
The installation will take a couple of minutes and several other packages will be installed.
Now run certbot in “certonly” mode, using the following example as a guide. It will ask a number of questions which you must answer appropriately. In answer to the first question, “How would you like to authenticate with the ACME CA?”, choose the “Place files in webroot directory (webroot)” option, which is number 2 in the menu shown in the transcript below. Then answer the other questions as below.
- Enter your email address as requested.
- Enter “a” to accept the terms of service.
- Enter “y” or “n” to join the mailing list, or not, as you prefer.
- Enter your domain name as requested.
- Enter “/var/www/html/<your domain name>” when asked for a webroot.
So if your domain name were “unixetc.co.uk”, you would answer the last question “/var/www/html/unixetc.co.uk”, the default location of your website root under Apache.
The new certificate will be generated, verified and saved to your Pi under the new directory /etc/letsencrypt.
```
raspberrypi$ sudo certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Place files in webroot directory (webroot)
3: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Select the webroot for :
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for : (Enter 'c' to cancel):/var/www/html/<your domain name>
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/<your domain name>/fullchain.pem. Your cert will
   expire on 2018-07-06. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot renew"
 - If you lose your account credentials, you can recover through e-mails
   sent to <your email address>
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this
   folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this
   folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
The new certificate is under the new directory /etc/letsencrypt, with a few other files, as explained in the file /etc/letsencrypt/live/<your domain name>/README:
```
`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).
```
Install the Certificate
Copy the new certificate, and its accompanying key file, into place:
```
raspberrypi$ sudo cp /etc/letsencrypt/live/<your domain name>/fullchain.pem /etc/ssl/certs/<your domain name>.fullchain.pem
raspberrypi$ sudo cp /etc/letsencrypt/live/<your domain name>/privkey.pem /etc/ssl/private/<your domain name>.privkey.pem
```
So if I were securing a site called unixetc.co.uk, I would type:
```
raspberrypi$ sudo cp /etc/letsencrypt/live/unixetc.co.uk/fullchain.pem /etc/ssl/certs/unixetc.co.uk.fullchain.pem
raspberrypi$ sudo cp /etc/letsencrypt/live/unixetc.co.uk/privkey.pem /etc/ssl/private/unixetc.co.uk.privkey.pem
```
Reconfigure Apache
It is time to tell the Apache web server to use the new certificate and serve your site as https.
Up to now, there has been no change to your current website. Before making any changes, we will take a copy of the configuration file. This will allow all changes to be easily undone later on, if required. Back up your site’s present configuration file as follows.
```
raspberrypi$ cd /etc/apache2/sites-available
raspberrypi$ sudo cp unixetc.co.uk.conf unixetc.co.uk.conf.save
```
Now proceed to change the configuration. Using your favourite editor, modify the Apache configuration file for your site. This will normally be in /etc/apache2/sites-available/<your domain name>.conf. If I were securing the site unixetc.co.uk, having made the backup copy above, I would edit the configuration file with vi as follows:
```
raspberrypi$ sudo vi unixetc.co.uk.conf
```
Somewhere near the top of the file will be a line
```
<VirtualHost *:80>
```
Change it to
```
<VirtualHost *:443>
```
Then, within that VirtualHost section, add these 3 lines. The last two point to your newly installed certificate and key files.
```
SSLEngine on
SSLCertificateFile /etc/ssl/certs/<your domain name>.fullchain.pem
SSLCertificateKeyFile /etc/ssl/private/<your domain name>.privkey.pem
```
…and save the file.
Now, make sure that the Apache SSL module is enabled. Proceed as follows.
```
raspberrypi$ sudo a2enmod ssl
```
A few messages about dependent modules might be printed.
Finally, restart the Apache web server:
```
raspberrypi$ sudo service apache2 restart
```
Forward the HTTPS Port from your Router
You should log into your router’s admin page and make sure that port 443 is forwarded to your Pi (web server). (Port 80 will already be forwarded, as your site was already available as http.) The exact procedure depends on what model of router you have, but it should not be difficult.
Test the Secured Site
Surf to your website, using https:// rather than http://. The site should appear as normal, but with a green padlock in the address bar (or similar, depending on which browser you are using). The green padlock confirms that the site is encrypted with a valid certificate. By clicking on the padlock, you can see more information. In particular, you should see a message saying “Verified by: Let’s Encrypt“, or similar.
Notes
- After completing the procedure above, your site will be on a new https:// address and will no longer be available under the old http:// address. Links to your site will no longer work. If this causes a problem and you want to revert, see the last point below.
- It is possible to have both http and https versions of the site available, although this may be undesirable because search engines might then index your site under two names. To implement it, put both the http and https Apache configurations in the same configuration file and restart Apache. It might be as simple as concatenating the old file onto the end of the new one, but it depends on your files and is beyond the scope of this article.
- If you are using a content management system like WordPress, GetSimple or similar, it might be necessary to edit that software’s configuration and tell it about the address change. For example, in WordPress you must change the “WordPress Address” and “Site Address” under Settings -> General. This must be done before carrying out the procedure above. If you need to revert in order to make the change, see the last point below.
- If you want to reverse the above procedure, and put your site back to how it was, under http://, use the backup file created above. Replace the edited file with the saved one, for example, if I had secured my site unixetc.co.uk and then wanted to move it back, perhaps because of a technical problem, I would execute the following commands:
```
raspberrypi$ cd /etc/apache2/sites-available
raspberrypi$ sudo cp unixetc.co.uk.conf unixetc.co.uk.conf.new
raspberrypi$ sudo cp unixetc.co.uk.conf.save unixetc.co.uk.conf
raspberrypi$ sudo service apache2 restart
```
…and the site would reappear exactly as before.
Thanks for reading. I hope this article has been reasonably clear and not too fiddly.
Hi, somehow I get an “access through untrusted domain” error when I try logging into nextcloud using: myip/nextcloud
I looked one some forums and they point to this:
https://docs.nextcloud.com/server/14/admin_manual/installation/installation_wizard.html#trusted-domains
I’m trying to edit this using this command line:
nano /var/nextcloud/config/config.php
but I get an access denied. How am I supposed to edit this? Why did this start?
Hi Josh, I am not sure how to help, as your comment is a little confusing. First, it does not seem to relate to the above article. You might be referring to another article in this site called Simple Nextcloud Installation on Raspberry Pi. Secondly, even that article does not mention anything about editing the config.php file.
I am not sure what procedure you have been following, so it is difficult to offer help. However, if you want to edit the config.php file, you will need to use “sudo” as it is a secure file. Try “sudo nano /var/nextcloud/config/config.php”.
Hi.
First thanks for your help.
I arrived here after “Simple Nextcloud Installation on Raspberry Pi” to create https but when I check the option “Place files in webroot…”, certbot ask me about my domain name, I put “nextcloud” and then: “An unexpected error occurred:
Error creating new order :: Cannot issue for “nextcloud”: DNS name does not have enough labels”
I understand that the problem is that nextcloud is not the name of the domain.
Can you help me?
Thanks,
Hi Rafa. “Nextcloud” is not a domain name. A domain name is a string uniquely identifying your website on the Internet. Before starting the above procedure, you must register a domain name and point it to your IP address. For more information, Google “domain name” or “buy domain name”.
Cheers,
Jim.
A note for some who might come across this error when using certbot.
The error I got was this: “Failed authorization procedure.” Along with the requested resource. I followed [this earlier tutorial](http://unixetc.co.uk/2017/06/04/using-a-domain-name-with-a-raspberry-pi-web-server/) to set up the server with a domain name, but when editing the “webdemo.dtdns.net.conf” file (or the one with my real domain name), I had to also change the “DocumentRoot” from “/var/www/html” to “/var/www/html/webdemo.dtdns.net”.
That way the apache server’s default root directory stays at “/var/www/html”, but for the website available on “webdemo.dtdns.net”, the root directory is the other one, and also the same as mentioned in the tutorial above, where it says to input the webroot directory “/var/www/html/”.
Hi Lars. The article above and the other procedure are not designed to work together as a single configuration, but I can see why you have done it, and well done for making them work together.
Jim
Hi, my domain name comes with a free wildcard DV level SSL cert. I can download it to my laptop from the domain registrar’s control panel but I’m not sure how to go about installing it on my apache web server. When I download the certificate I get a single file in .cer format. I can also download an intermediate certificate which is also a single file in .cer format. Any help on this would be really appreciated.
Hi Jonathan, I don’t know the answer, but your certificate provider should give instructions on how to deal with the .cer file and install it into your web server. Cheers, Jim.
Thanks for the response Jim, I realise the info provided was pretty sparse. As it happens my domain registrar (who provided the cert) were no help at all (I suspect I was speaking to a sales rep who was just trying to sell me stuff rather than technical support) but I do think I have managed a workaround. I haven’t gotten so far as to fully test it yet but for the benefit of anyone who finds themselves in a similar situation I got my certificate reissued which gave me access to the private key. I then downloaded the .cer file, transferred it to the rPi and used openssl to convert from .cer to .crt with the following command
```
openssl x509 -inform PEM -in [filepath]/[certificate-name].cert -out [desired-certificate-name].crt
```
I then popped the cert and key in /etc/ssl/certs and /etc/ssl/keys respectively.
Hi Jonathan. Glad you got it working and thanks for coming back with the answer. Jim