SSL Certificate Setup: Secure Your Website with HTTPS

Introduction to SSL/TLS Certificates

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) certificates are essential for securing web traffic and protecting user data. This comprehensive guide will walk you through setting up SSL certificates using various methods, with a focus on Let's Encrypt for free certificates.

Why SSL/TLS is Important

• Data Encryption: Protects sensitive information during transmission
• Authentication: Verifies the identity of your website
• Trust: Builds user confidence with the padlock icon
• SEO Benefits: Google favors HTTPS websites in search rankings
• Compliance: Required for PCI DSS and other security standards
• Modern Features: Required for HTTP/2, service workers, and PWAs

Types of SSL Certificates

By Validation Level

• Domain Validated (DV): Basic validation, suitable for most websites
• Organization Validated (OV): Additional business verification
• Extended Validation (EV): Highest level of validation with green address bar

By Coverage

• Single Domain: Covers one specific domain
• Wildcard: Covers domain and all subdomains (*.example.com)
• Multi-Domain (SAN): Covers multiple different domains

Let's Encrypt Setup with Certbot

Installing Certbot

# Ubuntu/Debian
sudo apt update
sudo apt install -y certbot python3-certbot-nginx

# CentOS/RHEL 8+
sudo dnf install -y certbot python3-certbot-nginx

# CentOS/RHEL 7
sudo yum install -y certbot python2-certbot-nginx

Nginx Configuration

First, ensure your Nginx server block is configured correctly:

# /etc/nginx/sites-available/example.com
server {
    listen 80;
    server_name example.com www.example.com;
    
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    
    # Let's Encrypt challenge location
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}

# Enable the site
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Obtaining SSL Certificate

# Automatic Nginx configuration
sudo certbot --nginx -d example.com -d www.example.com

# Manual certificate generation
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com

# For multiple domains
sudo certbot --nginx -d example.com -d www.example.com -d api.example.com -d admin.example.com

Manual Nginx Configuration

If you prefer to configure Nginx manually:

# /etc/nginx/sites-available/example.com
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # SSL Configuration
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    
    # SSL Security Settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    
    # HSTS (HTTP Strict Transport Security)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    # Other security headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Apache Configuration

Installing Certbot for Apache

# Ubuntu/Debian
sudo apt install -y certbot python3-certbot-apache

# CentOS/RHEL
sudo yum install -y certbot python2-certbot-apache

Obtaining Certificate for Apache

# Automatic Apache configuration
sudo certbot --apache -d example.com -d www.example.com

# Manual certificate only
sudo certbot certonly --apache -d example.com -d www.example.com

Manual Apache Virtual Host

# /etc/apache2/sites-available/example.com-ssl.conf

    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    
    # SSL Security Configuration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off
    
    # HSTS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    
    # Security Headers
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff


# Redirect HTTP to HTTPS

    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/

Automatic Certificate Renewal

Setting Up Auto-Renewal

# Test renewal process
sudo certbot renew --dry-run

# Check current crontab
sudo crontab -l

# Add renewal cron job
sudo crontab -e

# Add this line for daily checks at 2 AM
0 2 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"

Systemd Timer (Alternative to Cron)

# Check if certbot timer is enabled
sudo systemctl list-timers | grep certbot

# Enable certbot timer
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer

# Check timer status
sudo systemctl status certbot.timer

Wildcard Certificates

DNS Challenge Method

# Install DNS plugin (example for Cloudflare)
sudo apt install -y python3-certbot-dns-cloudflare

# Create credentials file
sudo mkdir -p /etc/letsencrypt/
sudo nano /etc/letsencrypt/cloudflare.ini

# Add your Cloudflare credentials
dns_cloudflare_email = your-email@example.com
dns_cloudflare_api_key = your-global-api-key

# Secure the credentials file
sudo chmod 600 /etc/letsencrypt/cloudflare.ini

# Obtain wildcard certificate
sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  -d example.com \
  -d *.example.com

Custom SSL Certificates

Self-Signed Certificates (Development Only)

# Generate private key
sudo openssl genrsa -out example.com.key 2048

# Generate certificate signing request
sudo openssl req -new -key example.com.key -out example.com.csr

# Generate self-signed certificate
sudo openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt

# Combine for full chain
sudo cat example.com.crt > example.com.fullchain.pem

Commercial Certificate Installation

# If you have a commercial certificate, place files in appropriate directories
sudo mkdir -p /etc/ssl/certs/
sudo mkdir -p /etc/ssl/private/

# Copy certificate files
sudo cp example.com.crt /etc/ssl/certs/
sudo cp example.com.key /etc/ssl/private/
sudo cp intermediate.crt /etc/ssl/certs/

# Set proper permissions
sudo chmod 644 /etc/ssl/certs/example.com.crt
sudo chmod 600 /etc/ssl/private/example.com.key

SSL Testing and Validation

Command Line Testing

# Test SSL connection
openssl s_client -connect example.com:443 -servername example.com

# Check certificate expiration
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates

# Test specific TLS version
openssl s_client -connect example.com:443 -tls1_2

Online Testing Tools

• SSL Labs: https://www.ssllabs.com/ssltest/
• SSL Checker: https://www.sslchecker.com/
• Certificate Transparency: https://crt.sh/

Troubleshooting Common Issues

Certificate Not Trusted

• Ensure intermediate certificates are included
• Check certificate chain order
• Verify domain name matches certificate

Mixed Content Warnings

• Update all HTTP resources to HTTPS
• Use protocol-relative URLs (//example.com/resource)
• Implement Content Security Policy

Renewal Failures

• Check DNS resolution
• Verify web server is running
• Ensure .well-known directory is accessible
• Check firewall settings

Security Best Practices

Strong SSL Configuration

• Use TLS 1.2 and 1.3 only
• Disable weak ciphers
• Enable Perfect Forward Secrecy
• Implement HSTS
• Use OCSP stapling

Additional Security Headers

# Nginx security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'" always;

Monitoring and Maintenance

Certificate Expiration Monitoring

# Script to check certificate expiration
#!/bin/bash
DOMAIN="example.com"
EXPIRY_DATE=$(openssl s_client -connect $DOMAIN:443 -servername $DOMAIN 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
EXPIRY_EPOCH=$(date -d "$EXPIRY_DATE" +%s)
CURRENT_EPOCH=$(date +%s)
DAYS_UNTIL_EXPIRY=$(( (EXPIRY_EPOCH - CURRENT_EPOCH) / 86400 ))

if [ $DAYS_UNTIL_EXPIRY -lt 30 ]; then
    echo "Certificate expires in $DAYS_UNTIL_EXPIRY days!"
    # Send alert notification
fi

Conclusion

Implementing SSL/TLS certificates is crucial for website security and user trust. Let's Encrypt provides an excellent free solution for most use cases, while commercial certificates may be necessary for specific business requirements. Regular monitoring and maintenance ensure your certificates remain valid and secure.

Need help with SSL setup? Contact RexZ Cloud support for assistance with SSL certificate installation and configuration on your hosting account.