Easy SSL Encryption with Certbot

If you're reading this post on NixMash.com and look up to the address bar you'll see a lovely Secure designation and a web address starting with https://.

https address

When I began investigating how to add SSL to my websites I was overwhelmed with the various configuration options based on the type of website and web server. Was it Apache? Jetty? Embedded? Using Spring?

I needed to encrypt traffic to two different sites, both are Java Jars running Embedded Jetty, one is built with Bootique and the other Spring Boot. Both run at ports configured with the Apache2 Proxy Module. I described that setup in this NixMash Post.

What Type of Certificate and From Where?

The first question was what type of certificates did I need and from where should I get them? I read about OpenSSL and KeyTool utilities to create self-signing certificates in Linux but since my sites were public facing I needed a certificate from a trusted certificate authority.

There were lots of places to buy certificates at a decent price, but then I discovered Certbot from the Electronic Freedom Foundation for managing Let's Encrypt Certificates. Free, easy to install, and as you can see, does the job beautifully!

Installing Certbot on the Development Server

For starters, let's talk about adding SSL to http://localhost or a local development site, say, http://nixmash. It's natural to start here, to get a feel for the process before duplicating the setup on your Cloud Server or VPS.

Let me save you some time: it ain't gonna happen. Certificates are only valid for public sites. Go straight to your Public Server's command line and enter to following.

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot

Since my sites are executable Java Jars with embedded Jetty running at ports redirected with Apache Proxy Module, we need to add the Certbot Apache Plugin.

$ sudo apt-get install python-certbot-apache

Certbot Configuration

What's beautiful about this approach is that the encryption takes place between the browser and the Apache Server. Apache handles all of the encryption work, and Certbot handles all of the Apache Configuration! No changes required in the Bootique YAML config or Spring application.settings files. No listeners required in Spring to make sure Certificates are up-to-date, no Jetty sslContextFactory to code, just Certbot and Apache. In fact, with the Certbot Apache Module, you can create and renew certificates with no downtime to Apache or any of your sites.

Adding a Let's Encrypt Certificate to a website is really complicated. Here it is:

$ sudo certbot --apache

Haha. That was a setup. Ridiculously simple. Here's a tip though, when prompted for which sites to create a certificate for chose only ONE DOMAIN. nixmash.com and www.nixmash.com are fine, but not nixmash.com and someotherdomain.com. One Certificate per site for cleanliness.

What the Configuration Does

The Certbot Apache Plugin does two things for you. First it adds SSL redirects in the site's .conf file. Those are the last 3 lines shown here.

It also creates an SSL configuration file in your Apache /sites-available directory for each site. Using NixMash as example, the name of the new nixmash.com SSL .conf file would be nixmash.com-le-ssl.conf. The main function of the -le-ssl.conf file is to list the location of the site's certificate info.

Let's Encrypt Certificate Renewal

Certificates expire and need renewed periodically. Let's Encrypt Certificates must be renewed every 6 months. If you read about the Certbot renew process you'll probably see a lot about different strategies depending on your web server and Java framework. Most of these strategies require creating a cron job that runs every day or so. Here again we'll let Certbot do the work for us, because the Apache Plugin has already created a renewal cron job for us! It is shown below and as you can see runs every 12 hours. When at the end of 6 months and the renew check finds that the Certificate is near expiration, a new one is created and applied automatically. And with no downtime to Apache or your websites!

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

Happy Endings

Like I said at the top, going in cold on SSL Certificates can be overwhelming, but as we've seen here, thanks to Certbot and the Electronic Freedom Foundation, adding encryption couldn't be easier.