Tech Monger

Programming, Web Development and Computer Science.

Skip to main content| Skip to information by topic

Let's Encrypt Static Website on Google Cloud

In this tutorial we will make use of free ssl certificate provided by Lets Encrypt to make website secure by enabling HTTPS. We will install certificate provided by lets encrypt using EFF's certbot client.


Steps to Install Let's Encrypt's Free SSL Certificates


  1. Prerequisites
  2. Before proceeding with this tutorial we assume that you have successfully setup website on google cloud and website is accessible via domain. We also assume that you can ssh your cloud vm either from web browser using google cloud console or by configuring public key based ssh connection from local machine.


  3. Enable HTTPS for Google Cloud VM
  4. Open Google Compute Engine Instance and Select Edit to enable HTTPS traffic.

    Activate HTTPS - Compute Engine Instance
    Enable HTTPS - Firewall Rule

    This will create firewall rule to open port 443 on compute instance and facilitate serving of HTTPS request after certificate installation.


  5. SSH Google Cloud VM
  6. SSH to cloud vm from from your local machine.

    techmonger@ubuntu:~$ ssh 93.184.216.34
    
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    
    techmonger@google-vm:~$
    

  7. Backup Apache Configuration Files
  8. Before proceeding with certificate installation, it is important to have backup of existing Webserver configuration files. Certificate installation program will modify configuration file during certificate installation. Backing up existing configuration file will give us opportunity to restore old configuration back if anything is not working as expected after certificate installation.

    $ mkdir /tmp/apache_config_backup/
    $ cp -r /etc/apache2/* /tmp/apache_config_backup/
    

  9. Install Certbot Client
  10. We have created VM instance with Debian OS and will use following commands to install certbot client. However if you have some other OS for your VM then please follow instructions at https://certbot.eff.org to install certbot.

    $ sudo apt-get install python-certbot-apache -t stretch-backports
    

  11. Install Certificates with Certbot for Apache
    1. Initiate Certificate Installation Program

      $ sudo certbot --authenticator webroot --installer apache
      
      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      Plugins selected: Authenticator webroot, Installer apache
      
    2. Provide valid Email Address

      Enter email address (used for urgent renewal and security notices)
      (Enter 'c' to cancel): techmonger@example.com
      
      
    3. Accept (A) Let's Encrypt Terms and Conditions

      Please read the Terms of Service at
      https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.
      You must agree in order to register with the ACME server at
      https://acme-v01.api.letsencrypt.org/directory
      (A)gree/(C)ancel: A
      
      
    4. Option to Share Email with EFF. Select (Y/N) depending on your preferences.

      Would you be willing to share your email address with the
      Electronic Frontier Foundation, a founding partner of the
      Let's Encrypt project and the non-profit organization that
      develops Certbot? We'd like to send you email about our work
      encrypting the web, EFF news, campaigns, and ways to
      support digital freedom.
      (Y)es/(N)o: Y
      
      
    5. Domain name to install certificate for. (example.com)

      No names were found in your configuration files.
      Please enter in your domain name(s) (comma and/or space separated)
      (Enter 'c' to cancel): example.com
      
      Obtaining a new certificate
      Performing the following challenges:
      http-01 challenge for example.com
      
    6. Web Server root where website content is stored and accessible.(/var/www/html)

      Input the webroot for example.com:
      (Enter 'c' to cancel): /var/www/html
      
      Waiting for verification...
      Cleaning up challenges
      Created an SSL vhost at
      /etc/apache2/sites-available/000-default-le-ssl.conf
      Enabled Apache socache_shmcb module
      Enabled Apache ssl module
      Deploying Certificate to VirtualHost
      /etc/apache2/sites-available/000-default-le-ssl.conf
      Enabling available site:
      /etc/apache2/sites-available/000-default-le-ssl.conf
      
    7. Option To configure HTTP to HTTPS redirect. Select 1 or 2 depending on whether or not you want to configure redirect.

      Please choose whether or not to redirect HTTP traffic to HTTPS,
      removing HTTP access.
      -----------------------------------------------------
      1: No redirect - Make no further changes to the webserver configuration.
      2: Redirect - Make all requests redirect to secure HTTPS access.
      Choose this for new sites, or if you're confident your site works on HTTPS
      You can undo this change by editing your web server's configuration.
      -----------------------------------------------------
      Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
      
      Enabled Apache rewrite module
      Redirecting vhost in
      /etc/apache2/sites-enabled/000-default.conf to ssl vhost in
      /etc/apache2/sites-available/000-default-le-ssl.conf
      -----------------------------------------------------
      
    8. Message for Successful Configuration

      Congratulations! You have successfully enabled https:/example.com
      
      You should test your configuration at:
      https://www.ssllabs.com/ssltest/analyze.html?d=example.com
      
    9. Details about certificate files

      IMPORTANT NOTES:
       - Congratulations! Your certificate and chain have been saved at:
         /etc/letsencrypt/live/example.com/fullchain.pem
         Your key file has been saved at:
         /etc/letsencrypt/live/example.com/privkey.pem
         Your cert will expire on 2018-09-10. To obtain a new or tweaked
         version of this certificate in the future, simply run certbot again
         with the "certonly" option. To non-interactively renew *all* of
         your certificates, run "certbot renew"
       - Your account credentials have been saved in your Certbot
         configuration directory at /etc/letsencrypt. You should make a
         secure backup of this folder now. This configuration directory will
         also contain certificates and private keys obtained by Certbot so
         making regular backups of this folder is ideal.
       - If you like Certbot, please consider supporting our work by:
      
         Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
         Donating to EFF:https://eff.org/donate-le
      

  12. Test HTTPS Connection
  13. Open website domain in web browser with HTTPS and ensure that website is working as expected. If redirect is configured then check HTTP to HTTPS redirect for webisite pages by opening pages with HTTP in browser.


  14. Auto Renewal of Certificates
  15. By default let's encrypt certificates would expire after 90 days of installation. It is important to have an automated way to renew certificate before expiry date. Certbot does this for you by creating a cron job. Learn more about how certbot auto renew certificates works.


Conclusion

We have installed free Lets encrypt SSL certificates for the static website hosted on google cloud vm. These certificates have been configured for Apache webserver using Certbot client. We have also setup auto renewal of certificates to avoid manual renewal and certificate expiry.

Tagged Under : Certbot Google Cloud Lets Encrypt Linux Open Source Web