Tech Monger

Programming, Web Development and Computer Science.

Skip to main content| Skip to information by topic

Let's Encrypt Static Website on Google Cloud

In this tutorial we will make use of free ssl certificate provided by Lets Encrypt to make website secure by enabling HTTPS. We will install certificate provided by lets encrypt using EFF's certbot client.

Steps to Install Let's Encrypt's Free SSL Certificates

  1. Prerequisite
  2. Enable HTTPS for Google Cloud VM
  3. SSH Google Cloud VM
  4. Backup Apache Configuration Files
  5. Install Certbot Client
  6. Install Certificates with Certbot for Apache
  7. Test HTTPS Connection
  8. Auto Renewal of Certificates

  1. Prerequisites

    2. Before proceeding with this tutorial we assume that you have successfully setup website on google cloud and website is accessible via domain. We also assume that you can ssh your cloud vm either from web browser using google cloud console or by configuring public key based ssh connection from local machine.

  2. Enable HTTPS for Google Cloud VM

    3. Open Google Compute Engine Instance and Select Edit to enable HTTPS traffic.

    Activate HTTPS - Compute Engine Instance
    Enable HTTPS - Firewall Rule

    This will create firewall rule to open port 443 on compute instance and facilitate serving of HTTPS request after certificate installation.

  3. SSH Google Cloud VM

    4. SSH to cloud vm from from your local machine.

    techmonger@ubuntu:~$ ssh 93.184.216.34

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

techmonger@google-vm:~$

  4. Backup Apache Configuration Files

    5. Before proceeding with certificate installation, it is important to have backup of existing Webserver configuration files. Certificate installation program will modify configuration file during certificate installation. Backing up existing configuration file will give us opportunity to restore old configuration back if anything is not working as expected after certificate installation. 

    $ mkdir /tmp/apache_config_backup/
$ cp -r /etc/apache2/* /tmp/apache_config_backup/

  5. Install Certbot Client

    6. We have created VM instance with Debian OS and will use following commands to install certbot client. However if you have some other OS for your VM then please follow instructions at https://certbot.eff.org to install certbot. 

    $ sudo apt-get install python-certbot-apache -t stretch-backports

  6. Install Certificates with Certbot for Apache

    1. Initiate Certificate Installation Program

      $ sudo certbot --authenticator webroot --installer apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache

    2. Provide valid Email Address

      Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): techmonger@example.com

    3. Accept (A) Let's Encrypt Terms and Conditions

      Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.
You must agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
(A)gree/(C)ancel: A

    4. Option to Share Email with EFF. Select (Y/N) depending on your preferences.

      Would you be willing to share your email address with the
Electronic Frontier Foundation, a founding partner of the
Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to
support digital freedom.
(Y)es/(N)o: Y

    5. Domain name to install certificate for. (example.com)

      No names were found in your configuration files.
Please enter in your domain name(s) (comma and/or space separated)
(Enter 'c' to cancel): example.com

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com

    6. Web Server root where website content is stored and accessible.(/var/www/html)

      Input the webroot for example.com:
(Enter 'c' to cancel): /var/www/html

Waiting for verification...
Cleaning up challenges
Created an SSL vhost at
/etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost
/etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site:
/etc/apache2/sites-available/000-default-le-ssl.conf

    7. Option To configure HTTP to HTTPS redirect. Select 1 or 2 depending on whether or not you want to configure redirect.

      Please choose whether or not to redirect HTTP traffic to HTTPS,
removing HTTP access.
-----------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access.
Choose this for new sites, or if you're confident your site works on HTTPS
You can undo this change by editing your web server's configuration.
-----------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Enabled Apache rewrite module
Redirecting vhost in
/etc/apache2/sites-enabled/000-default.conf to ssl vhost in
/etc/apache2/sites-available/000-default-le-ssl.conf
-----------------------------------------------------

    8. Message for Successful Configuration

      Congratulations! You have successfully enabled https:/example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com

    9. Details about certificate files

      IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-09-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:https://eff.org/donate-le

  7. Test HTTPS Connection

    8. Open website domain in web browser with HTTPS and ensure that website is working as expected. If redirect is configured then check HTTP to HTTPS redirect for webisite pages by opening pages with HTTP in browser.

  8. Auto Renewal of Certificates

    9. By default let's encrypt certificates would expire after 90 days of installation. It is important to have an automated way to renew certificate before expiry date. Certbot does this for you by creating a cron job. Learn more about how certbot auto renew certificates works.

Conclusion

We have installed free Lets encrypt SSL certificates for the static website hosted on google cloud vm. These certificates have been configured for Apache webserver using Certbot client. We have also setup auto renewal of certificates to avoid manual renewal and certificate expiry.

Tagged Under : Certbot Google Cloud Lets Encrypt Linux Open Source Web

Previous Next