In this step-by-step tutorial, we’ll walk you through how to secure your server with a free SSH certificate from Let’s Encrypt. We recommend that you follow along on your own server for practice. If you don’t have a server of your own, you can use DigitalOcean instead. The first thing we’ll do is check whether our server is already configured to use HTTPS and redirect HTTP traffic to HTTPS automatically (for example by adding an “HTTPS Redirect Line” to the VirtualHost file in Apache).
Add a free SSL certificate to your SSH server.
Having a free SSL certificate will make your website more secure and trustworthy. You can get one from Let’s Encrypt. You’ll need some program or tool to handle the Let’s Encrypt renewal process. Fortunately, we have many options to choose from. One of the most popular options is the easy-to-use program (Empathy) from the Apache Foundation. Another is the excellent utility (Certbot) from network security provider WoT Trust Labs. Let’s go through them both. (Apache)
Let’s Encrypt provides free certificates for all supported servers including Ubuntu, macOS, and Microsoft Windows.
Follow the guide to find out what needs to be updated on your server along with producing the certificate. (Certbot) Certbot enables you to generate trusted, EV certificate authority certificates, auto-renew certificates with the approximately five-day delivery window, and remove all certificates already issued to your name. You can now generate trust links for your web server’s domain. We’ll start by adding the certificate to the Let’s Encrypt authorities.
- Log into your web server’s management interface and go to the More Details tab.
- Click on the button marked “Add Certificates…” to view your certificates.
- To add a certificate, click “Add…” and fill out the information in the following fields:
- Once you’ve entered all the information, click “Authority Information” and uncheck “Use trusted certificates — Private key not required” and then click “Save.”
- Then return to the “Details” tab and click the button marked “Generate CLI command” to generate the Let’s Encrypt command.
- The command should look similar to the following: (Using Touch/Face ID to unlock your iPhone with your face) Next, go to Settings > Code Control > Security & Copy where you can (optionally) lock your phone with Face ID by (optionally) entering your phone’s Touch ID or Face ID passcode.
Use Let’s Encrypt to secure your SSH server for free!
I use Let’s Encrypt to secure my SSH server, which is hosted on DigitalOcean. You can use this guide to install Let’s Encrypt on your Linux server. Once you have installed Let’s Encrypt, you can use these commands to generate a certificate for your server. In a terminal window, run these commands. (At the prompt, substitute your domain name or IP address with the hostname of your choice.) Enter the following command, where is the name of your Let’s Encrypt certificate authority. Your certificate is now complete!
- You can use these commands to access your server securely while signed in. Consult your server’s IP address (usually it is 192.168.2.1) in the logs for the request sent to your server.
- This request will probably look something like this: Replace “127.0.0.1” with the hostname of your server. This is the URL that the browser will use to get to your server. Replace “https://” (with a forward slash) with the address of your SSL certificate.
- Save and close the file you just edited. You’ll want to log out and back in before you finish deploying the changes.
- In your web browser, go to the “Server Test Page” and see if your server is already properly secured.
- To check, you can use this tool, the output of which should include the green “Secure” status. To verify the change works, come back to your server and try visiting the address in your browser.
- Your HTTPS connection should be there: Your final SSH configuration is almost complete.
We now need to add behavior for the user who logs in to the server. We do this by creating the ~/.profile file, which will contain commands loaded at log-in.
- To do this, open the file editor by typing, and then entering the following: When you are done, save and exit. This will add the necessary lines to the top of your .profile file.
- We’ll now add the required lines to the bottom of our file as well. These are: Now, your.
Configure your VirtualHost file and test your configuration
You can configure your VirtualHost file to test your configuration, and it will help you to see if your configuration is working correctly.
- Go to C:\Program Files\Apache Software Foundation\Apache2.2\conf and open the httpd.conf file with Notepad.
- If you’ve used Windows 7, this will open in the Notepad application in the Task Manager. Otherwise, open Notepad on your computer’s main window.
- Copy and paste the text in the URL box into Notepad.
- Then press CTRL + C to copy the text, and then press CTRL + V to paste it into the new command-line window.
- When you’re done setting up your server with the certificate, it’s time to remove it.
- Open up your web browser, and type in the following to navigate to your Ngrok installation:
- After you’ve navigated to your installation, you can log in with the username and password you set up. (If you’re using Windows 10, you have to install VirtualBox as well.)
- The first time you log in, you’ll be asked to create “my domain” and “my Private Email.” We’ll ignore these for right now.
- Now, press the button to Create Domain, and in the dialog that opens, enter the domain name you want to give your server.
- If you’re logging in from another computer on your local network, you can copy and paste the domain into Whois, which can be found by running the following command:
- You should see your domain listed here under the contact page. Press the button to Create Private Email, and replace “nyc.example.com” with your actual Gmail address.
- (You may have to create a second account for this.) If everything worked correctly, you will now see the following screen: (If you actually set up your domain name as part of the tutorial, you can see that your domain is up and running at https://my-domain-1.example.com.)
- This URL is a pre-selected example, but the same thing will happen if you try to access it in Chrome.
Set up auto-renewal of your SSL certificate
You should set up an auto-renewal of your SSL certificate so that you don’t have to worry about it. If you use a company like Cloudflare or Amazon Web Services, they’ll renew it for you for free. If you use a hosting company, make sure you have auto-renewal set up. Make sure you have the SSH client installed and open a new terminal or command prompt.
Run the following command: You should see output that looks like the below. This is the certificate being used by your server to secure it. If your server looks anything different, you can get the details from the certificate’s Info page. At the bottom, it’s written that the server is being served from “NameVirtualHost 188.8.131.52:80”. You don’t have to copy and paste this exact route. Let’s make it more secure by adding a virtual host route to the VirtualHost config in Apache, as shown below.
The following command will add the new route to the VirtualHost file on your Apache server.
- Now let’s create an SSL cert and generate a key. Run the following command: You should see something similar to the below, with a Success response about the key’s creation.
- You’ll now have your certificate and key files on the server, ready to be used.
- Replace the IP address of your Apache server with 184.108.40.206. Before you can SSH into your server, you need to know your server’s IP address.
- The easiest way is to find out the IP address of your Raspberry Pi using this tool at WhatIsMyIP. To SSH into your Pi, simply type (or copy and paste) the IP address of your server into the terminal.
- For example, if your Raspberry Pi’s IP address is 192.168.2.6, you would type: Once you’ve entered the IP address of your server, you should get a connection prompt asking you for a password to use as the User ID.
- Type in the default administrator password (that’s what we used in Step 3).