How to Set Up an HTTPS Image Server
Adam C. |

Serving your website over HTTPS has become the standard. Instead of paying $65 or more a year for a certificate from GoDaddy, you can get a free TLS certificate from Let's Encrypt, which describes itself as:

A nonprofit Certificate Authority providing TLS certificates to 225 million websites.

Confused about SSL/TLS vs HTTPS? There are good articles explaining the difference; in short:

  1. SSL stands for 'Secure Sockets Layer'. Every SSL version is deprecated and should be disabled on a server.
  2. TLS stands for 'Transport Layer Security', the current protocol, maintained by the IETF, for encrypting connections on the web (TLS 1.2 and 1.3 are the versions in use today).
  3. HTTPS is HTTP carried over a TLS connection. What providers still call an "SSL certificate" is the TLS certificate you install in this tutorial.

In this tutorial we will set up an HTTPS image server (https://images.deniapps.com) by obtaining a free Let's Encrypt TLS certificate on Ubuntu 16.04/18.04/20.04 and installing it in Apache.

1. SSH to your server

ssh root@1.2.3.4   # or, better, a non-root user with sudo privileges; the commands below use sudo

2. Add Certbot PPA

On older Ubuntu releases the Certbot packages live in a PPA. Add it with the following commands on the server:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot   # skip on Ubuntu 20.04
sudo apt-get update

* On Ubuntu 20.04 certbot is already in the universe repository, so the ppa:certbot/certbot line is not needed. The Certbot project has since stopped updating that PPA, and certbot.eff.org now recommends the snap package; an outdated certbot eventually stops working against the ACME service, so check which version you are getting.

3. Install Certbot

Run this command on the command line on the machine to install Certbot.

sudo apt-get install certbot python3-certbot-apache

4. Update DNS

Go to your DNS provider (GoDaddy in my case) and add an A record that points the name "images" (i.e. images.deniapps.com) at the server's public IP. Before requesting the certificate, confirm that the name already resolves to that IP from the outside (for example with dig or host) and that port 80 is reachable through any firewall: the HTTP-01 challenge used in the next step requires Let's Encrypt to fetch a file from the server over plain HTTP.

5. Run Certbot to Get a Certificate

sudo certbot certonly --apache -d images.deniapps.com

certonly obtains the certificate without touching the Apache configuration (we write the vhost ourselves in Step 7); --apache selects the Apache plugin to answer the HTTP-01 challenge, so Apache must be running and reachable from the internet on port 80. Certbot prints where the certificate was saved; by default that is:

/etc/letsencrypt/live/YOUR-DOMAIN-NAME/

The two files Apache needs from that directory are fullchain.pem (the certificate plus the intermediate chain) and privkey.pem (the private key, readable by root only; keep it that way).

6. Renewal

Let's Encrypt certificates are valid for only 90 days, so they must be renewed before they expire. Certbot renews every certificate that is within 30 days of expiry, and leaves the rest alone, when you run:

sudo certbot renew

The --dry-run flag tests the renewal against the staging environment without issuing anything, which is the safest way to find out whether renewal will work.

The Ubuntu certbot package already installs a systemd timer (certbot.timer) and /etc/cron.d/certbot that run certbot renew twice a day, so usually nothing more is needed; check with systemctl list-timers. If you keep your own cron entry instead, run it at least daily rather than once a month, so a failed attempt is retried well before expiry, and keep the comment on its own line: cron has no trailing comments, so text after the command is passed to certbot as arguments:

# twice a day at 6:43 and 18:43; -q reports only errors, which is all you want mailed from cron
43 6,18 * * * certbot renew -q

Because Step 5 uses certonly, the renewed certificate is written after the last Apache reload Certbot performs for the challenge, so Apache keeps serving the old certificate until it is reloaded again. Have Certbot do that after every successful renewal by adding deploy-hook = systemctl reload apache2 to /etc/letsencrypt/cli.ini (the Nginx note at the end uses the same mechanism).

7. Set Up Virtual Host

Make a web folder for the images site, for example /var/www/images. Then create an Apache configuration file under /etc/apache2/sites-available, for example images.deniapps.com.conf, with the following contents:

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerAdmin webmaster@localhost
  ServerName images.deniapps.com
  ServerAlias www.images.deniapps.com
  DocumentRoot /var/www/images
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/images.deniapps.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/images.deniapps.com/privkey.pem
</VirtualHost>
</IfModule>

Two things to watch here. The ServerAlias only makes sense if the certificate also covers www.images.deniapps.com (add it with a second -d in Step 5); otherwise visitors using that name get a certificate mismatch, so drop the line if you did not request it. And the <IfModule mod_ssl.c> wrapper silently discards the whole vhost when mod_ssl is not enabled, with configtest still reporting Syntax OK, so make sure the module is on (sudo a2enmod ssl). The included options-ssl-apache.conf turns on SSLEngine and sets Certbot's recommended protocol and cipher settings, and fullchain.pem rather than cert.pem is what sends clients the intermediate certificate they need to build the chain.

Then enable the site (a2ensite creates the symlink in /etc/apache2/sites-enabled):

sudo a2ensite images.deniapps.com

Then check the configuration:

sudo apachectl configtest

When you see Syntax OK, reload Apache to make it live:

sudo systemctl reload apache2

You are all set. Check it out at https://images.deniapps.com, and look at the certificate details in the browser (or with curl -vI) to confirm that the chain is the Let's Encrypt one and that the name matches.
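Putting Steps 5 to 7 together as a script, as an added example that is not code from the original post: it checks the files the vhost will reference (both present, private key not world-readable) before writing the configuration, and takes the Let's Encrypt and sites-available directories as parameters so it can be tried on a scratch tree. The per-domain log names, the omission of the www ServerAlias and the script name in the usage line are my choices and assumptions, not the post's.

```sh
#!/bin/sh
# Added example (not code from the original post): build the Step 7 vhost only
# after checking the Let's Encrypt files it points at.  Default locations are
# the Ubuntu ones (/etc/letsencrypt, /etc/apache2/sites-available); both can be
# overridden, which is how this script can be exercised against a scratch tree.
set -u

# check_cert_files LE_DIR DOMAIN
# Returns 0 if LE_DIR/live/DOMAIN/fullchain.pem and privkey.pem exist and the
# key is not readable by "other"; otherwise explains on stderr and returns 1.
check_cert_files() {
  live="$1/live/$2"
  for f in fullchain.pem privkey.pem; do
    if [ ! -e "$live/$f" ]; then
      echo "missing $live/$f: run 'certbot certonly --apache -d $2' first" >&2
      return 1
    fi
  done
  # -L follows the live/ symlink into archive/; -perm -004 matches when the
  # "other" read bit is set on the real key file (certbot creates it 0600).
  if [ -n "$(find -L "$live/privkey.pem" -perm -004)" ]; then
    echo "$live/privkey.pem is world-readable; expected mode 0600" >&2
    return 1
  fi
  return 0
}

# write_vhost DOMAIN DOCROOT LE_DIR OUTFILE
# Writes the TLS vhost.  No ServerAlias: the certificate from Step 5 covers
# DOMAIN only, so any alias would produce a certificate mismatch.
write_vhost() {
  cat > "$4" <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerAdmin webmaster@localhost
  ServerName $1
  DocumentRoot $2
  ErrorLog \${APACHE_LOG_DIR}/$1-error.log
  CustomLog \${APACHE_LOG_DIR}/$1-access.log combined
  # options-ssl-apache.conf turns on SSLEngine and sets certbot's TLS defaults
  Include $3/options-ssl-apache.conf
  SSLCertificateFile $3/live/$1/fullchain.pem
  SSLCertificateKeyFile $3/live/$1/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# make_ssl_vhost DOMAIN DOCROOT [LE_DIR] [SITES_DIR]
# Pre-flight checks, then DOCROOT and SITES_DIR/DOMAIN.conf are created.
make_ssl_vhost() {
  domain=$1; docroot=$2
  le_dir=${3:-/etc/letsencrypt}; sites_dir=${4:-/etc/apache2/sites-available}
  check_cert_files "$le_dir" "$domain" || return 1
  if [ ! -f "$le_dir/options-ssl-apache.conf" ]; then
    echo "missing $le_dir/options-ssl-apache.conf (written there by the certbot Apache plugin)" >&2
    return 1
  fi
  mkdir -p "$docroot"
  write_vhost "$domain" "$docroot" "$le_dir" "$sites_dir/$domain.conf"
  echo "wrote $sites_dir/$domain.conf"
  echo "next: sudo a2enmod ssl && sudo a2ensite $domain && sudo apachectl configtest && sudo systemctl reload apache2"
}

# Command-line use (script name is an assumption):
#   sudo ./make-ssl-vhost.sh images.deniapps.com /var/www/images
if [ "$#" -ge 2 ]; then
  make_ssl_vhost "$@"
fi
```

The permission check matters because the live/ entries are symlinks into archive/: a check on the link itself would always see mode 777, so the script follows the link and inspects the real key file. On the real server run it as root, since /etc/letsencrypt/live is readable by root only.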

Final notes

  • You can have multiple subdomains share one certificate by adding more -d options in Step 5; the first name becomes the certificate's directory name under /etc/letsencrypt/live/:
sudo certbot certonly --apache -d images.deniapps.com -d files.deniapps.com
  • Let's Encrypt supports wildcard certificates, but they can only be issued through the DNS-01 challenge. Before choosing this, make sure your DNS provider has an API for updating TXT records that a Certbot DNS plugin supports, so the process can be automated. Otherwise you will have to set the _acme-challenge.<domain> TXT record by hand every 90 days, which is super annoying. Since you can run Certbot at any time to get a certificate for the next subdomain, I would not bother.
  • Installing a Let's Encrypt certificate on Nginx is similar, but Nginx must be reloaded after each renewal to pick up the new certificate. To have Certbot do that, add this line to /etc/letsencrypt/cli.ini:
deploy-hook = systemctl reload nginx

Reference: https://certbot.eff.org/

Updates

Dec 28, 2023

Migrating certificates from one server to another is fiddly because of the symbolic links in the live folder, which point at the newest files in the archive folder (live/<name>/privkey.pem -> ../../archive/<name>/privkeyN.pem). Copy the whole /etc/letsencrypt tree (live, archive and renewal) with a tool that preserves symbolic links, such as rsync -a or tar; scp -r follows the links and leaves plain files in live/, after which renewal on the new server no longer rotates them. The renewal/<name>.conf file records where the lineage lives, so copying live/ alone is not enough.

If the configuration does get disrupted, regenerate the certificate like this:

  1. Disable the site configuration, so Apache can reload without the missing certificate files (the --apache authenticator needs to reload it): sudo a2dissite SITE
  2. Request a fresh certificate: sudo certbot certonly --apache -d YOUR_DOMAIN
  3. Enable the site configuration: sudo a2ensite SITE
  4. Reload Apache to apply the changes: sudo systemctl reload apache2
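Before relying on certbot renew on the new server, it is worth checking that the copied tree still has the layout Certbot expects. The following script is an added example, not code from the original post; the layout it checks (live/, archive/ and renewal/ under /etc/letsencrypt) is Certbot's, while the copy helper and the paths in the usage comments are assumptions.

```sh
#!/bin/sh
# Added example (not code from the original post): sanity-check a copied
# /etc/letsencrypt tree before trusting "certbot renew" on the new server.
# Certbot stores the real files as archive/<name>/<file>N.pem, points
# live/<name>/<file>.pem at them with relative symlinks, and records the
# lineage in renewal/<name>.conf.  A copy made with a tool that dereferences
# symlinks (scp -r does) leaves plain files in live/ that certbot will not
# rotate.  Directories are parameters so the checks can run on a scratch tree.
set -u

# check_le_links LE_DIR NAME -> 0 if the lineage layout is intact, else 1
check_le_links() {
  le_dir=$1; name=$2; status=0
  if [ ! -f "$le_dir/renewal/$name.conf" ]; then
    echo "missing $le_dir/renewal/$name.conf: certbot renew will not know about $name" >&2
    status=1
  fi
  for f in cert.pem chain.pem fullchain.pem privkey.pem; do
    link="$le_dir/live/$name/$f"
    if [ ! -h "$link" ]; then
      echo "$link is not a symlink (copied with a tool that dereferenced links?)" >&2
      status=1
      continue
    fi
    target=$(readlink "$link")
    case $target in
      /*) resolved=$target ;;                       # absolute link
      *)  resolved="$le_dir/live/$name/$target" ;;  # relative to the link's directory
    esac
    if [ ! -f "$resolved" ]; then
      echo "$link -> $target is dangling" >&2
      status=1
    fi
    case $target in
      *"/archive/$name/"*) ;;
      *) echo "$link -> $target does not point into archive/$name" >&2; status=1 ;;
    esac
  done
  return $status
}

# copy_letsencrypt SRC_ETC DEST_ETC
# Copies SRC_ETC/letsencrypt into DEST_ETC preserving symlinks and modes.
# To reach another host, replace the second tar with: ssh newhost 'tar -C /etc -xpf -'
copy_letsencrypt() {
  tar -C "$1" -cf - letsencrypt | tar -C "$2" -xpf -
}

# Command-line use on the new server, e.g.:
#   sudo ./check-le-links.sh /etc/letsencrypt images.deniapps.com
if [ "$#" -eq 2 ]; then
  check_le_links "$1" "$2"
fi
```

If the check fails after a migration, the quickest repair is the four-step regeneration above rather than hand-editing symlinks: the renewal config also stores absolute paths, so a tree restored under a different prefix would need editing there too.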