Let's Encrypt is a non-profit certificate authority (CA) that issues free SSL/TLS certificates. It lets you obtain and install an SSL/TLS certificate at no cost. Certificates issued by Let's Encrypt are valid for 90 days and can be renewed, also free of charge, at any time (Certbot does this automatically once a certificate is within 30 days of expiry).
In this tutorial we use Certbot to request and obtain a free SSL certificate from Let's Encrypt.
Certbot is a Let's Encrypt client that manages Let's Encrypt certificates for you. It is a full-featured ACME client that automates obtaining, installing and renewing certificates.
Let's go through the steps to secure our website with Let's Encrypt.
1 Prerequisites
A Let's Encrypt SSL/TLS certificate can only be issued for a server with a registered, publicly resolvable domain name. Make sure the domain's A record (and its AAAA record, if you have one) points to this server: Let's Encrypt validates that you control the domain before issuing, and with the Apache and Nginx plugins used below it does so through the HTTP-01 challenge, which means port 80 on the server must be reachable from the internet (check your firewall and any cloud security group) and the web server must already be configured to serve the domain.
2 Installing Certbot
In this section we walk through installing Certbot together with its plugin for the Apache or Nginx web server. The commands below use apt, i.e. Debian or Ubuntu; install the plugin that matches the web server actually serving the domain.
For the Apache web server:
sudo apt install certbot python3-certbot-apache
For the Nginx web server:
sudo apt install certbot python3-certbot-nginx
3 Obtaining the SSL certificate
For the Apache web server:
sudo certbot --apache
After starting the command, follow the prompts as shown below.
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: www.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
We selected 1 and 2 so that the www subdomain is included in the certificate as well.
Note: if you do not want to include the www subdomain, just enter 1 and press Enter. Each selected name is validated separately, so only names that resolve to this server can be included successfully.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):2
Redirecting vhost in /etc/apache2/sites-enabled/domain.com.conf to ssl vhost in /etc/apache2/sites-available/domain.com-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://domain.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2022-03-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
For the Nginx web server:
sudo certbot --nginx
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: www.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Requesting a certificate for domain.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/domain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/domain.com/privkey.pem
This certificate expires on 2022-07-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for domain.com to /etc/nginx/sites-enabled/domain.com.conf
Congratulations! You have successfully enabled HTTPS on https://domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
That's it, congratulations!
4 Testing the SSL certificate
After the installation you can verify that the certificate is installed simply by opening https://domain.com in a browser. You can also check it with an online SSL checker such as https://www.sslshopper.com/ssl-checker.html, or with the SSL Labs test that Certbot itself suggests. Whichever you use, confirm three things: the chain validates against a public trust store, the certificate covers every name you selected (domain.com and www.domain.com), and, if you chose the redirect option, plain http://domain.com redirects to https://.
5 Renewing the SSL certificate
Because Let's Encrypt certificates are only valid for 90 days, the distribution's Certbot package installs a systemd timer that runs the renewal check automatically. To confirm that the timer is active, run this command.
systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Sun 2021-12-05 13:33:10 EST; 45min ago
Trigger: Mon 2021-12-06 00:10:45 EST; 9h left
Triggers: ● certbot.service
Dec 05 13:33:10 domain.com systemd[1]: Started Run certbot twice daily.
The Certbot timer runs twice a day and renews any certificate that is within 30 days of expiry; the other runs do nothing. With the Apache and Nginx plugins used here, Certbot also reloads the web server after a renewal so that the new certificate is actually served.
There are cases where the timer fails to renew a certificate in time, for example because port 80 is no longer reachable for the HTTP-01 challenge or the virtual host configuration changed, and the certificate expires. In that case, check /var/log/letsencrypt/letsencrypt.log for the reason and renew manually by running this command.
sudo certbot renew
You can also do a dry run of the renewal to test that it works as expected. A dry run talks to the Let's Encrypt staging environment, so it does not count against the production rate limits and does not replace the installed certificate. To do so, run this command.
sudo certbot renew --dry-run
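Sections 4 and 5 describe checks that are normally done by hand or through a third-party website. The script below, an added example that is not part of the tutorial and not Certbot's own code, does the equivalent locally with Python's standard library: it connects to the site using the system trust store (so a broken chain or a name mismatch fails the handshake), then reports whether every expected name is in the certificate's SAN list and how many days remain, warning when the remaining time drops below a threshold that can only mean the certbot.timer renewal has been failing. The hostnames domain.com and www.domain.com and the 20-day threshold are assumptions; the wildcard branch in `covers` is there for completeness (Let's Encrypt issues wildcards only through the DNS-01 challenge, which this tutorial does not cover).

```python
"""Post-install HTTPS check for a Let's Encrypt site.

Added example; not from the tutorial and not part of Certbot. It performs
locally what an online SSL checker does: verifies the chain and hostname via
the system trust store, lists the names the certificate covers, and flags a
certificate whose remaining lifetime shows that automatic renewal has failed.
"""
import datetime as dt
import socket
import ssl

# Certbot renews once 30 days or fewer remain. Seeing fewer than this many
# days means several renewal attempts have already failed (assumed threshold).
WARN_DAYS = 20


def san_names(cert):
    """DNS names from the subjectAltName extension of a getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covers(cert, name):
    """True if `name` matches a SAN entry exactly or via a single-label wildcard."""
    name = name.lower()
    for san in san_names(cert):
        san = san.lower()
        if san == name:
            return True
        # "*.example.com" matches "www.example.com" but not "example.com"
        # or "a.b.example.com" (one label only, per RFC 6125).
        if san.startswith("*.") and name.endswith(san[1:]) and name.count(".") == san.count("."):
            return True
    return False


def days_remaining(cert, now=None):
    """Whole days until notAfter; ssl.cert_time_to_seconds parses the GMT format."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or dt.datetime.now(dt.timezone.utc)).timestamp()
    return int((expires - now_ts) // 86400)


def evaluate(cert, names, now=None, warn_days=WARN_DAYS):
    """Pure check over a getpeercert()-style dict; returns a list of problems."""
    problems = []
    for name in names:
        if not covers(cert, name):
            problems.append(f"{name} is not in the certificate SAN list {san_names(cert)}")
    left = days_remaining(cert, now)
    if left < 0:
        problems.append(f"certificate expired {-left} days ago")
    elif left < warn_days:
        problems.append(f"only {left} days left; automatic renewal is probably failing")
    return problems


def fetch_cert(host, port=443, timeout=10):
    """TLS handshake with chain and hostname verification; raises ssl.SSLError on failure."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    # Assumed names, taken from the tutorial's interactive session.
    names = sys.argv[1:] or ["domain.com", "www.domain.com"]
    cert = fetch_cert(names[0])
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    print("issuer:", issuer.get("organizationName"))
    print("expires:", cert["notAfter"], f"({days_remaining(cert)} days left)")
    print("covers:", ", ".join(san_names(cert)))
    issues = evaluate(cert, names)
    for problem in issues:
        print("PROBLEM:", problem)
    sys.exit(1 if issues else 0)
```

Run it as `python3 check_https.py domain.com www.domain.com` from a cron job or a monitoring host; a non-zero exit means either the handshake failed (the exception from `fetch_cert`) or one of the listed problems was found. `evaluate` works on any dict in the shape `getpeercert()` returns, so it can be exercised offline with a constructed certificate dictionary, for example one whose notAfter matches the 2022-03-05 expiry shown in the Apache output above.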
6 Conclusion
We have shown how to secure a site with a Let's Encrypt SSL certificate. In this tutorial you also learned how to use Certbot to obtain and renew free Let's Encrypt SSL certificates.
If you want to learn more about securing your server, you can check out the fail2ban tutorial.