Enable HTTPS Using Free ZeroSSL Certificates for Linux Admins

Launched in 2018, ZeroSSL emerged as an alternative SSL certificate provider focused on providing domain-validated (DV) certificates for free to individuals, developers, and small businesses.

As an automated certificate authority, ZeroSSL issues browser-trusted SSL certificates for HTTPS encryption within minutes through an easy-to-use API. This enables any website or application to enable HTTPS and SSL/TLS encryption for secure connections.

Some key features of ZeroSSL certificates include:

• Completely free SSL certificates with unlimited issuance and no account required.

• Automated validation and issuance processes for obtaining SSL certificates almost instantly.

• Trusted by all major browsers and devices for enabling HTTPS and encrypting connections.

• Supports wildcard certificates and allows securing multiple subdomains.

• 90-day certificate lifetime with automated renewal and reissuance processes.

• Friendly customer support by the CodeNotary team.

With its focus on ease-of-use and automated workflows, ZeroSSL aims to make HTTPS security accessible for everyone through free SSL certificates.

Why Use ZeroSSL?

ZeroSSL has emerged as a popular choice for open-source enthusiasts looking to enable HTTPS on their websites and web applications. There are several key reasons why admins and developers opt for ZeroSSL certificates over other SSL providers:

• Free SSL certificates - ZeroSSL provides free TLS/SSL certificates with unlimited validity and wildcards at no cost. This makes ZeroSSL one of the only providers offering completely free certificates ideal for personal projects, testing environments, intranets, and more.

• Automatic renewal - Once the certificate is installed, ZeroSSL handles renewing it automatically before expiration so you don't have to worry about any disruptions. The renewal process happens seamlessly in the background.

• Easy installation - Installing ZeroSSL certificates follows a simple and straightforward process across all major platforms like Apache, Nginx, HAProxy and more. The detailed documentation makes the installation easy even for beginners.

The combination of being free, automated, and easy to install makes ZeroSSL a top choice among the open-source and self-hosted communities. For developers and administrators managing multiple sites and applications, the convenience of ZeroSSL can be invaluable.

Prerequisites

Before installing a ZeroSSL certificate, you'll need to have a few things set up:

• Domain name: You'll need a registered domain name that points to your web server's IP address. This is the domain name that your SSL certificate will be issued for.

• Web server installed: ZeroSSL certificates can be installed on any web server software like Apache, Nginx, IIS, etc. So you'll need to have your web server already set up and running on your server. The web server should be accessible from the internet on port 80 and 443.

Generating a Certificate

To generate an SSL certificate with ZeroSSL, we'll use the certbot tool. Certbot is an automatic client that fetches and deploys SSL/TLS certificates for your web server.

First, install certbot on your Linux system if you don't already have it:

sudo apt install certbot

Once certbot is installed, you can generate your certificate by running:

sudo certbot certonly --manual

Certbot will prompt you to enter your domain name and validate domain control. You must add some DNS TXT records to prove you own the domain.

After providing your domain details, certbot will communicate with the ZeroSSL API to generate your certificate. The certificate files will be saved to /etc/letsencrypt/live/yourdomain/.

The key part is proving domain ownership to ZeroSSL via DNS validation. As long as you can add the necessary TXT records to your DNS zone, you can generate SSL certificates for any domains you own.

Installing the Certificate

Once you've generated your certificate using ZeroSSL, it's time to install it on your server. This will allow your site to be served over HTTPS using the SSL certificate you obtained.

To install the certificate, we'll use the Certbot tool. Certbot is a popular automatic certificate installation and renewal tool provided by Let's Encrypt. Here are the steps:

1. Run the certbot command, specifying the path to your certificate and key files:

sudo certbot certonly --cert-path /path/to/cert.pem --key-path /path/to/privkey.pem

2. Certbot will install the certificate in the correct location on your server. By default, Certbot places certificates in /etc/letsencrypt/live/your-domain/.

3. Once installed, your certificate and private key will be available in the following locations:

   • /etc/letsencrypt/live/your-domain/fullchain.pem - Certificate file
   • /etc/letsencrypt/live/your-domain/privkey.pem - Private key

4. Certbot also handles automatically configuring your web server (Apache, Nginx, etc) to use the new certificate.

That covers the key steps for installing your ZeroSSL certificate using the Certbot tool. The certificate will now be active and enable HTTPS for your website using the trust of Let's Encrypt.

Verifying the Installation

Once the certificate is installed, verifying everything works properly is important. Here are a couple ways to confirm your site is now being served over HTTPS with the new SSL certificate:

Checking HTTPS

Use the curl command to check that your website is returning content over HTTPS:

curl -I 

Look for a 200 OK response code and confirm the page is served over HTTPS.

Testing on Browser

Simply navigate to your website URL in a browser, making sure to use https://. The browser should show a lock icon and identify the domain as secure. You can click the lock to inspect the certificate details and confirm it matches the one you installed.

Try accessing some pages on the site to verify they are all loading securely over HTTPS without any certificate warnings or errors being shown.

Renewing the Certificate

Certificates issued by ZeroSSL are valid for 90 days, after which you'll need to renew them to maintain valid HTTPS encryption. There are a couple ways to renew your certificate:

Automatic Renewal

ZeroSSL supports auto-renewal of certificates through ACME clients like Certbot. If you used Certbot to generate and install your certificate initially, it can automatically renew it when it nears expiration.

Certbot runs twice daily in the background to check certificate expiration. If a certificate is within 30 days of expiring, Certbot will automatically renew it. This ensures your certificate stays valid and your site remains securely encrypted.

Manual Renewal

You can also manually renew your ZeroSSL certificate by regenerating and reinstalling it. The steps are the same as the initial installation:

1. Go to your ZeroSSL Dashboard and log in.
2. Under 'Certificates', click the 'Download' button next to the expiring certificate.
3. This will generate a new 90-day certificate with the same domains as before.
4. Install the new certificate on your web server, replacing the expiring certificate.
5. Restart the web server process so it uses the renewed certificate.

Manually renewing ensures you get a fresh 90-day certificate. However, automatic renewal through ACME clients like Certbot is usually more convenient.

Revoking the Certificate

There may come a time when you need to revoke your ZeroSSL certificate. The most common reasons to revoke a certificate are:

• Your private key has been compromised. If your private key is exposed, revoking the certificate immediately is important so an attacker can't use it.

• You're migrating to a new certificate. When migrating to a new certificate for the same domain, it's best practice to revoke the old certificate.

• Your domain ownership has changed. If you no longer control the domain tied to the certificate, you should revoke it.

• The certificate contains inaccurate information. If any information in the certificate becomes inaccurate, like the domain name or company details, it should be revoked.

Revoking a certificate is easy with ZeroSSL. Just log into your ZeroSSL account and go to the "Certificates" section. Find the certificate you want to revoke, click the actions menu, and select "Revoke Certificate."

ZeroSSL will immediately revoke the certificate and be added to certificate revocation lists (CRLs). This prevents the certificate from being trusted by browsers and other software.

When you revoke a certificate, it's important to replace it immediately to avoid downtime for your website or application. Be sure to generate and install a new certificate before revoking the old one.

Overall, revoking certificates when appropriate helps maintain the security of your website and prevents misuse. ZeroSSL makes it simple to both obtain and revoke free SSL certificates.

Troubleshooting Issues

If you encounter any errors during the ZeroSSL installation and configuration process, here are some common issues and debugging steps to try:

Browser not trusting the certificate

• Ensure the certificate files are in the correct location for your web server. For Nginx this is usually /etc/ssl/certs.
• Check that the certificate file permissions allow the webserver to read the files.
• Confirm that your server configuration properly specifies the certificate and key file paths.
• Try clearing your browser's SSL cache and restarting the browser.

Certificate not renewing automatically

• Check your cronjob configuration to renew the cert. Make sure the cron script can execute and has the proper permissions.
• If using auto-renewal with Certbot, verify it is installed and configured correctly.
• Manually run the renewal command as root/sudo to see if it works when executed directly.

Web server not listening on HTTPS

• Double-check that the web server configuration specifies a valid SSL certificate.
• Confirm that an HTTPS/SSL listening port is enabled and not being blocked by a firewall.
• Try restarting the web server and network services.

Getting certificate issuer errors

• Ensure you use the latest intermediate certificates from your CA (Certificate Authority).
• Regenerate the certificate if a no longer trusted CA issued it.
• Ensure the root CA certificate is distributed to clients for privately issued certificates.

Site visitors getting SSL warnings

• Verify the certificate is valid and signed by a trusted authority. Check the expiration date.
• Ensure you are not using self-signed certificates, which will cause SSL warnings.
• Confirm that you have the full certificate chain, not just the domain certificate.

Final Thoughts on Securing Your Website with the Free ZeroSSL SSL Certificate

Installing SSL certificates with ZeroSSL provides a quick and easy way for Linux administrators to enable encrypted HTTPS connections on their websites and applications. As outlined in this guide, ZeroSSL offers free certificates that are trusted by all major browsers, with automated validation and issuance through ACME.

Some key benefits to using ZeroSSL include:

• Free TLS/SSL certificates that are valid for 90 days, with unlimited renewals. This removes the cost barrier to enabling HTTPS.

• Automated certificate issuance through integration with the ACME protocol. After generating a certificate request, the rest of the process is automated.

• Trusted certificates that are recognized by all major browsers. The certificates use industry-standard 2048-bit RSA encryption.

• Fast issuance with certificates issued in under 10 minutes in most cases. This enables admins to quickly enable HTTPS.

• Easy renewal and revocation. Certificates can be easily renewed before expiration or revoked if needed.

• Feature-rich control panel for managing all certificates from one dashboard.

Overall, ZeroSSL provides an excellent free option for Linux administrators to implement HTTPS and SSL/TLS encryption. The automated process through ACME combined with trusted certificates removes the typical barriers to enabling HTTPS security across websites and applications.

Are you using ZeroSSL to secure your website? We'd love to hear how your experience has been! Connect with us on X @lnxsec, and let's discuss!