Before I get started, you should know that my working environment is based on a video I did last year called How to install Magento 2.3. A link to that video is also available in the Video Description. To summarise, I’m running Magento 2.3 with Apache on Ubuntu 16.04. Therefore, this tutorial is not compatible with Nginx or CentOS.
1. Installing Certbot (Let’s Encrypt)
Everything I’m about to do revolves around an application called “Certbot”, which helps install, setup and maintain the Let’s Encrypt SSL Certificates.
Right now I’m logged into my server as the superuser - Which happens to be called “craig”.
So, the first thing I need to do is add the Certbot Repository so that Ubuntu can find the application when I run the install command. This is done by entering the following command (Don’t forget you can copy these commands directly from the article):
sudo add-apt-repository ppa:certbot/certbot
Once I hit Enter, I’ll be prompted for my password… And then I’ll be prompted to hit Enter again.
Now I just need to refresh the Ubuntu Repository Library by running:
sudo apt-get update
With those 2 steps out of the way, I’m finally able to install Certbot by running:
sudo apt-get install python-certbot-apache -y
2. Setting up Certbot (Let’s Encrypt)
Now it’s time to set up Certbot, which is actually really simple on Ubuntu 16.04.
It’s probably an obvious thing to say, but at this stage you should already have a domain name set up for your Magento 2 installation - Which I do and is aptly named “digitalstartuptutorials.co.uk”.
So, armed with this domain name I’m ready to run through the Certbot Installation Wizard which is triggered by entering:
sudo certbot --apache -d digitalstartuptutorials.co.uk
- sudo: Run the command as a superuser
- certbot: Run the Certbot application
- --apache: Configure for Apache
- -d: Specifies the domain name to use
- digitalstartuptutorials.co.uk: The domain name I’m specifying
I will note that if you require SSL Certificates for multiple domain names on the same server, this is where you would do that. But this falls outside the scope of this video tutorial.
Now, once I hit Enter I’ll be prompted for:
- An email address
- A check if I agree with the Let’s Encrypt Terms of Service
- A request to join the Let’s Encrypt Newsletter
A few moments later, I’ll be asked whether I want Apache to be configured to automatically reroute all HTTP traffic to HTTPS. In a normal situation Option 2 would be my recommendation. However, I prefer Magento 2 to handle this - Otherwise you could end up with a redirect loop.
So, I’m going to press “1” and Enter, which then presents me with a “Congratulations” message.
Before moving onto the Magento setup, I’m going to run the following command:
sudo certbot renew --dry-run
This simply runs a test renewal to ensure that Certbot’s automatic renewal is working correctly - Which should result in another “Congratulations” message. If it isn’t working, the certificate will not be renewed and will expire after 90 days.
Check out the article for recommended reading on Let’s Encrypt if you’re interested in learning more or run into any issues:
- How Let’s Encrypt Works
- Getting Started with Let’s Encrypt
- Let’s Encrypt Documentation
- Let’s Encrypt Help and Support
3. Setting up Magento
At this point, I’m done with the Command Line Interface. So, I’m going to log in to Magento.
Then I’ll navigate to Stores > Configuration > Web.
The first thing I want to verify is that the Secure Base URL contains the HTTPS prefix, because this is the URL that will be used once I enable Secure URLs. In my setup it is correct.
Underneath that there are 2 more options that I want to change from “No” to “Yes”. They are:
- Use Secure URLs on Storefront
- Use Secure URLs in Admin
After setting Use Secure URLs in Admin to “Yes”, 2 more options will be displayed called:
- Enable HTTP Strict Transport Security (HSTS)
- Upgrade Insecure Requests
Which I will also set to “Yes”.
Before I hit the “Save Config” button, note that the upper-left of my browser says that this site is “Not Secure”. That’s because the page is running in HTTP and not HTTPS. Now once I save my configuration and the page reloads, not only will the page load in HTTPS but you’ll notice that this notification has been replaced by a Green Padlock, confirming that a valid SSL Certificate is installed.
So, I’ll quickly Clear the Cache and ensure that the Frontend loads as expected… Which it does.
- If you see “(likely firewall problem)” during the Certbot setup, you will need to temporarily allow all HTTP (Port 80) traffic through your firewall so that Let’s Encrypt can reach the server to validate the domain
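As an added example (not part of the original article or of Magento/Certbot), here is a small audit script for the two things this section cares about: that HTTP ends up on HTTPS without the redirect loop mentioned earlier, and that the final response carries the HSTS header enabled in the admin. The responses are constructed inline to stand in for a live site; the one-year max-age threshold is an assumed policy choice.

```python
"""Audit an HTTPS rollout: follow redirects, detect loops, check HSTS."""
from urllib.parse import urljoin, urlparse

# Constructed sample responses (not captured from a real server): URL -> (status, headers).
SAMPLE_SITE = {
    "http://digitalstartuptutorials.co.uk/": (301, {"Location": "https://digitalstartuptutorials.co.uk/"}),
    "https://digitalstartuptutorials.co.uk/": (200, {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Type": "text/html"}),
}
# Constructed loop: Apache forces HTTPS while the application bounces back to HTTP.
LOOP_SITE = {
    "http://example.test/": (301, {"Location": "https://example.test/"}),
    "https://example.test/": (302, {"Location": "http://example.test/"}),
}
MIN_MAX_AGE = 31536000  # one year; assumed policy threshold, also the hstspreload.org minimum

def follow_redirects(site, start, max_hops=10):
    """Return (final_url, chain, looped) by following Location headers within `site`."""
    chain, url = [start], start
    while url in site and site[url][0] in (301, 302, 303, 307, 308):
        nxt = urljoin(url, site[url][1]["Location"])
        if nxt in chain or len(chain) >= max_hops:  # revisit or runaway chain = loop
            return nxt, chain + [nxt], True
        chain.append(nxt)
        url = nxt
    return url, chain, False

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-True}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            out[k.strip().lower()] = v.strip() or True
    return out

def audit(site, start):
    """Return a list of findings for the store's redirect and HSTS behaviour (empty = OK)."""
    findings = []
    final, chain, looped = follow_redirects(site, start)
    if looped:
        return ["redirect loop: " + " -> ".join(chain)]
    if urlparse(final).scheme != "https":
        findings.append("final URL is not https: " + final)
    hsts = site.get(final, (0, {}))[1].get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no HSTS header on final response")
    elif int(parse_hsts(hsts).get("max-age", 0)) < MIN_MAX_AGE:
        findings.append("HSTS max-age below one year")
    return findings
```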
Appendix: About SSL Certificates
There are several types of SSL Certificates:
- Domain Validated (DV): the most common type of SSL certificate. They are verified using only the domain name. Typically, the CA exchanges a confirmation email with an address listed in the domain’s WHOIS record. Alternatively, the CA provides a verification file which the owner places on the website to be protected. Either method confirms that the domain is controlled by the party requesting the certificate.
- Organisation Validated (OV): require more validation than DV certificates, but provide more trust. For this type, the CA will verify the actual business that is attempting to get the certificate (the information required for OV certificates). The organisation’s name is also listed in the certificate, giving added trust that both the website and the company are reputable. OVs are usually used by corporations, governments and other entities that want to provide an extra layer of confidence to their visitors.
- Extended Validation (EV): certificates provide the maximum amount of trust to visitors, and also require the most effort by the CA to validate. Per guidelines set by the CA/Browser Forum, extra documentation must be provided to issue an EV certificate (as described in EV SSL Requirements). As in the OV, the EV lists the company name in the certificate itself. However, a fully validated EV certificate will also show the name of the company or organisation in the address bar itself, and the address bar is displayed in green. This is an immediate, visual way that viewers can know that extra steps were taken to confirm the site they’re visiting – which is why most large companies and organisations choose EV certificates.
My thoughts on Let’s Encrypt
From what I’ve read, Let’s Encrypt only covers Domain Validated Certificates. So, if you’re only after a certificate of this type then it actually makes sense to use Let’s Encrypt. To back this up, I found a page on the Comodo website that offered a comparison of the 2 services - And the only thing you get with Comodo is 24/7 support, site seal and a $10,000 (starting at) warranty.
Obviously, there is more research to be done here - But I already see a strong argument for using Let’s Encrypt if you’re only after a Domain Validated Certificate and do not require:
- 24/7 Technical Support
- Site Seal
- Warranty (in case of data breach)
This makes a lot of sense for a non-transactional website. But for me personally, I would rather pay a few quid every year for warranty protection when you consider the types of data submitted on an eCommerce site.