How to Set Up HTTPS for your Google Domains with Google Cloud CLI

By: Aiden White

This website supports HTTPS connections. I wanted to make sure that any user logins or form submissions I implement in the future would be encrypted when communicating with the server. In order to achieve this, I needed to get a certificate authority (CA) to issue me a TLS (Transport Layer Security) certificate for the aidenwhite.com domain. Since I was already using Google Domains, I decided to use the free service Public CA from Google Trust Services (GTS). Public CA can be used via any Automatic Certificate Management Environment (ACME) client, and I recommend the free, open-source tool called Certbot. Here's how I managed to set up TLS certificates at no additional cost using Google Domains, Google Cloud CLI, and Certbot:

1) Install Certbot on the server

In my case, I am using a Virtual Private Server (VPS) from DigitalOcean running Ubuntu 22.04. After SSH'ing onto the server, I install Certbot with apt install.

apt install certbot

2) Install and Start Google Cloud CLI

In my case I curl'd and extracted the download, then ran the install script and the init command.

curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-441.0.0-linux-x86_64.tar.gz
tar -xf google-cloud-cli-441.0.0-linux-x86_64.tar.gz 
./google-cloud-sdk/install.sh
./google-cloud-sdk/bin/gcloud init

3) Get EAB key from Google Domains

Log into Google Domains in a browser, select the domain you want to configure, and go to Security. Scroll down to SSL/TLS Certificates and underneath Google Trust Services click "Get EAB key". Keep track of the EAB and HMAC keys that are generated, and treat the HMAC key as a secret, since it is what ties the ACME account to your Google Domains account. We will use these to connect to our Google Domains account while using Certbot.

4) Register ACME account

Run the following command on the server with Certbot installed. For SERVER, use "https://dv.acme-v02.api.pki.goog/directory" in production and "https://dv.acme-v02.test-api.pki.goog/directory" in staging; see the Google documentation for more information.

certbot register \
    --email "EMAIL_ADDRESS" \
    --no-eff-email \
    --server "SERVER" \
    --eab-kid "EAB_KID" \
    --eab-hmac-key "EAB_HMAC_KEY"

5) Request Certificates

Run the following command on the server. For SERVER, see above. For DOMAINS, enter a comma-separated list of domains for which you are requesting certificates, e.g. "aidenwhite.com, www.aidenwhite.com".

certbot certonly \
    --manual \
    --preferred-challenges "dns-01" \
    --server "SERVER" \
    --domains "DOMAINS"

7) Add DNS Record

Now Certbot will prompt you to publish a specific TXT record at a given hostname. Go to the DNS page in Google Domains, paste the record, and save it. Then go back to the terminal running Certbot on the server and press Enter to make Certbot validate the DNS record.
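
A check to run from a second terminal before pressing Enter, added here as an example and not part of the original post: it polls a resolver until the exact TXT value Certbot asked for is visible at the hostname Certbot printed. The function names, the 8.8.8.8 default resolver and the TXT_WAIT_SECS variable are assumptions of this example, and it requires dig to be installed.

```shell
#!/bin/sh
# Added example, not from the original post.

# lookup_txt NAME RESOLVER: print the TXT values for NAME as seen by RESOLVER.
lookup_txt() {
    dig +short TXT "$1" "@$2"
}

# txt_has_value EXPECTED DIG_OUTPUT
# `dig +short TXT` prints one double-quoted value per line. Match a whole line
# exactly, so a leftover value from an earlier attempt or a value pasted with
# stray characters is not mistaken for the one Certbot is waiting for.
txt_has_value() {
    printf '%s\n' "$2" | grep -Fxq -- "\"$1\""
}

# wait_for_txt HOSTNAME EXPECTED [RESOLVER] [TRIES]
# HOSTNAME and EXPECTED are copied from Certbot's prompt. Polls until EXPECTED
# is visible or TRIES run out; the resolver default is an assumption.
wait_for_txt() {
    name=$1
    expected=$2
    resolver=${3:-8.8.8.8}
    tries=${4:-20}
    n=1
    while [ "$n" -le "$tries" ]; do
        if txt_has_value "$expected" "$(lookup_txt "$name" "$resolver")"; then
            echo "visible: $name"
            return 0
        fi
        # Pause between attempts, but not after the last one.
        [ "$n" -lt "$tries" ] && sleep "${TXT_WAIT_SECS:-15}"
        n=$((n + 1))
    done
    echo "not visible yet: $name (do not press Enter in Certbot)" >&2
    return 1
}

# Usage: sh check_txt.sh HOSTNAME_FROM_CERTBOT 'VALUE_FROM_CERTBOT'
if [ "$#" -eq 2 ]; then
    wait_for_txt "$1" "$2"
fi
```

When a request covers several domains, Certbot prompts once per domain, so run the check once for each hostname and value pair.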

8) Deploy Certificates

If Certbot was able to successfully validate your DNS record, it will notify you that a certificate and key have been created and give you their location. It will also tell you the date the certificate expires and directions for renewing the certificate, so make sure to save these for later. Then, all you need to do is let your web server know where to find your certificate and key. For example, I run NGINX so I go into my /etc/nginx/sites-enabled/aidenwhite.com.conf file and add the paths to my certificate and key. See below for an example. I also redirect any HTTP requests on port 80 to HTTPS on port 443.

server {
    # listen on port 80 (HTTP)
    listen 80;
    server_name aidenwhite.com www.aidenwhite.com;
    location / {
        # redirect any requests to the same URL but on HTTPS
        return 301 https://$host$request_uri;
    }
}

server {
    # listen on port 443 (HTTPS)
    listen 443 ssl;
    server_name aidenwhite.com www.aidenwhite.com;

    # location of the certificate & key
    ssl_certificate /etc/letsencrypt/live/aidenwhite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/aidenwhite.com/privkey.pem;

...


Don't forget to restart NGINX to reflect these changes:

systemctl restart nginx

That's it! Your site should now support HTTPS connections.

My GeoPandas Plot Went Viral on Reddit

By: Aiden White

Plot of the tree density in Manhattan

In December 2022 I entered a competition on DataCamp that involved visualizing the tree density of Manhattan, NY. I decided to post the above plot I created with GeoPandas to the subreddit /r/dataisbeautiful, and to my surprise, it ended up receiving over 1 million views and 8,000+ upvotes. I got a lot of great feedback in the comments about how I could improve the plot, and I think that engagement may have contributed to Reddit showing the post to more users. It just goes to show that if you're willing to be a bit vulnerable and put your work out there to the world, you can learn a lot.