How to Install Free ZeroSSL Certificate on Ubuntu Server

In the previous tutorial, we discussed the free Let’s Encrypt SSL certificate. Today I’m going to introduce another certificate authority that issue free SSL certificate: ZeroSSL.

ZeroSSL Features

  • It offers 90-day certificates and 1-year certificates.
  • multi-domain certificates and wildcard certificates.
  • ACME support. Its dedicated ACME Bot (ZeroSSL Bot) allows you to obtain and renew 90-day certificates automatically and completely free of charge.
  • Supports third-party ACME clients
  • No rate limit
  • SSL monitoring
  • REST API
  • Domain verification via email, CNAME or file upload

To be honest, many of these features require a premium plan. I’m interested in ZeroSSL because one of my server applications doesn’t support Let’s Encrypt certificate. Now let’s learn how you can install the ZeroSSL certificate on Ubuntu server.

Step 1: Create a ZeroSSL Account

Go to the ZeroSSL official website, and click the Get Free SSL button.

zeroSSL free certificate

Sign up for the free plan.

zerossl free plan

Then click the New Certificate button.

ZeroSSL New Certificate

Enter your domain name and click the Next Step button.

zerossl enter domain name

Next, choose the certificate validity period. The 90-day certificate is free, so I chose it.

zerossl 90 day certificate

After that, it will generate a CSR (certificate signing request).

zerossl auto-genereate CSR

Finally, select the free plan.

zerossl upsell

Once the SSL certificate is created, you need to verify your domain name. ZeroSSL supports email verification, DNS (CNAME) verification and HTTP file upload verification. I have my own email server, so I chose the email verification method.

zerossl domain verification

After the domain is verified, you can download the certificate.

zerossl download certificate

Step 2: Install ZeroSSL Certificate on Ubuntu Server

Upload the zipped certificate file to your server. Then unzip it.

unzip your-domain.com.zip

There will be 3 files:

  • ca_bundle.crt
  • certificate.crt
  • private.key

We need to combine the two .crt files into one file.

cat certificate.crt ca_bundle.crt >> zerossl_certificate.crt

Create a directory to store these files.

sudo mkdir /etc/ssl/your-domain.com

Move them to this directory.

sudo mv zerossl_certificate.crt private.key /etc/ssl/your-domain.com/

Change the file permission so that only the root user can read them.

sudo chown root:root /etc/ssl/your-domain.com/*

sudo chmod 660 /etc/ssl/your-domain.com/*

Now let’s install the certificate.

Apache Web Server

First, edit your virtual host file.

sudo nano /etc/apache2/sites-available/your-domain.com.conf

Add the following lines above </VirutalHost>.

RewriteEngine on
RewriteCond %{SERVER_NAME} =your-domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

The 3 lines tell Apache to always redirect visitors to the HTTPS version of your site. Save and close the file. Then create a virtual host file for the HTTPS version of your site.

sudo nano /etc/apache2/sites-available/your-domain.com-https.conf

Put the following lines in the file.

<IfModule mod_ssl.c>
<VirtualHost *:443>

   ServerAdmin webmaster@localhost
   DocumentRoot /var/www/your-domain/
   ServerName your-domain.com

   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined

   SSLCertificateFile /etc/ssl/your-domain.com/zerossl_certificate.crt
   SSLCertificateKeyFile /etc/ssl/your-domain.com/private.key
   Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

</IfModule>

Save and close the file. Then enable the HTTPS version of your site.

sudo a2ensite your-domain.com-https.conf

And reload Apache.

sudo systemctl reload apache2

Now visit your site in your browser and you will see a green lock.

Nginx Web Server

Open your Nginx server block file.

sudo nano /etc/nginx/confi.d/your-domain.com.conf

Edit the file like below.

server {
        listen 80;
        server_name your-domain.com;
        return 301 https:$server_name$request_uri;
}

server {
        listen 443 ssl http2;
        server_name your-domain.com;

        root /var/www/your-domain/;
        
        ssl_certificate /etc/ssl/your-domain.com/zerossl_certificate.crt;
        ssl_certificate_key /etc/ssl/your-domain.com/private.key;

        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
       ssl_prefer_server_ciphers off;

       # HSTS (ngx_http_headers_module is required) (63072000 seconds)
       add_header Strict-Transport-Security "max-age=63072000" always;

       # OCSP stapling
       ssl_stapling on;
       ssl_stapling_verify on;

        ...
        Your custom directives goes here. 
        ...
}

Save and close the file. Then test Nginx configs and reload.

sudo nginx -t

sudo systemctl reload nginx

Conclusion

I hope this tutorial helped you obtain and install a free ZeroSSL certificate on Ubuntu server.

Rate this tutorial
[Total: 1 Average: 5]

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community (https://community.linuxbabe.com) for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here