We’ll be using Let’s Encrypt in order to obtain and use - in a web server, for example - an SSL certificate for our domain.
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).
This will be done through certbot. Setting it up is as trivial as cloning the Git repository and running the certbot-auto file. Initial set-up1 is left as an exercise for the reader.
Certbot has three main commands: run, certonly, and renew:
runwill obtain & install a certificate in your web servercertonlywill obtain or renew a certificate, but doesn’t installrenewonly renews the previously obtained certificates that are near the expiry date
Certbot lets you authenticate and install a certificate in 5 ways: through an Apache plugin, an Nginx plugin, through a standalone web server, by placing a validation file in a desired web root, or manual, in a more interactive way.
I’m going to use certonly and --webroot for this tutorial, as I don’t want it to tamper with my web server1, nor do I want to stop & start the web server, as certbot needs port 80 open when running the standalone server. I’m also going to use the certificate in more than one place afterwards.
My command will look like this:
./certbot-auto certonly --webroot -d domain.tld --webroot-path /var/www/domain.tld
After a successful run, you’ll pretty much be greeted by this:
λ ./certbot-auto certonly --webroot -d domain.tld --webroot-path /var/www/domain.tld
Requesting root privileges to run certbot...
/home/user/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -d domain.tld --webroot-path /var/www/domain.tld
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.tld
Using the webroot path /var/www/domain.tld for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/001_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domain.tld/fullchain.pem. Your cert will
expire on 2017-05-27. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
You can find the newly created certificates in /etc/letsencrypt/live/domain.tld/ directory, which contains the following files: cert.pem, chain.pem, fullchain.pem, privkey.pem, and lastly, README.
A basic Nginx configuration for setting up an SSL domain looks like this:
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name domain.tld;
return 301 https://$server_name$request_uri;
}
# Main config
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name domain.tld;
ssl on;
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;
root /var/www/domain.tld;
index index.html;
}
And that’s it. Check Nginx’s config with nginx -t to check for typos or errors, link the config to sites-enabled, restart it, and you’re done.
This should be enough to get you started.
-
Via Let’s Encrypt Github page: The first time you run the command, it will make an account, and ask for an email and agreement to the Let’s Encrypt Subscriber Agreement; you can automate those with –email and –agree-tos ↩︎