Secure your web site with a Free Let's Encrypt SSL Certificate

Let’s Encrypt is an SSL certificate authority managed by the Internet Security Research Group. It is great because one certificate can cover multiple domains and it is free. The only catch is that a certificate expires every three months.

Use SSH to connect to a remote server

$ ssh root@server_name.com -p 22

Before you Begin

  • Complete the steps for setting your system and timezone.

Update and upgrade system

$ apt-get update
$ apt-get upgrade

Set the Timezone

$ dpkg-reconfigure tzdata

Check the Time

View the current date and time according to your server:

$ date

Configure locales with the following command and select en_US.UTF-8:

$ dpkg-reconfigure locales

Download and Install Let’s Encrypt

Download a clone of Let’s Encrypt from the official GitHub repository:

/opt is a common installation directory for third-party packages, so we are going to install the clone to /opt/letsencrypt:

$ git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Create an SSL Certificate

Let’s Encrypt automatically performs Domain Validation using a series of challenges. The most popular Let’s Encrypt client is EFF’s Certbot.

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver.

Run Let’s Encrypt with the --standalone parameter. The --standalone option tells Certbot to handle the challenge using its own built-in web server.

The -d flag is used to specify the domain you’re requesting a certificate for. You can add multiple -d options to cover multiple domains in one certificate.

Execute the command:

$ /opt/letsencrypt/certbot-auto certonly --standalone -d example.com -d www.example.com

The output looks like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for wordpresspage2.nomimono.inservioserver.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-10-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

When you first run the certbot command and obtain the certificate, you will be prompted to add your email address and to agree to the Let’s Encrypt terms of service. Enter ‘a’ to agree to the service terms and ‘no’ to not share your email address with Let’s Encrypt partners.

Check Certificate Domains

The output of the Let’s Encrypt script shows where your certificate is stored:

$ ls /etc/letsencrypt/live

Your certificate should be stored at:

/etc/letsencrypt/live/example.com/cert.pem

Let’s Encrypt certificates expire after 90 days. You can renew your certificates at any time during their lifespan.
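The two checks above (which domains the certificate covers, and how close it is to the 90-day expiry) can be scripted with openssl. This is an added example, not part of the original tutorial: the function names are hypothetical, the sample certificate is a constructed self-signed one that stands in for cert.pem, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: audit a certificate before (or after) renewal.
# Function names are hypothetical; assumes OpenSSL 1.1.1+ for -addext.

# Exit 0 when the certificate in $1 expires within $2 days.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Exit 0 when name $2 is an exact subjectAltName DNS entry of $1
# (wildcard entries are not expanded).
cert_covers() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -e 's/^ *DNS://' -e 's/ *$//' \
        | grep -Fxq "$2"
}

# Constructed sample: self-signed certificate at $1, valid for $2 days,
# standing in for /etc/letsencrypt/live/example.com/cert.pem.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -keyout "$1.key" -out "$1" -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
        2>/dev/null
}

# audit_cert CERT THRESHOLD_DAYS DOMAIN...: report problems, exit 1 if any.
audit_cert() {
    cert=$1; threshold=$2; shift 2; status=0
    for name in "$@"; do
        cert_covers "$cert" "$name" || { echo "MISSING: $name"; status=1; }
    done
    if needs_renewal "$cert" "$threshold"; then
        echo "RENEW: expires within $threshold days"; status=1
    fi
    return "$status"
}

sample_dir=$(mktemp -d)
make_sample_cert "$sample_dir/cert.pem" 90
audit_cert "$sample_dir/cert.pem" 30 example.com www.example.com && echo "OK"
rm -rf "$sample_dir"
```

On a real server, pass /etc/letsencrypt/live/example.com/cert.pem to audit_cert instead of the sample file.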

Renew certificate

Execute the command:

$ /opt/letsencrypt/certbot-auto certonly --standalone --renew-by-default -d example.com -d www.example.com

Update Let’s Encrypt

Go to the /opt/letsencrypt directory:

$ cd /opt/letsencrypt

Download any changes made to Let’s Encrypt since you last cloned or pulled the repository, effectively updating it:

$ git pull

Automatically update Let’s Encrypt

Use cron to keep the letsencrypt-auto client up to date:

$ crontab -e

Add this line to the crontab:

0 0 1 * * cd /opt/letsencrypt && git pull

Your web server is now using a free Let’s Encrypt TLS/SSL certificate to securely serve HTTPS content for your domain.

That’s all, folks! Let’s Letsencrypt…