Secure your web site with a Free Let's Encrypt SSL Certificate

About

Let’s Encrypt is an SSL certificate authority managed by the Internet Security Research Group. It is great since you can use multiple domains and it is free. The only catch is that certificates expire every three months.

Certbot is a client for Let’s Encrypt that fetches and deploys SSL/TLS certificates for your web server.

It is the most extensive client that implements the ACME protocol to fetch certificates, and it can automatically configure your web server to start serving over HTTPS immediately.

Use SSH to connect to a remote server

$ ssh root@server_name.com -p 22

Before you Begin

  • Complete the steps below for setting up your system and timezone.

Update and upgrade system

$ apt-get update
$ apt-get upgrade

Set the Timezone

$ dpkg-reconfigure tzdata

Check the Time

View the current date and time according to your server.

$ date

Configure locales with the following command and select en_US.UTF-8:

$ dpkg-reconfigure locales

Download and Install Certbot

We can install the Certbot client packages with the following command:

$ apt-get install certbot

Alternative way to install the client:

Download a clone of Certbot from the official GitHub repository:

  • Directory /opt is a common installation directory for third-party packages.

We are going to install the clone to /opt/certbot:

$ git clone https://github.com/certbot/certbot /opt/certbot

Creating a Let’s Encrypt certificate with the Certbot client

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server. With the certonly subcommand we obtain or renew a certificate but do not install it.

Run Certbot with webroot mode

If you don’t want to stop the web server during the certificate issuance process, you can use the --webroot plugin to obtain a certificate by including certonly and --webroot on the command line. Webroot mode places files in the server’s webroot folder for authentication.

Before going any further, we need to set up our Nginx installation to serve our well-known directory so that we can validate our acme-challenge.

We have to add a location block to our Nginx configuration that looks like this:

    location ~ ^/.well-known {
        root /var/www/example.com/web;
    }

After that we are going to create a certificate for a specific site:

$ certbot certonly --webroot -w /var/www/example.com/web -d example.com

You will get output like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cert4.nomimono.inservioserver.com
Using the webroot path /var/www/cert4.nomimono.inservioserver.com/web for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0011_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0011_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/cert4.nomimono.inservioserver.com/fullchain.pem.
   Your cert will expire on 2018-10-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Run Certbot with standalone mode

Obtaining a certificate with the --standalone parameter requires port 80 or 443 to be available. This is useful on systems with no web server, or when direct integration with the local web server is not supported or not desired. We also use standalone mode when adding a large number of domains to one certificate.

We’ll use the --standalone option to tell Certbot to handle the challenge using its own built-in web server.

The -d flag is used to specify the domain you’re requesting a certificate for. You can add multiple -d options to cover multiple domains in one certificate.

Execute command:

$ certbot certonly --standalone -d example.com

You will get output like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem.
   Your cert will expire on 2018-10-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


When you run the certbot command for the first time and obtain a certificate, you will be prompted to enter your email address and to agree with the Certbot terms of service. Type ‘a’ to agree to the terms of service and ‘no’ if you do not want to share your email address with Let’s Encrypt partners.

Check Certificate Domains

Your certificate should be stored at:

/etc/letsencrypt/live/example.com/

Certbot certificates expire after 90 days. You can renew your certificates at any time during their lifespan.

Setting up SSL with Certbot over Nginx

$ apt-get install python-certbot-nginx

Find the Nginx configuration file that manages your domain. In our case it was at:

/etc/nginx/sites-available/example.com.conf

We are going to add the paths to the certificate files and a redirect to the secured site:

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }

After this, the only thing left is to reload the Nginx service:

$ systemctl reload nginx.service

Managing certificates

Before managing them, display the list of certificates you have from Certbot:

$ certbot certificates

Changing a Certificate’s Domains

If you want to change a certificate’s domains, you can do it with the --cert-name flag.

You need to specify the new domains using the -d or --domains flag. If the certificate example.com previously contained example.com and www.example.com, it can be modified to only contain example.com by specifying only example.com with the -d or --domains flag.

Command:

$ certbot certonly --cert-name example.com -d example.com

Renew certificates

We can renew certificates with a simple command:

$ certbot renew

With this command we will check all installed certificates for impending expiry and attempt to renew them.

Since renew only renews certificates that are near expiry it can be run as frequently as you want.

Before you choose to modify the renewal configuration file, we advise you to test its validity with the certbot renew --dry-run command. This command performs a test run of renew (or certonly) without saving any certificates to disk.

$ certbot renew --dry-run

Renew certificate for specific domain:

$ certbot renew --cert-name name_of_certificate

Renew certificates with hooks

The renew command includes hooks for running commands or scripts before or after a certificate is renewed. For example, if you have a single certificate obtained using the standalone plugin, you might need to stop the webserver before renewing so standalone can bind to the necessary ports, and then restart it after the plugin is finished. Example:

$ certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
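A renewal hook that checks the new files before reloading Nginx, as an added example (not from the original post or from the Certbot project). It assumes Certbot's --deploy-hook option, which runs a command only for certificates that were actually renewed and exports RENEWED_LINEAGE and RENEWED_DOMAINS; the served domain example.com, the install path and the Nginx reload commands are assumptions.

```shell
#!/bin/sh
# Added example: deploy hook for
#   certbot renew --deploy-hook /usr/local/sbin/certbot-deploy.sh
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# and RENEWED_DOMAINS (space separated) when it runs a deploy hook.
set -eu

# 0 when the lineage directory holds both files the Nginx config points at.
cert_files_present() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# 0 when group and other have no permission bits, so the private key cannot
# be read by other local users (certbot creates it as 0600).
key_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group + other columns of ls -l
    [ "$mode" = "------" ]
}

# 0 when the wanted domain is among the renewed domains (remaining arguments).
covers_domain() {
    wanted=$1; shift
    for d in "$@"; do
        [ "$d" = "$wanted" ] && return 0
    done
    return 1
}

# 0 when the private key belongs to the new certificate; a mismatch would make
# Nginx refuse the pair at reload time. Skipped when openssl is not installed.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 0
    c=$(openssl x509 -noout -pubkey -in "$1/fullchain.pem")
    k=$(openssl pkey -pubout -in "$1/privkey.pem")
    [ "$c" = "$k" ]
}

main() {
    lineage=$RENEWED_LINEAGE
    # Only react to the site this server serves (assumed: example.com).
    covers_domain example.com ${RENEWED_DOMAINS:-} || exit 0
    cert_files_present "$lineage" || { echo "missing files in $lineage" >&2; exit 1; }
    key_is_private "$lineage/privkey.pem" || { echo "privkey.pem readable by others" >&2; exit 1; }
    key_matches_cert "$lineage" || { echo "key does not match certificate" >&2; exit 1; }
    nginx -t && systemctl reload nginx.service   # reload only if config still validates
}

# Certbot sets RENEWED_LINEAGE; without it (e.g. when sourced for tests) main is skipped.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```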

Renew certificate made in webroot mode

If we want to renew the certificate for a specific site and domain whose certificate was obtained in webroot mode, we execute:

$ certbot certonly --webroot -w /var/www/example.com/web -n -d example.com

Here we include the -n or --noninteractive flag to prevent blocking on user input and interactive mode in the shell.

Revoking and deleting certificates

If you need to revoke a certificate, use the revoke command. Note that the revoke command takes the certificate path, not a certificate domain.

This is command:

$ certbot revoke --cert-path /etc/letsencrypt/live/certname/cert.pem

Also, if you want to delete the certificate for a specific domain, you just need to execute the delete command:

$ certbot delete --cert-name example.com

Adding mail notifications

Email address for important account notifications

It is used as the registration and recovery contact. Use a comma to register multiple emails:

$ certbot certonly -m my@mail.com,other@mail.com -d example.com

Also, when creating a new certificate with an email subscription and the standalone option, you have to add the --agree-tos option to the command, which means you agree with the ACME server’s Subscriber Agreement:

$ certbot certonly --standalone --agree-tos --email my@mail.com -d example.com

Update Certbot client

Go to the /opt/certbot directory:

$ cd /opt/certbot

Download any changes made to Certbot since you last cloned or pulled the repository, effectively updating it:

$ git pull

Automatic update Certbot

  • Use cron to keep the letsencrypt-auto client up to date.

$ crontab -e

Add this line to the crontab:

0 0 1 * * cd /opt/certbot && git pull

Your web server is now using a free Let’s Encrypt TLS/SSL certificate to securely serve HTTPS content for your domain.

For more information you can check Certbot’s command line options with --help all.

That’s all folks! Let’s Letsencrypt…