- Before you Begin
- Download and Install Let’s Encrypt
- Create an SSL Certificate
- Renew certificate
- Update Let’s Encrypt
Let’s Encrypt is an SSL certificate authority managed by the Internet Security Research Group. It is great since you can use multiple domains and it is free. The only catch is that its certificates expire every three months.
Use SSH to connect to a remote server
ssh root@server_name.com -p 22
Before you Begin
- Complete the steps for setting your system and timezone.
Update and upgrade system
$ apt-get update
$ apt-get upgrade
Set the Timezone
$ dpkg-reconfigure tzdata
Check the Time
View the current date and time according to your server.
Configure locales with the following command and select en_US.UTF-8:
$ dpkg-reconfigure locales
Download and Install Let’s Encrypt
Download a clone of Let’s Encrypt from the official GitHub repository. /opt is a common installation directory for third-party packages, so we are going to install the clone to /opt/letsencrypt:
$ git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Create an SSL Certificate
Let’s Encrypt automatically performs Domain Validation using a series of challenges. The most popular Let’s Encrypt client is EFF’s Certbot.
Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver.
Run Let’s Encrypt with the --standalone parameter, which tells Certbot to handle the challenge using its own built-in web server.
The -d flag specifies the domain you’re requesting a certificate for. You can add multiple -d options to cover multiple domains in one certificate.
Execute the command:
$ /opt/letsencrypt/certbot-auto certonly --standalone -d example.com -d www.example.com
The output looks like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for wordpresspage2.nomimono.inservioserver.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-10-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
The first time you run the certbot command and obtain a certificate, you will be prompted to enter your email address and to agree to the Let’s Encrypt terms of service. Enter ‘a’ to agree to the terms of service and ‘no’ to not share your email address with Let’s Encrypt partners.
Check Certificate Domains
The output of the Let’s Encrypt script shows where your certificate is stored:
$ ls /etc/letsencrypt/live
Your certificate should be stored on location:
Renew certificate
Let’s Encrypt certificates expire after 90 days. You can renew your certificates at any time during their lifespan.
Execute the command:
$ /opt/letsencrypt/certbot-auto certonly --standalone --renew-by-default -d example.com -d www.example.com
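Because the certificate expires after 90 days, the renewal command above is worth scheduling rather than running by hand. The script below is an added example, not part of the original guide: it reads the certificate's expiry date and runs the renewal command only when expiry is near. The script name renew-check.sh and the 30-day window are assumptions, and it expects GNU date and openssl to be installed.

```shell
#!/bin/sh
# Added example (not from the original guide): renew only when expiry is near.
# Assumptions: GNU date (-d), openssl on PATH, a 30-day window, this guide's paths.

CERT=/etc/letsencrypt/live/example.com/fullchain.pem
THRESHOLD_DAYS=30

# Print the certificate's notAfter value, e.g. "Oct 11 00:00:00 2018 GMT".
cert_not_after() {
    out=$(openssl x509 -enddate -noout -in "$1") || return 2
    echo "${out#notAfter=}"
}

# Whole days from $2 (default: now) until the notAfter string in $1.
days_until() {
    [ -n "$1" ] || return 2          # GNU date treats "" as today; reject it
    end=$(date -u -d "$1" +%s) || return 2
    now=$(date -u -d "${2:-now}" +%s) || return 2
    echo $(( (end - now) / 86400 ))
}

# Exit 0 when notAfter ($1) is at most $2 days after $3 (default: now),
# 1 when it is further away, 2 when the date cannot be parsed.
renewal_due() {
    left=$(days_until "$1" "${3:-now}") || return 2
    [ "$left" -le "$2" ]
}

# Check the certificate and renew it only if due; intended for cron.
renew_if_due() {
    not_after=$(cert_not_after "$CERT") || { echo "cannot read $CERT" >&2; return 2; }
    renewal_due "$not_after" "$THRESHOLD_DAYS"
    case $? in
        0)  # --standalone starts Certbot's own web server, so port 80 must be free.
            /opt/letsencrypt/certbot-auto certonly --standalone --renew-by-default \
                -d example.com -d www.example.com ;;
        1)  echo "valid for $(days_until "$not_after") more days, nothing to do" ;;
        *)  echo "cannot parse expiry date: $not_after" >&2; return 2 ;;
    esac
}

# Only act when invoked as: sh renew-check.sh run  (hypothetical file name)
if [ "${1:-}" = "run" ]; then
    renew_if_due
fi
```

A failure to read or parse the certificate returns status 2 instead of silently skipping the renewal, so a cron job that mails on non-zero exit will surface it.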
Update Let’s Encrypt
Go to the /opt/letsencrypt directory:
$ cd /opt/letsencrypt
Download any changes made to Let’s Encrypt since you last cloned or pulled the repository, effectively updating it:
$ git pull
Automatically update Let’s Encrypt
- Use cron to keep the letsencrypt-auto client up to date.
$ crontab -e
Add this line to the crontab:
0 0 1 * * cd /opt/letsencrypt && git pull
Your web server is now using a free Let’s Encrypt TLS/SSL certificate to securely serve HTTPS content for your domain.
That’s all, folks! Let’s Letsencrypt…