Free Domain SSL Certificate Using Let’s Encrypt

This post will be a nugget on getting free SSL/TLS certificate using Lets Encrypt. This will be useful if you run your own site and want to make sure the communication is encrypted using https protocol. Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.

What is Let’s Encrypt?

Lets’ Encrypt is a free, automated and open Certificate Authority. Let’s Encrypt is a new Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). A CA is an entity that issues digital certificates. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 standard.

What is the requirement ?

In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain.

• You must own or control the registered domain name that you wish to use the certificate with. If you do not already have a registered domain name, you may register one with one of the many domain name registrars out there (e.g. Namecheap, GoDaddy, etc.)

• A DNS A Record that points your domain to the public IP address of your server. This is required because of how Let’s Encrypt validates that you own the domain it is issuing a certificate for. For example, if you want to obtain a certificate for
  mysite.com, that domain must resolve to your server for the validation process to work. You can refer the corresponding domain providers instructions to configure DNS records to complete this step. The certificate verification step will fail if this is not configured or configured incorrectly

What we will do ?

In this tutorial, we will see how we can secure apache and nginx using Let’s Encrypt in ubuntu 16.04 server for free. We will also see how to automate the certificate renewal process.

Apache with Let’s Encrypt

• Install Certbot ( Let’s encrypt agent/client )

The first step of using Let’s Encrypt to obtain an SSL certificate is to install the certbot in your server. Certbot is an easy-to-use client that fetches  certificate from Let’s Encrypt. To know more about how Let’s Encrypt works, you can refer this article. Let us install certbot by adding its own repository.

sudo add-apt-repository ppa:certbot/certbot

Press Enter to accept. Next, update the repo for the latest changes to take effect.

sudo apt-get update

Finally, Install certbot by running the below command

sudo apt-get install python-certbot-apache

• Setup the SSL Certificate

Generating the SSL Certificate for Apache using the certbot Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters for the certbot command.

To obtain certificate that covers  a single domain, run the below command

sudo certbot --apache -d mysite.com

Note: Replace mysite with your domain name.

On the other hand, if you want to install a single certificate that is valid for multiple domains or sub-domains, you can run the below command

Note: As of writing this article, Let’s Encrypt has made an announcement that it’ll start to support wildcard certificates by January 2018. Once that is up live, you can make use of wildcard certificates to overcome this constrain.

sudo certbot --apache -d mysite.com -d www.mysite.com -d dev.mysite.com -d qa.mysite.com

Make sure you keep the top level domain name as the first parameter since first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate.

In this example, the base domain will be mysite.com

After executing the above step, you’ll be prompted to provide an email address for lost key recovery and notices, prompted to Accept Let’s Encrypt terms of service, prompted to accept or reject sharing your email address with the Electronic Frontier Foundation . You’ll then be asked to choose between enabling both http and https access or force all requests to redirect to https.

Below is an excerpt from the certbot command output

$ certbot –apache -d mysite.com -d www.mysite.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): [email protected]
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

——————————————————————————-
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
——————————————————————————-
(A)gree/(C)ancel: A

——————————————————————————-
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
——————————————————————————-
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mysite.com
tls-sni-01 challenge for www.mysite.com
Enabled Apache socache_shmcb module
Enabled Apache ssl module

 

We were unable to find a vhost with a ServerName or Address of www.mysite.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
——————————————————————————-
1: default-ssl.conf | | HTTPS |
2: mysite.conf | mysite.com | | Enabled
3: 000-default.conf | | |
4: mysite-le-ssl.conf | mysite.com | HTTPS | Enabled
——————————————————————————-
Select the appropriate number [1-4] then [enter] (press ‘c’ to cancel): 4
Deploying Certificate for www.mysite.com to VirtualHost /etc/apache2/sites-available/mysite-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
——————————————————————————-
1: No redirect – Make no further changes to the webserver configuration.
2: Redirect – Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.
——————————————————————————-
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting vhost in /etc/apache2/sites-available/mysite.conf to ssl vhost in /etc/apache2/sites-available/mysite-le-ssl.conf

——————————————————————————-
Congratulations! You have successfully enabled https://mysite.com and
https://www.mysite.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mysite.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.mysite.com
——————————————————————————-

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mysite.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mysite.com/privkey.pem
Your cert will expire on 2017-11-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew *all* of
your certificates, run “certbot renew”
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

If you had selected to redirect http to https, certbot will automatically make the necessary changes in the appropriate virtual host configuration files ( Make sure the ServerName directive is set right in your virutal host configuration). If you want to configure it manually, you can find the generate certificate files under /etc/letsencrypt/live.

Nginx with Let’s Encrypt

The steps for nginx is almost same as that of apache only exception being we need to have nginx plugin installed in place of apache. The rest of the steps are same.

• Install Certbot ( Let’s encrypt agent/client )

sudo add-apt-repository ppa:certbot/certbot

Press Enter to accept. Next, update the repo for the latest changes to take effect.

sudo apt-get update

Finally, Install certbot by running the below command

sudo apt-get install python-certbot-nginx

• Setup the SSL Certificate

To obtain certificate that covers  a single domain, run the below command

sudo certbot --nginx -d mysite.com

Note: Replace mysite with your domain name.

If you want to install a single certificate that is valid for multiple domains or sub-domains, you can run the below command

sudo certbot --nginx -d mysite.com -d www.mysite.com -d dev.mysite.com -d qa.mysite.com

Make sure you keep the top level domain name as the first parameter since first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate.

In this example, the base domain will be mysite.com

After executing the above step, you’ll be prompted for the same options as discussed in the apache section.

Cronjob for Auto Renewal

By default Let’s encrypt certificates are valid for 90 days. You can read about reason for it here. The command to renew all the SSL certificate is as below

sudo certbot renew --quiet

The renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. –quiet tells Certbot not to output information or wait for user input.

We can create a cron job and automate the process of the renewal by configuring it to run daily. Create an entry in cronjob by running the below commands.

sudo crontab -e

Your text editor will open the default crontab which is a text file with some help text in it. Paste in the following lines based on the web sever type at the end of the file, then save and close it:

• For apache2:

# m h  dom mon dow   command

15 1 * * * /usr/bin/certbot renew --quiet

• For nginx:

# m h  dom mon dow   command

15 1 * * * /usr/bin/certbot renew --quiet

Above configuration will run the renewal command everyday at 1.15pm and reloads the service. Because we installed our certificates using the –apache / –nginx plugin, Apache/Nginx will also be reloaded to ensure the new certificates are used.

That’s it on the configuration aspect of Let’s Encrypt using certbot for free Domain verified SSL certificate. Keep track of Official Let’s Encrypt Blog for time to time update.