Acquiring an SSL certificate can be expensive, especially when you are running a website that does not generate any revenue, such as a blog. Thankfully, Let’s Encrypt provides a mechanism for generating an SSL certificate for your website for free. These certificates, however, are only valid for 90 days at a time, and they can be renewed with a simple shell command when they are due. This article will show you step by step how to generate a certificate for your website using the Certbot ACME client. You will need shell access to your web host in order to install and run Certbot.
Certbot Prerequisites
There are some prerequisites for setting up Certbot:
- You need to be comfortable with using the command line and executing shell commands
- You need an HTTP website that is already online. If you have not done so yet, you will need to set this up first before continuing with this article
- This website needs to be hosted on a server to which you have SSH access, with the ability to sudo
Installing Certbot
SSH into your web server and run the following commands to get Certbot installed:
$ wget https://dl.eff.org/certbot-auto
$ sudo mv certbot-auto /usr/local/bin/certbot-auto
$ sudo chown root /usr/local/bin/certbot-auto
$ sudo chmod 0755 /usr/local/bin/certbot-auto
Running Certbot and generating the certificate(s)
To get an SSL certificate and have Certbot edit your Apache configuration automatically to serve it, turning on HTTPS access all in one single step, simply run:
$ sudo /usr/local/bin/certbot-auto --apache
This command scans the websites configured in Apache on your server and presents you with a list of the site or sites for which Certbot can generate an SSL certificate:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mysite.com
2: othersite.com
3: myotherothersite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Once you have selected an option from the list and pressed Enter, Certbot will begin the generation process:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mysite.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/mysite.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/mysite.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/mysite.com-le-ssl.conf
Certbot will then present you with two options for HTTPS redirection:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
If you choose option 1, Certbot makes no further changes. If you choose option 2, Certbot updates the virtual host configuration of the site it generated the SSL certificate for so that HTTP requests are redirected to HTTPS:
Redirecting vhost in /etc/apache2/sites-enabled/mysite.com.conf to ssl vhost in /etc/apache2/sites-available/mysite.com-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
And that’s it! Certbot has successfully generated an SSL certificate for your website for free!
Congratulations! You have successfully enabled https://mysite.com
Testing whether the SSL certificate is working correctly
Once the generation process has completed, Certbot provides you with a URL where you can check the status of your SSL certificate:
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mysite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You can also load the HTTPS version of your website, which should now work and display a lock icon next to the URL.
Things to note
Certbot also displays some important information at the end of the run: where the certificate, chain and private key are stored on the server, and when the newly generated certificate expires. Pay attention to this output:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mysite.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mysite.com/privkey.pem
   Your cert will expire on 2019-10-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
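To check the new certificate the same way a browser does, and to keep an eye on the expiry date Certbot prints above, here is an added example script. It is not part of the original article and not Certbot's own code: it opens a TLS connection using Python's default context (which validates the chain against the system trust store and checks the hostname), then reports how many days of validity remain against Certbot's default 30-day renewal threshold. The host name mysite.com is the article's placeholder, and SAMPLE_CERT is a constructed dictionary in the layout returned by ssl.getpeercert(), included so the reporting logic can be exercised offline.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Certbot's "renew" command replaces a certificate once fewer than 30 days of
# validity remain (its default renew_before_expiry), so alarm on the same value.
RENEW_THRESHOLD_DAYS = 30

# Constructed sample in the ssl.getpeercert() layout, modelled on a Let's Encrypt
# certificate whose expiry matches the date Certbot printed above (2019-10-19).
SAMPLE_CERT = {
    "subject": ((("commonName", "mysite.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Let's Encrypt Authority X3"),),
    ),
    "notBefore": "Jul 21 12:00:00 2019 GMT",
    "notAfter": "Oct 19 12:00:00 2019 GMT",
    "subjectAltName": (("DNS", "mysite.com"), ("DNS", "www.mysite.com")),
}


def days_until_expiry(not_after, now=None):
    """Whole days left before a 'notAfter' string as returned by
    ssl.getpeercert(), e.g. 'Oct 19 12:00:00 2019 GMT'. `now` may be a Unix
    timestamp or a string in the same format; it defaults to the current UTC time."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    return int((expires - now) // 86400)


def assess_cert(cert, now=None, threshold=RENEW_THRESHOLD_DAYS):
    """Summarise a peer-certificate dict: the DNS names it covers, the issuing
    organisation, days of validity left, and whether renewal is already due."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    # Each issuer RDN is a 1-tuple holding one (attribute, value) pair.
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    days_left = days_until_expiry(cert["notAfter"], now)
    return {
        "names": names,
        "issuer": issuer.get("organizationName", "?"),
        "days_left": days_left,
        "renewal_due": days_left < threshold,
    }


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Connect with the default context: the chain is validated against the
    system trust store and the hostname is checked, so an untrusted, expired
    or mis-issued certificate raises ssl.SSLCertVerificationError instead of
    being silently accepted."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_site(hostname):
    """Fetch and assess the live certificate of a host (network access required)."""
    return assess_cert(fetch_peer_cert(hostname))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mysite.com"  # article's placeholder name
    try:
        report = check_site(host)
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}: certificate NOT trusted: {exc.verify_message}")
        sys.exit(2)
    except OSError as exc:
        print(f"{host}: connection failed: {exc}")
        sys.exit(1)
    status = " -> renewal due" if report["renewal_due"] else ""
    print(f"{host}: issued by {report['issuer']} for {', '.join(report['names'])}; "
          f"{report['days_left']} days left{status}")
    sys.exit(3 if report["renewal_due"] else 0)
```

Run it as `python3 check_cert.py mysite.com` from any machine with network access; a non-zero exit code makes it easy to drop into a monitoring job, and a verification failure is reported separately from a plain connection error so that a broken chain is not mistaken for a network outage.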
Setting up a cron to update the SSL certificates for you
Remembering to renew the certificates when they are due can be tedious. Thankfully, Certbot can also be run from a cron job that periodically checks whether any of the certificates it generated are due for renewal and renews them. Run the following in the terminal to add the cron job:
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew" | sudo tee -a /etc/crontab > /dev/null
Help and Support
Should you encounter any errors with Certbot, visit the Certbot Help page, which contains a list of helpful resources.
I hope this article was very helpful. Now go and generate those certificates!