Letsencrypt Certificates - Simple Guide

Let’s Encrypt is a free and open certificate authority developed by the Internet Security Research Group (ISRG) and trusted by almost all browsers today.

Note: This guide is for Server administrators. 

Introduction

Let's Encrypt is a free and open certificate authority developed by the Internet Security Research Group (ISRG). Certificates issued by this authority are trusted by almost all browsers, such as Chrome, Microsoft Edge, Internet Explorer and Firefox. One of the major benefits of these certificates is zero cost: whether you are publishing a new blog or a simple new website, you can get a Let's Encrypt certificate for free.

In this guide, we will explain the step-by-step process to install a certificate on a website running on the Nginx web server.

Presumptions:

  1. You have a fully qualified domain name (FQDN) pointing to your public IP. In this example, we will use example.com for the domain and 192.168.10.120 for the IP. You can buy a domain here, or you can also get a free domain here.

  2. Your DNS server is properly configured and has the following records (Name : Type : Value): example.com : A : 192.168.10.120 and www.example.com : A : 192.168.10.120.

  3. You have a working Nginx server installed and configured. To install Nginx, you can follow this guide.

  4. You have root or sudo access and enough knowledge of Linux commands.

Install CertBot

Update the package index and install software-properties-common with:

sudo apt update
sudo apt install -y software-properties-common

To be clear about what we just did: we installed a utility that lets us add new PPAs to the system, so that we can install packages from third-party repositories. Now we will add the certbot repository with the following command:

sudo add-apt-repository ppa:certbot/certbot

It will prompt you to press Enter; hit Enter to complete the process.

Remember that whenever you add a new PPA, you have to update the apt indexes again. To do so, run the following command:

sudo apt update

Now it is time to install certbot. Use the command below to install it:

sudo apt -y install certbot python-certbot-nginx

Now we will start the process of getting a Let's Encrypt SSL certificate.

Please keep the following information about Let's Encrypt SSL certificates in mind before trying to get one:

  1. Let's Encrypt SSL certificates are free, but they do not support wildcard domains, e.g. you cannot get a certificate for *.example.com; you have to generate a separate certificate for each subdomain.

  2. Let's Encrypt SSL certificates are valid for 3 months. You can renew them every 3 months, but you cannot get a certificate for a longer period, e.g. 1 year.

  3. The Let's Encrypt issuing authority has rate limits; before trying to get a certificate, please read them carefully here. For now, remember that if you fail to validate your domain 5 times, you will not be able to create a new request for one hour.


Obtaining a Let’s Encrypt SSL certificate


Let's Encrypt needs to validate our ownership of the domain. The CA has to confirm that the person requesting a certificate for a domain really controls the server it points to, so you must pass a challenge to prove you control each of the domain names that will be listed in the certificate. A challenge is one of three tasks that only someone who controls the domain should be able to accomplish:

HTTP-01 challenge: posting a specified file at a specified location on a website.

TLS-SNI-01 challenge: offering a specified temporary certificate on a website.

DNS-01 challenge: posting a specified DNS record in the domain name system.


Let's begin the fun part.

Type the following commands in the terminal.

Note: please double-check that the server_name directive in your Nginx config is set properly. In our example it should be:

server_name example.com www.example.com;

One more thing to verify is that the Nginx configuration is valid and the server is active. Please type the commands below.

nginx -t

It should display "successful".

systemctl status nginx

It should confirm that Nginx is active and running.
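The presumptions above (both names resolving to the server's IP) and the HTTP-01 challenge path can be checked from a script before certbot is run. This is an added Python example, not part of the original guide or of certbot; the probe token and body are values you construct and place in the webroot yourself, and the resolver and fetcher are injectable so the checks can be exercised offline.

```python
# Added pre-flight check (not part of the original guide): confirms that every
# requested name resolves to the server's public IP and that a probe file under
# /.well-known/acme-challenge/ is reachable over plain HTTP, which is what the
# HTTP-01 challenge depends on. Resolver and fetcher are injectable for offline use.
import socket
import urllib.request
from urllib.error import URLError

ACME_PATH = "/.well-known/acme-challenge/"

def default_resolve(name):
    """IPv4 addresses the system resolver returns for name (A records)."""
    return set(socket.gethostbyname_ex(name)[2])

def default_fetch(url, timeout=5):
    """Body of an HTTP GET to url as text, or None on any failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (URLError, OSError):
        return None

def check_dns(names, expected_ip, resolve=default_resolve):
    """Map each name to True only when it resolves to exactly expected_ip."""
    results = {}
    for name in names:
        try:
            addrs = set(resolve(name))
        except OSError:
            addrs = set()
        # A stale or extra A record would send the CA's validation elsewhere.
        results[name] = addrs == {expected_ip}
    return results

def check_http01_path(name, token, expected_body, fetch=default_fetch):
    """True when http://<name>/.well-known/acme-challenge/<token> serves expected_body."""
    # Mirrors the CA's HTTP-01 request; put expected_body in the webroot first.
    body = fetch("http://%s%s%s" % (name, ACME_PATH, token))
    return body is not None and body.strip() == expected_body

def preflight(names, expected_ip, token, expected_body,
              resolve=default_resolve, fetch=default_fetch):
    """Return (ok, report); ok is True only if DNS and HTTP-01 pass for every name."""
    dns = check_dns(names, expected_ip, resolve)
    report = {n: {"dns": dns[n],
                  "http01": dns[n] and check_http01_path(n, token, expected_body, fetch)}
              for n in names}
    return all(r["dns"] and r["http01"] for r in report.values()), report
```

For the guide's setup you would call preflight(["example.com", "www.example.com"], "192.168.10.120", "<token>", "<body>") after writing the probe file to the webroot; a False for "dns" points at a DNS problem, a False for "http01" alone at the webroot or Nginx configuration.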

Certbot provides many ways to obtain SSL certificates, through various plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. 

Now, to get the certificate, please type the following command:

sudo certbot --nginx -d example.com -d www.example.com


This runs certbot with the --nginx plugin; each -d tells it a domain we are requesting the certificate for. In our case we request it for two versions of our domain, with the www alias and without it. Please make sure that your DNS server is properly set up for both names.

If you are running certbot for the first time for this domain, you will be prompted to enter an email address and agree to the terms of service. After that, certbot will communicate with the Let's Encrypt server and run a challenge to verify that you control the domain you are requesting a certificate for.

Note: if validation fails for any reason, please make sure that the web root directory for the specified domain is owned by www-data and writable by this user.

If that is successful, certbot will ask how you would like to configure your HTTPS settings.

This is a sample output:


Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel)

Just select your choice and hit Enter. Certbot will update all configuration files and automatically reload Nginx to read the new settings.

Upon success, certbot will print this information for you:


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2019-01-23. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Naughty Note: You should donate some bucks to support these organizations.

Your website's SSL certificate has now been installed and configured. You should test it in the browser: simply put these addresses in the web browser and see if your certificate is working:

https://example.com
# then again
https://www.example.com

If both of the above show green https in the address bar, the process is complete. One more step is advisable: test certbot with a dry run to validate that certificate renewal will work in the future, by typing this command:

sudo certbot renew --dry-run

If everything goes well, your certbot is working properly.
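Besides looking for green https in the browser, the served certificate can be checked from a script for each name and for the number of days left until the expiry date certbot printed above. This is an added Python example, not part of the original guide or of certbot; the 30-day renewal window is certbot's default, and get_cert is injectable so the logic can be exercised offline with a constructed certificate dict.

```python
# Added post-install check (not part of the original guide): fetches the
# certificate served for a name over HTTPS, confirms the name is covered by its
# subjectAltName and reports how many days remain before expiry. get_cert is
# injectable so the logic can be run offline against a constructed certificate dict.
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 30  # certbot's default: renew when fewer than 30 days remain

def fetch_peer_cert(name, port=443, timeout=5):
    """Dict from ssl getpeercert() for the verified certificate served at name:port."""
    ctx = ssl.create_default_context()
    # The chain is still verified (CERT_REQUIRED); hostname coverage is reported
    # by check_site instead of aborting the handshake, so a wrong cert is visible.
    ctx.check_hostname = False
    with socket.create_connection((name, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=name) as tls:
            return tls.getpeercert()

def san_dns_names(cert):
    """DNS names listed in the certificate's subjectAltName extension."""
    return {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}

def days_until_expiry(cert, now=None):
    """Whole days from now (epoch seconds, default current time) until notAfter."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)

def check_site(name, get_cert=fetch_peer_cert, now=None):
    """Return whether name is covered, days left, and whether renewal is due."""
    cert = get_cert(name)
    days = days_until_expiry(cert, now)
    return {"covered": name in san_dns_names(cert),
            "days_left": days,
            "needs_renewal": days < RENEW_WINDOW_DAYS}
```

Running check_site("example.com") and check_site("www.example.com") on the server should report covered True for both; a needs_renewal of True while the dry run succeeded means the renewal timer has not yet fired and is worth investigating.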

Happy Ending

Waiting for your comments.

Please share this article on social media to support my work.