Secure your website in minutes with free SSL from Let's Encrypt
Today we will have a quick look at how to use the free certificate service from Let's Encrypt and secure our domain in minutes.
Note: This tutorial requires some basic understanding of Linux commands, terminal access to your hosting with root access, access to your DNS provider, and some basic understanding of DNS records. PS: We are not going to dive into what SSL/TLS is and how it works, but rather focus on getting things done!
Using the tool Certbot
Certbot is an ACME client that allows us to obtain a certificate signed by Let's Encrypt to use with TLS.
For this example, I am using an Ubuntu system and we will be installing the certificate for a website that is hosted on shared hosting with GoDaddy.
Generate Certificate:
- Log in to your hosting provider and look for terminal access.
- Log in as the root user.
- Install Certbot with the snap package manager, which is the installation method the Certbot project recommends. Run the command below if your configuration is similar to mine (Ubuntu).
> sudo snap install --classic certbot
- Make certbot globally accessible by creating a symlink. This is optional if /snap/bin is already on your PATH.
> sudo ln -s /snap/bin/certbot /usr/bin/certbot
Note: If you are on a different OS platform, head over to the official Certbot page and choose your OS and web server to find the matching installation instructions: Certbot (eff.org)
To confirm you have installed Certbot correctly, type the command below:
> certbot --version
If you have followed the above steps without any errors, move on to generating the certificate for our domain.
(Note: you can create a certificate that covers a single name, e.g. mysite.in, or one that also covers all of its subdomains with a wildcard name, e.g. *.mysite.in. Depending on what you need, the steps differ slightly: a wildcard name can only be validated with the DNS challenge, which is why we use it below. For this demo we are covering the domain and its subdomains.)
Type the command below to generate a certificate for your domain. Replace the domain name with your own.
> sudo certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory \
-d mysite.in -d *.mysite.in
Let's understand what each option in the above command does.
- certonly: only obtain the certificate; do not install it into a web server on this machine.
- preferred-challenges: the challenge type used to prove that we control the domain. Possible values are dns (DNS-01, a TXT record in the zone) or http (HTTP-01, a file served from the site on port 80). A wildcard name requires dns.
- server: the ACME directory URL of the CA to use; here it is the Let's Encrypt production endpoint. (Let's Encrypt also offers a staging endpoint, https://acme-staging-v02.api.letsencrypt.org/directory, which issues certificates that browsers do not trust but does not count against the production rate limits; use it while experimenting.)
- -d: the domain name(s) to include in the certificate; repeat the option for each name.
Note: These are the bare-minimum options to get going. Certbot provides many other options to play with; if you are interested, head over to https://eff-certbot.readthedocs.io/en/latest/using.html
When you run the above command (the first time, you will also be asked for a contact e-mail address and to accept the terms of service), you will be prompted to agree that the IP address of this machine is publicly logged as having requested the certificate. This is mandatory in manual mode, so go ahead and allow it. You will then see instructions for the DNS record to create.
At this point, log in to your DNS provider and create a new TXT record as instructed.
Where to add a TXT record varies from provider to provider; it is usually under Domains -> Manage Domains -> DNS records. Check your own provider's settings.
Now, let's add the entry as suggested.
Enter the record name exactly as shown on the terminal, _acme-challenge.mysite.in, and the value as shown on the screen, then save the new entry. (Many providers expect only the host part, _acme-challenge, in the name field and append your domain automatically; check the resulting record.)
Note:
- Because we requested both mysite.in and *.mysite.in, certbot will ask for two TXT records, both at the same name _acme-challenge.mysite.in but with different values. Add the second one as an additional record; do not replace the first, because both values must be present at the same time.
- Confirm that the records are actually visible before continuing, because this is what the CA will query to verify you. DNS changes can take some time to propagate, so query the name from a terminal or an online DNS lookup tool and make sure every value certbot showed you is returned.
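As an added example (not part of the original tutorial), the check below polls public DNS for the TXT values certbot asked you to create and only returns success once every one of them is served, so you can run it before pressing Enter in certbot. It assumes `dig` (from dnsutils / bind-utils) is installed; the resolver 1.1.1.1 is an arbitrary choice, and mysite.in and the record values in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT records are visible in
# public DNS before telling certbot to continue. Not from the original post.
set -u

# Resolver to query. Using a public resolver instead of the default one
# avoids a stale answer from your ISP's cache. Override with RESOLVER=@8.8.8.8 etc.
RESOLVER="${RESOLVER:-@1.1.1.1}"

# lookup_txt NAME -> prints every TXT value at NAME, one per line, quotes stripped.
# Kept as its own function so the lookup can be swapped out (e.g. in a test).
lookup_txt() {
  dig +short "$RESOLVER" TXT "$1" | tr -d '"'
}

# acme_txt_ready NAME VALUE... -> returns 0 if every VALUE is currently served
# as a TXT record at NAME, 1 otherwise (the missing values go to stderr).
# Exact, whole-line matching (-x -F) so a prefix or substring never counts.
acme_txt_ready() {
  name="$1"; shift
  seen=$(lookup_txt "$name")
  missing=0
  for v in "$@"; do
    if ! printf '%s\n' "$seen" | grep -qxF -- "$v"; then
      echo "missing TXT at $name: $v" >&2
      missing=1
    fi
  done
  return "$missing"
}

# wait_for_acme_txt NAME VALUE... -> poll until all values are present, giving up
# after ATTEMPTS tries (default 20) spaced SLEEP_SECS seconds apart (default 15).
wait_for_acme_txt() {
  i=1
  while [ "$i" -le "${ATTEMPTS:-20}" ]; do
    if acme_txt_ready "$@" 2>/dev/null; then
      echo "all TXT records visible after $i attempt(s)"
      return 0
    fi
    sleep "${SLEEP_SECS:-15}"
    i=$((i + 1))
  done
  echo "gave up after $((i - 1)) attempt(s): records still not visible" >&2
  return 1
}

# Usage for the domain + wildcard request above (two values at the same name;
# the values are whatever certbot printed, shown here as placeholders):
#   wait_for_acme_txt _acme-challenge.mysite.in \
#       'VALUE_SHOWN_BY_CERTBOT_1' 'VALUE_SHOWN_BY_CERTBOT_2'
```

Once the function reports that all records are visible, go back to certbot and press Enter. If it gives up, the record was saved with the wrong name (a common mistake is ending up with _acme-challenge.mysite.in.mysite.in) or the second value replaced the first instead of being added next to it.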
If you completed the above steps successfully, head back to the terminal and press Enter as asked. If everything works, the certificate and its private key will be generated and placed under the folder below:
/etc/letsencrypt/live/<domain_name>
This folder contains cert.pem (your certificate), chain.pem (the Let's Encrypt intermediate certificate), fullchain.pem (cert.pem followed by chain.pem) and privkey.pem (the private key; keep it secret).
Install the certificate
Now we simply need to install the certificate on our site. Log in to your hosting provider and head over to the SSL/TLS section. If you are using a hosting provider like GoDaddy, you will have access to cPanel or a similar tool; again, look for the equivalent option with your provider.
Click SSL/TLS and then Manage SSL Sites. You will see a list of existing sites with their SSL status, along with the option to configure SSL for an existing domain.
In the drop-down, choose the domain where you want to install the certificate. The form for pasting the certificate, private key and CA bundle will appear.
Now go back to the location on your terminal where the certificate is kept:
/etc/letsencrypt/live/<domain_name>
- Copy the contents of cert.pem into the Certificate text box (CRT).
- Copy the contents of privkey.pem into the Private Key text box (KEY). This file is the secret that protects your site: paste it only into the cPanel form over HTTPS and do not leave copies in e-mail, chat or shared folders.
- Finally, copy the contents of chain.pem into the CA bundle text box (CABUNDLE). This field expects the intermediate certificate(s); fullchain.pem is your site certificate followed by the chain, so it is not the right file for this field.
- Click the Install Certificate button.
If you have followed all the steps correctly without any error, your website should now be served with the newly generated certificate.
Head over to your website, open the padlock in the browser and check the certificate details (issuer Let's Encrypt, the names you requested, the expiry date) to confirm!
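The browser padlock only tells you that this one client is happy. As an added check (not part of the original tutorial), the script below fetches the certificate the server actually presents for your name, prints the subject, issuer and subject alternative names, reports whether the chain verifies against the local trust store (a wrong or missing CA bundle shows up here as a non-zero verify code), and computes the days left until expiry. It assumes `openssl` is installed and that `date -d` is GNU date (Linux); mysite.in is a placeholder.

```shell
#!/bin/sh
# Added example: verify what the live site serves after the cPanel install.
# Not from the original post; assumes openssl and GNU date.
set -u

# fetch_leaf_cert HOST [PORT] -> prints the PEM leaf certificate the server sends
# for HOST. SNI (-servername) matters on shared hosting, where one IP address
# serves many sites and the wrong name gets you the default certificate.
fetch_leaf_cert() {
  host="$1"; port="${2:-443}"
  openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
    | openssl x509
}

# days_left NOTAFTER_LINE [NOW_EPOCH] -> whole days until the certificate expires.
# NOTAFTER_LINE is the "notAfter=..." line from `openssl x509 -noout -enddate`.
# NOW_EPOCH defaults to the current time; it is a parameter so the function
# can be checked against a fixed reference time.
days_left() {
  end=$(printf '%s\n' "$1" | sed 's/^notAfter=//')
  now="${2:-$(date -u +%s)}"
  end_epoch=$(date -u -d "$end" +%s)   # GNU date; macOS needs: date -j -f '%b %e %T %Y %Z' "$end" +%s
  echo $(( (end_epoch - now) / 86400 ))
}

# check_site HOST -> prints subject, issuer, SANs, chain verification result and
# days to expiry; returns non-zero if the chain does not verify or fewer than
# 30 days remain (the point at which certbot would consider it due for renewal).
check_site() {
  host="$1"
  pem=$(fetch_leaf_cert "$host") || { echo "could not fetch a certificate for $host" >&2; return 1; }
  printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -ext subjectAltName
  verify=$(openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
             | sed -n 's/^ *Verify return code: //p')
  echo "chain verify: $verify"
  left=$(days_left "$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)")
  echo "days until expiry: $left"
  [ "$verify" = "0 (ok)" ] && [ "$left" -ge 30 ]
}

# Usage:
#   check_site mysite.in
#   check_site www.mysite.in   # a subdomain, covered by the wildcard name
```

Run it against the bare domain and at least one subdomain: the wildcard entry covers www.mysite.in but not mysite.in itself, which is exactly why the certonly command listed both names.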
Note: The Let's Encrypt certificate we generated here is valid for only 90 days and will need to be renewed. The command below renews any certificate that is due (by default, one that expires within the next 30 days):
> sudo certbot renew
If no certificate is due, certbot reports that the certificates are not due for renewal yet and that no renewals were attempted.
This command is what you would normally run periodically from a cron job. Be aware of two limits in our setup, though. First, because we used --manual with a DNS challenge and no --manual-auth-hook, certbot has no way to create the new TXT records on its own, so an unattended renew will fail; you will have to re-run the certonly command interactively, or provide an auth hook or a DNS plugin that updates your provider's records through its API. Second, renewal only refreshes the files under /etc/letsencrypt; the new certificate still has to be installed into cPanel again, exactly as in the previous section. Put a reminder in your calendar well before the 90 days run out.
In the next article we will use a third party tool that will allow us to generate the certificates right from our browser.
Until then Keep Learning! Cheers!
#SSL #LetsEncrypt #certificates