If you followed the previous articles on configuring a Let's Encrypt SSL certificate by hand, you will have noticed that it is a tedious task.
Many people get confused or make mistakes while doing it on their own, and once they discover the mistake they have to start again from scratch.
That costs time and tests your patience if you are not comfortable with Nginx or Apache configuration.
In this article we show the easier route.
Let's Encrypt issues certificates through an API (the ACME protocol), and you do not have to speak it yourself.
Its official client, Certbot, does the whole job: proving control of the domain, fetching the certificate and, if you ask it to, configuring Nginx or Apache.
Let's see the requirements and how to install and use Certbot on the server.
For this process you need an Ubuntu 16.04 server that has been through the initial server setup tutorial (a non-root sudo user and the ufw firewall).
The domain name must point directly at the server. If you are using a CDN, turn it off for the duration: Let's Encrypt has to reach your server itself to validate the domain.
Ports 80 and 443 must be free. This article uses Certbot's standalone mode, which starts its own temporary web server on port 80 (or 443) to answer the validation challenge. If a web server is already listening on that port, stop it for the duration, or use Certbot's webroot plugin instead, which serves the challenge file through your existing web server.
First, the Certbot installation on Ubuntu.
Install Certbot on Ubuntu
Ubuntu's default repository does include the Let's Encrypt client Certbot, but the packaged version is outdated.
Install the latest version from Certbot's Ubuntu PPA (Personal Package Archive) instead. (The Certbot project has since retired this PPA in favour of its snap package; on a current system, follow the official installation instructions.)
To add the repository, use the command below.
$ sudo add-apt-repository ppa:certbot/certbot
Then update the package index:
$ sudo apt-get update
Finally, install the Certbot package:
$ sudo apt-get install certbot
Certbot is now installed. The next step is to obtain a certificate.
To issue one, Let's Encrypt requires Certbot to solve a challenge that proves we control the domain.
In standalone mode Certbot answers that challenge on port 80 (HTTP) or port 443 (HTTPS), so open the port you are going to use in the firewall:
$ sudo ufw allow 80
If you intend to validate over HTTPS instead, open port 443 the same way (sudo ufw allow 443).
Once you execute the command, you will get the following output.
Output
Rule added
Rule added (v6)
Now run Certbot to obtain the certificate:
$ sudo certbot certonly --standalone --preferred-challenges http -d example.com
Let me explain the command.
certonly asks Certbot only to fetch the certificate, not to configure any web server.
--standalone tells Certbot to run its own temporary web server to answer the Let's Encrypt challenge.
--preferred-challenges selects the challenge type. With port 80, use --preferred-challenges http (the http-01 challenge).
The original option for port 443, --preferred-challenges tls-sni (the tls-sni-01 challenge), has since been retired by Let's Encrypt after a validation weakness was found in it, so on a current Certbot use http on port 80, or the dns-01 challenge if port 80 cannot be opened.
-d names the domain for which you are obtaining the SSL certificate.
After you run the command, you will be asked for your email address (used for expiry and security notices) and to agree to the terms of service.
Once those steps are done, the output will state that the process was successful
and show where the certificate has been stored.
Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire
   on 2017-10-23. To obtain a new or tweaked version of this certificate in
   the future, simply run certbot again with the "certonly" option. To
   non-interactively renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this
   folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this
   folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Now that you have the certificate, let us see how to use the files with other software.
Configuring the application
We cannot cover how to configure every application for SSL here, since each one uses different options.
Instead, let us see which files were created during the process.
Use the command below to list the directory where the keys and certificates are stored.
$ sudo ls /etc/letsencrypt/live/example.com
You will get the following output.
Output
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
The Certbot documentation describes each of these files in detail; the two you will use most are the following.
privkey.pem is the private key for your certificate. This is the one thing you must keep secret.
If you look at the permissions of /etc/letsencrypt, you will notice that the directory is restricted so that only root can read it; keep it that way, and do not copy the key anywhere world-readable.
Software refers to this file with an option such as ssl-certificate-key or ssl-certificate-key-file.
fullchain.pem is the certificate itself, bundled with the intermediate certificates that clients need to build the chain. In most software it is referenced with an option such as ssl-certificate; this is the file you want, not cert.pem, which holds the certificate alone.
The remaining files (cert.pem, the certificate alone, and chain.pem, the intermediates alone) are explained in the Certbot documentation.
Not all software reads certificates from Certbot's default location,
and some needs them in another format, as in the earlier article where we converted the Let's Encrypt files into the format GoCD expects.
Where possible we prefer to leave the files inside the Let's Encrypt directory and point the software at them.
Some software insists on another location or format.
In that situation you have to write a script that converts or relocates the certificate,
and make sure it runs every time the certificate is renewed, otherwise the copy silently goes stale while the original is refreshed.
Certbot Automatic Renewals
A Let's Encrypt SSL certificate is valid for 90 days, after which it must be renewed.
Certbot takes that burden off you: the Ubuntu package installs a cron job in /etc/cron.d (and, on systemd systems, a certbot.timer unit) that automates the renewal.
It runs certbot renew twice a day, and any certificate with 30 days or less left until expiry is renewed automatically.
Renewal alone does not finish the job, though: the new certificate is only used once the software holding the old one is told to load it.
So after every renewal, any service that uses the certificate has to be reloaded, and any copy kept in another location or format has to be refreshed.
This is what Certbot's renew_hook option is for.
Open the renewal configuration file that Certbot created for the domain.
$ sudo nano /etc/letsencrypt/renewal/example.com.conf
Add a renew_hook line at the end of the configuration file.
/etc/letsencrypt/renewal/example.com.conf
renew_hook = systemctl reload rabbitmq
The command can be any command; systemctl reload is the usual choice for a service on the server. The service name here is only an example: use the unit that actually serves your certificate (for instance systemctl reload nginx), and check that the unit supports reload, otherwise use restart.
Then save and close the configuration file.
Test the renewal process without actually renewing anything:
$ sudo certbot renew --dry-run
You should see no errors. If there are none, you can move on: at the next real renewal Certbot will run the renew_hook command after the new certificate is in place. Note that a dry run does not execute your renew_hook by default, so also run the hook command by hand once to confirm it works.
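Below is the kind of renew_hook script the previous two sections call for: one that relocates the renewed files for software that cannot read /etc/letsencrypt, builds the combined certificate-plus-key PEM that HAProxy-style software expects, and reloads the service. It is an added example, not code from the original article or from the Certbot project. Certbot really does export RENEWED_LINEAGE (the live/ directory of the renewed certificate) and RENEWED_DOMAINS to renew hooks; everything else is an assumption for illustration: the install path /usr/local/bin/deploy-cert.sh, the environment variables CERT_DEST, CERT_SERVICE and CERT_GROUP, and their defaults /etc/ssl/app and rabbitmq-server. You would install it with renew_hook = /usr/local/bin/deploy-cert.sh in the renewal configuration file.

```shell
#!/bin/sh
# deploy-cert.sh: Certbot renew_hook (added example, not from the article).
# Copies the renewed lineage to a directory the application can read,
# writes a combined PEM (fullchain + private key) for software that wants
# one file, then reloads the service.
# Assumptions: CERT_DEST, CERT_SERVICE, CERT_GROUP and their defaults are
# hypothetical names chosen for this example; RENEWED_LINEAGE is Certbot's.
set -eu

DEST_DIR="${CERT_DEST:-/etc/ssl/app}"        # assumed: where the app reads certs
SERVICE="${CERT_SERVICE:-rabbitmq-server}"   # assumed: unit to reload afterwards
# CERT_GROUP (optional): group that may read the key, e.g. the app's group

# deploy_lineage LINEAGE DEST
# LINEAGE is a Certbot live/ directory (e.g. /etc/letsencrypt/live/example.com).
# Writes fullchain.pem (0644), privkey.pem (0640) and combined.pem (0640) into
# DEST. Each file is written under a temporary name and renamed into place, so
# the application never sees a half-written file, and the temporary files are
# created with umask 077 so the key is never world-readable, even briefly.
deploy_lineage() {
    lineage="$1"; dest="$2"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    umask 077
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$lineage/privkey.pem"   "$dest/privkey.pem.tmp"
    # HAProxy-style bundle: certificate chain followed by the private key.
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$dest/combined.pem.tmp"
    chmod 644 "$dest/fullchain.pem.tmp"
    chmod 640 "$dest/privkey.pem.tmp" "$dest/combined.pem.tmp"
    [ -z "${CERT_GROUP:-}" ] || chgrp "$CERT_GROUP" "$dest/privkey.pem.tmp" "$dest/combined.pem.tmp"
    for f in fullchain.pem privkey.pem combined.pem; do
        mv -f "$dest/$f.tmp" "$dest/$f"   # rename within one directory is atomic
    done
}

# verify_pair CERT KEY: succeeds only if the private key belongs to the
# certificate (compares the SHA-256 of both public keys). Catches a lineage
# whose privkey.pem and fullchain.pem somehow got out of step.
verify_pair() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Certbot sets RENEWED_LINEAGE when it runs the hook; outside that context
# (for example when the file is sourced to reuse the functions) do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    echo "deploying renewed certificate for ${RENEWED_DOMAINS:-?} from $RENEWED_LINEAGE"
    verify_pair "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem"
    deploy_lineage "$RENEWED_LINEAGE" "$DEST_DIR"
    systemctl reload "$SERVICE"
fi
```

Certbot runs the hook only on the renewals that actually succeed, and only once per renewed lineage, so the script does not need its own "did anything change" check. If the service in question cannot reload, replace systemctl reload with systemctl restart, and keep the 0640 mode plus a dedicated group rather than loosening the key to 0644.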
In this Let's Encrypt tutorial, you have seen the following:
- Installing Certbot and using it in standalone mode
- Obtaining a Let's Encrypt SSL certificate
- Enabling automatic renewal, with renew_hook to reload the software that uses the certificate
If you want more information, check the Certbot manual.