Obtaining a free SSL certificate from Let’s Encrypt
Let’s Encrypt is a service offering free SSL certificates.
The procedure for obtaining, installing and configuring a certificate for automatic renewal is fully automated through the Certbot software client.
To obtain a free certificate from Let’s Encrypt, do the following:
- install Certbot client;
- configure Nginx;
- set up access to HTTPS through the firewall;
- obtain an SSL certificate;
- check Certbot automatic renewals.
Installation of Certbot client
To install the Certbot client, use the following command:
$ sudo apt install certbot python3-certbot-nginx
After the installation is complete, Certbot is ready to use.
Then you need to configure the Nginx web server.
Nginx configuration
To allow Certbot to configure SSL automatically, you need to set up the server block in the Nginx configuration. For this, you need to specify the server_name directive that corresponds to the domain for which the certificate is requested.
Open your domain configuration file in a text editor (for example, nano):
$ sudo nano /etc/nginx/sites-available/example.com
In the server_name line, specify the registered domain name, for example:
server_name example.com www.example.com;
Save changes then close the editor and check the syntax of your changes:
$ sudo nginx -t
If an error message is displayed, open the server block file and check it for errors.
To finish the procedure, restart Nginx to load the new configuration:
$ sudo systemctl reload nginx
After that, Certbot can find the server block and update it automatically.
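The page names the server_name directive but never shows a complete server block. The following is an added example (not part of the original page or of the Certbot project) that writes a minimal HTTP-only server block of the shape the Certbot Nginx plugin matches on, then checks which names it declares. The temporary directory stands in for /etc/nginx/sites-available, and the web root path and DOMAIN variable are assumptions; nginx -t is only run if nginx is installed, because it validates the live configuration and needs root.

```shell
#!/bin/sh
# Added example: create a server block Certbot can find, then verify its server_name.
set -eu

DOMAIN="${DOMAIN:-example.com}"
# Constructed location: a temp dir stands in for /etc/nginx/sites-available
CONF_DIR="${CONF_DIR:-$(mktemp -d)}"
CONF="$CONF_DIR/$DOMAIN"

# write_server_block FILE DOMAIN WEBROOT
# Plain port-80 block; Certbot's nginx plugin adds the listen 443 / ssl lines itself.
write_server_block() {
  cat > "$1" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $2 www.$2;
    root $3;
    index index.html;
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# server_names FILE: print every name listed on server_name lines, one per line
server_names() {
  sed -n 's/^[[:space:]]*server_name[[:space:]][[:space:]]*\(.*\);.*$/\1/p' "$1" | tr ' ' '\n'
}

# has_server_name FILE DOMAIN: exit 0 if DOMAIN appears exactly on a server_name line
has_server_name() {
  server_names "$1" | grep -qx "$2"
}

# check_syntax: run "nginx -t" when nginx is present (it needs root for the real config)
check_syntax() {
  if command -v nginx >/dev/null 2>&1; then
    nginx -t
  else
    echo "nginx not installed here; skipping syntax check"
  fi
}

write_server_block "$CONF" "$DOMAIN" "/var/www/$DOMAIN/html"
has_server_name "$CONF" "$DOMAIN" && echo "server_name $DOMAIN found in $CONF"
```

The name check is the same thing Certbot does when it looks for a block to edit: the -d value must appear on a server_name line, otherwise the plugin cannot locate where to install the certificate.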
Setting up HTTPS Access Through Firewall
To allow HTTPS traffic on the web server, you need to configure your firewall.
Example of a command that displays current settings of the ufw firewall:
$ sudo ufw status
If only HTTP traffic is allowed on the web server, the result will look like this:
Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx HTTP ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx HTTP (v6) ALLOW Anywhere (v6)
After that, you need to enable the Nginx Full profile and delete the Nginx HTTP profile.
Example for the ufw firewall:
$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'
The result should look like this:
Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
Obtaining an SSL certificate
Start Certbot with the --nginx parameter. Use the -d option to specify the domain name for which you want to use the certificate, for example:
$ sudo certbot --nginx -d example.com
If Certbot is running for the first time, you will be prompted to provide an email address and accept the terms of service. After that, Certbot will contact the Let’s Encrypt server and verify the ownership of the domain for which the certificate is requested.
After that, Certbot will request the necessary HTTPS configuration parameters:
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
After you select the necessary option, the configuration will be updated. Nginx will restart for the new settings to take effect.
Once the process is complete, Certbot will display a notification message telling you where your certificate is stored:
Output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-08-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
After this process is complete, your certificate is downloaded, installed and activated.
Setting up Certbot automatic renewals
Certificates from Let’s Encrypt are valid for 90 days. The Certbot client adds a systemd timer that runs twice a day and automatically renews any certificate that expires within the next 30 days.
To check the status of the timer, run the following command:
$ sudo systemctl status certbot.timer
Output
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Mon 2020-05-04 20:04:36 UTC; 2 weeks 1 days ago
Trigger: Thu 2020-05-21 05:22:32 UTC; 9h left
Triggers:
● certbot.service
To test the renewal process without issuing a real certificate, run the following command:
$ sudo certbot renew --dry-run
Certbot will automatically renew certificates and reload Nginx for the changes to take effect. If the automatic renewal fails, you will receive a warning message saying that the certificate is about to expire. The message will be sent to the email address that you provided.
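As an added check that complements the dry run above (this is example code, not part of the original page or of Certbot), the script below uses openssl's -checkend test to decide whether a certificate file is already inside the 30-day window in which "certbot renew" would replace it. It generates a constructed self-signed certificate in a temporary directory as a stand-in for /etc/letsencrypt/live/example.com/fullchain.pem; the CERT_DIR location and the CN are assumptions. Running the same report against the real fullchain.pem is a quick way to confirm the timer is doing its job before the expiry warning email ever arrives.

```shell
#!/bin/sh
# Added example: is this certificate inside Certbot's 30-day renewal window?
set -eu

# Constructed location: temp dir stands in for /etc/letsencrypt/live/example.com
CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
CERT="$CERT_DIR/fullchain.pem"
KEY="$CERT_DIR/privkey.pem"

# make_test_cert DAYS: constructed self-signed certificate valid for DAYS days
# (test-only stand-in for the Let's Encrypt-issued fullchain.pem)
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$1" \
    -subj "/CN=example.com" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# cert_not_after CERT_FILE: print the expiry date as openssl reports it
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# needs_renewal CERT_FILE [WINDOW_DAYS]: exit 0 if the certificate expires within
# WINDOW_DAYS (default 30, the threshold certbot renew uses), exit 1 otherwise
needs_renewal() {
  window_secs=$(( ${2:-30} * 86400 ))
  # -checkend exits 0 if the cert is still valid after window_secs, 1 if it expires sooner
  if openssl x509 -in "$1" -noout -checkend "$window_secs" >/dev/null; then
    return 1
  fi
  return 0
}

# report CERT_FILE: one-line summary suitable for a cron job or monitoring check
report() {
  if needs_renewal "$1"; then
    echo "RENEW: $1 expires $(cert_not_after "$1") (within 30 days)"
  else
    echo "OK:    $1 expires $(cert_not_after "$1")"
  fi
}

make_test_cert 90 && report "$CERT"   # freshly issued: outside the window
make_test_cert 20 && report "$CERT"   # 20 days left: certbot renew would act on it
```

If the real certificate reports RENEW for more than a day or two, the timer is not renewing it: check "systemctl status certbot.timer" and the output of "certbot renew --dry-run" for the reason.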