How to Secure Your Website with Free SSL Certificates for a Lifetime
Published on
Author: Ihar Finchuk (@ifdotcodes)
Introduction
Let’s Encrypt certificates have revolutionized internet security by providing free, automated, and widely trusted SSL/TLS certificates. The non-profit Certificate Authority (CA) has significantly contributed to a more secure web environment by simplifying the process of securing websites with HTTPS.
Let’s Encrypt certificates are valid for 90 days. The short lifetime is deliberate: it limits the damage from a compromised private key or a mis-issued certificate, because the certificate expires on its own instead of depending on revocation checks that clients often skip, and it forces operators to automate renewal rather than renewing by hand once a year.
Certificates are issued through an automated protocol (ACME), so you normally never request one by hand. The most popular ACME client is Certbot, which obtains certificates from Let’s Encrypt, installs them into common web servers, and renews them on a schedule. It runs on most operating systems, and its Apache and Nginx plugins can edit the server configuration for you, which is why it is the default choice for most individuals and organizations deploying Let’s Encrypt certificates.
Apache
Install Certbot: First, ensure Certbot is installed on your system. The exact command depends on your operating system. On Ubuntu, for example:
sudo apt-get update
sudo apt-get install certbot python3-certbot-apache
Adjust the commands according to your system's package manager. python3-certbot-apache is the Apache plugin; if you install Certbot as a snap, the Apache and Nginx plugins come bundled with it.
Allow Traffic Through the Firewall: Domain validation is done over plain HTTP, so port 80 must be reachable from the internet (not only from your own network) when Certbot runs, and again at every renewal. Port 443 is what your visitors will use once HTTPS is enabled. Certbot itself needs no extra inbound ports.
Run Certbot: Use the following command to obtain and install the certificate. Replace example.com with your domain:
sudo certbot --apache -d example.com -d www.example.com
The --apache flag selects the Apache plugin, which both answers the domain-validation challenge and edits your Apache configuration; -d names a domain to include in the certificate. Add more -d flags for additional domain names or subdomains. Every name you list must resolve to this server, because Let’s Encrypt validates each one separately and the whole request fails if any name cannot be validated.
Interactive Prompt: Certbot will ask for an email address (used for expiry warnings and security notices about your account) and for agreement to the Let’s Encrypt terms of service.
Select the Configuration: Certbot will then display a list of virtual hosts that it detected in your Apache configuration. It will ask you to choose which hosts you want to secure with SSL/TLS. Select the appropriate numbers corresponding to the virtual hosts you want to secure and press Enter.
Verification and Installation: Certbot then proves to the Let’s Encrypt servers that you control each domain (by default with the HTTP-01 challenge: it serves a token under /.well-known/acme-challenge/ on port 80 through Apache). If that succeeds, it writes the certificate and key under /etc/letsencrypt/live/example.com/, edits your Apache configuration to use them, and enables HTTPS. Depending on the Certbot version it either redirects HTTP to HTTPS by default or asks whether to; you want the redirect either way, and the --redirect flag forces it.
Test and Verify: Open your site over HTTPS (e.g., https://example.com) and confirm that the browser shows a valid certificate issued by Let’s Encrypt, with no warnings and with every name you listed covered. If you enabled the redirect, also confirm that http://example.com now sends you to the HTTPS version.
Automate Certificate Renewal: Certbot installs a scheduled renewal job (a systemd timer or a cron entry, depending on how it was packaged) that renews any certificate with fewer than 30 days of validity left. To test the renewal process against the Let’s Encrypt staging environment, without issuing a real certificate, run:
sudo certbot renew --dry-run
Adjust these instructions to your specific server setup, operating system, and configuration.
Nginx
Install Certbot: Make sure Certbot is installed on your system. The process differs by operating system. On Ubuntu, for example:
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx
Adjust the commands according to your system's package manager. python3-certbot-nginx is the Nginx plugin; the Certbot snap bundles it already.
Allow Traffic Through the Firewall: Domain validation is done over plain HTTP, so port 80 must be reachable from the internet when Certbot runs and at every renewal. Port 443 is what your visitors will use once HTTPS is enabled.
Run Certbot: Use the following command to obtain and install the certificate. Replace example.com with your domain:
sudo certbot --nginx -d example.com -d www.example.com
The --nginx flag selects the Nginx plugin, which answers the domain-validation challenge and edits your Nginx configuration; -d names a domain to include in the certificate. Add more -d flags for additional domain names or subdomains. Every name listed must resolve to this server, because each one is validated separately.
Interactive Prompt: Certbot will ask for an email address (used for expiry warnings and account notices) and for agreement to the Let’s Encrypt terms of service.
Select the Configuration: Certbot will detect the Nginx server blocks for your domains and present them to you. You'll be prompted to choose which domains you want to secure with SSL/TLS. Select the appropriate numbers corresponding to the server blocks you wish to secure and press Enter.
Verification and Installation: Certbot proves to the Let’s Encrypt servers that you control each domain (by default with the HTTP-01 challenge, served under /.well-known/acme-challenge/ on port 80 through Nginx). If that succeeds, it writes the certificate and key under /etc/letsencrypt/live/example.com/, edits the matching server block to use them, and enables HTTPS. Make sure HTTP is redirected to HTTPS as well; --redirect forces that behaviour if your Certbot version does not apply it by default.
Test and Verify: Open your site over HTTPS (e.g., https://example.com) and confirm that the browser shows a valid certificate issued by Let’s Encrypt with no warnings. If you enabled the redirect, also confirm that http://example.com now sends you to the HTTPS version.
Automate Certificate Renewal: Certbot installs a scheduled renewal job (a systemd timer or a cron entry, depending on how it was packaged) that renews any certificate with fewer than 30 days of validity left. To test the renewal process against the staging environment, without issuing a real certificate, run:
sudo certbot renew --dry-run
Adjust these instructions to your specific server setup, operating system, and configuration.
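The Apache and Nginx procedures above collapsed into one non-interactive script, with verification steps that actually check the result rather than just opening a browser. This is an added example, not code from the original post or from the Certbot project; example.com, www.example.com, admin@example.com and the --live switch are assumptions. The certificate checks run against local PEM files and work for any certificate, not only Let’s Encrypt’s:

```sh
# Added example, not part of the original post. Assumed names: example.com,
# www.example.com, admin@example.com. Needs GNU date and OpenSSL 1.1.1+.

# issue_cert PLUGIN EMAIL DOMAIN...   (PLUGIN is apache or nginx)
# --non-interactive, --agree-tos and -m replace the prompts; --redirect makes
# the plugin add the HTTP->HTTPS redirect while it edits the server config.
issue_cert() {
  plugin=$1; email=$2; shift 2
  domains=""
  for d in "$@"; do domains="$domains -d $d"; done
  # $domains is intentionally unquoted: it expands to "-d a -d b ..."
  sudo certbot --"$plugin" --non-interactive --agree-tos --no-eff-email \
    -m "$email" --redirect $domains
}

# cert_days_left CERT: whole days until the certificate in CERT expires.
cert_days_left() {
  end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# cert_valid_for_days DAYS CERT: exit 0 if CERT is still valid DAYS from now.
# Certbot renews at 30 days left, so less than that means renewal is broken.
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$2" >/dev/null
}

# cert_names CERT: the DNS names the certificate actually covers, one per line.
cert_names() {
  openssl x509 -noout -ext subjectAltName -in "$1" | tr ',' '\n' | sed -n 's/.*DNS://p'
}

# live_cert_summary HOST: what a TLS client sees from the running server.
live_cert_summary() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Everything that touches Let's Encrypt or the server sits behind --live, so
# the file can also be sourced just for the check functions.
if [ "${1:-}" = "--live" ]; then
  plugin=${2:-nginx}
  issue_cert "$plugin" admin@example.com example.com www.example.com
  cert=/etc/letsencrypt/live/example.com/fullchain.pem
  echo "covers: $(cert_names "$cert" | tr '\n' ' ')"
  echo "days left: $(cert_days_left "$cert")"
  cert_valid_for_days 30 "$cert" || echo "WARNING: under 30 days left, renewal is not running" >&2
  live_cert_summary example.com
fi
```

Run it on the server as sh issue.sh --live apache (or --live nginx). Without --live it only defines the functions, so the same file can be sourced from a cron job that alerts when cert_days_left drops below 30, which is the earliest sign that the renewal timer has stopped working.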
Webroot mode
If neither the Apache nor the Nginx plugin fits your infrastructure (a custom web application, a reverse proxy in front of several backends, or simply a server you do not want Certbot to reconfigure), Certbot can run in webroot mode. It only writes challenge files into a directory that your existing server already serves, and leaves the server configuration to you:
Install Certbot: Ensure Certbot is installed on your system. For example, on Ubuntu:
sudo apt-get update
sudo apt-get install certbot
Run Certbot in Webroot Mode: Use the following command (certonly obtains the certificate without installing it into any server configuration):
sudo certbot certonly --webroot -w /path/to/your/webroot/directory -d yourdomain.com -d www.yourdomain.com
--webroot: selects the webroot plugin for authentication.
-w /path/to/your/webroot/directory: the directory your web server serves for these domains; Certbot writes the validation files beneath it.
-d yourdomain.com -d www.yourdomain.com: the domain names to include in the certificate. Add more -d flags for additional domains or subdomains. If different domains are served from different directories, give each its own -w before the -d flags it applies to.
Respond to Prompts: Certbot will prompt you for an email address and terms of service agreement.
Challenge Files in the Webroot Directory: For each domain, Certbot writes a token file into .well-known/acme-challenge/ beneath the webroot you supplied, and the Let’s Encrypt servers fetch it over plain HTTP on port 80 (http://yourdomain.com/.well-known/acme-challenge/<token>). Certbot creates and removes these files itself; your job is to make sure the web server actually serves that path from the directory you gave to -w, without redirecting it to HTTPS, requiring authentication, or routing it into your application.
Validation and Certificate Generation: Certbot uses these files to validate your control over the domain. If successful, it generates the certificate for the specified domains.
Certificate Locations: Certbot places the files under /etc/letsencrypt/live/yourdomain.com/ (named after the first -d domain): fullchain.pem holds the certificate plus the intermediate chain and privkey.pem the private key. The entries there are symlinks into /etc/letsencrypt/archive/ that Certbot updates on every renewal, so point your server configuration at the live/ paths rather than copying the files elsewhere.
Remember to replace /path/to/your/webroot/directory with the actual path to your web server's root directory where the validation files will be stored.
Because certonly does not touch the server configuration, you must reference those files from your Apache or Nginx configuration yourself, and the server must be reloaded after each renewal to pick up the new certificate; the usual way is a --deploy-hook such as --deploy-hook "systemctl reload nginx", which Certbot stores in the renewal configuration and runs after every successful renewal.
The webroot method is particularly useful when you cannot, or prefer not to, let Certbot modify your web server configuration, as it only requires write access to the document root and a server that keeps serving it on port 80.
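A pre-flight check for webroot mode, added here as an example (not from the original post or from the Certbot project): it stages a token exactly where Certbot would stage a real HTTP-01 token, fetches it the way the Let’s Encrypt validators do (plain HTTP, port 80, the exact path), compares the two, and only then runs Certbot with a deploy hook that reloads the server after each renewal. example.com, /var/www/letsencrypt, the admin@ mailbox and the --live switch are assumptions, and the Nginx snippet is one way to serve the path, not the only one:

```sh
# Added example, not part of the original post. Assumed: example.com,
# webroot /var/www/letsencrypt, Nginx as the server. POSIX sh.

# nginx_acme_location WEBROOT: a location block for the port-80 server block
# that serves the challenge path from WEBROOT and never redirects or proxies it.
nginx_acme_location() {
  cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $1;
    default_type "text/plain";
}
EOF
}

# stage_token WEBROOT TOKEN: write a token file where Certbot's webroot
# plugin would write it, and print the path.
stage_token() {
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s' "$2.preflight" > "$dir/$2"
  printf '%s\n' "$dir/$2"
}

# Default fetcher: what the ACME validators see. Replaceable for testing.
http_fetch() { curl -fsS "$1"; }

# preflight DOMAIN WEBROOT [FETCHER]: stage a token, fetch it over HTTP,
# remove it, and succeed only if the bytes served match the bytes on disk.
preflight() {
  domain=$1; webroot=$2; fetch=${3:-http_fetch}
  token="preflight-$$-$(date +%s)"
  path=$(stage_token "$webroot" "$token")
  expected=$(cat "$path")
  got=$("$fetch" "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null) || got=""
  rm -f "$path"
  if [ "$got" = "$expected" ]; then
    echo "ok: $domain serves $webroot/.well-known/acme-challenge/ on port 80"
  else
    echo "FAIL: $domain returned '$got', expected '$expected'; fix the server config before running certbot" >&2
    return 1
  fi
}

# issue_and_schedule DOMAIN WEBROOT: certonly in webroot mode with a deploy
# hook (persisted in the renewal config), then a renewal dry run.
issue_and_schedule() {
  sudo certbot certonly --webroot -w "$2" -d "$1" -d "www.$1" \
    --non-interactive --agree-tos -m "admin@$1" --no-eff-email \
    --deploy-hook "systemctl reload nginx"
  sudo certbot renew --dry-run
}

if [ "${1:-}" = "--live" ]; then
  nginx_acme_location /var/www/letsencrypt
  preflight example.com /var/www/letsencrypt && issue_and_schedule example.com /var/www/letsencrypt
fi
```

Run sh webroot.sh --live on the server after adding the printed location block to the port-80 server block and reloading Nginx. A blanket redirect to HTTPS, an application route that swallows unknown paths, or a proxy that strips /.well-known/ all surface here as a content mismatch, before any failed validations are counted against the Let’s Encrypt rate limits.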
Check that automatic renewal is enabled
After confirming that certbot renew --dry-run works, make sure a renewal timer is actually installed; a certificate that validated fine today silently expires in 90 days if nothing runs certbot renew. Which unit you get depends on how Certbot was packaged: the snap installs snap.certbot.renew.timer, the Debian/Ubuntu package installs certbot.timer (plus a cron entry in /etc/cron.d/certbot that defers to the timer when systemd is running). List the timers with the systemctl list-timers command:
systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Fri 2023-10-27 17:09:00 UTC 17min left Fri 2023-10-27 16:39:02 UTC 12min ago phpsessionclean.timer phpsessionclean.service
Fri 2023-10-27 19:35:21 UTC 2h 43min left Fri 2023-10-27 10:26:51 UTC 6h ago apt-daily.timer apt-daily.service
Fri 2023-10-27 20:14:00 UTC 3h 22min left n/a n/a snap.certbot.renew.timer snap.certbot.renew.service
Fri 2023-10-27 20:14:38 UTC 3h 23min left Fri 2023-10-27 14:00:06 UTC 2h 51min ago ua-timer.timer ua-timer.service
Fri 2023-10-27 21:00:05 UTC 4h 8min left Fri 2023-10-27 12:22:57 UTC 4h 28min ago fwupd-refresh.timer fwupd-refresh.service
Sat 2023-10-28 00:00:00 UTC 7h left Fri 2023-10-27 00:00:06 UTC 16h ago logrotate.timer logrotate.service
After some time you can also confirm from the journal that the timer has been firing:
journalctl -u snap.certbot.renew.timer
The timer unit only records when it started the job; Certbot's own output, including the reason a renewal failed, is in the journal of the matching .service unit and in /var/log/letsencrypt/letsencrypt.log.
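The check above as a script that works whichever way Certbot was packaged: it finds the Certbot timer in the systemctl list-timers output, maps it to the service unit that carries Certbot's output, and pulls the last run's log. This is an added example, not from the original post; the two sample listings are constructed (the first from the output shown above, the second in the shape the Debian/Ubuntu package produces) so the parsing can be exercised offline, and the --live switch is an assumption:

```sh
# Added example, not part of the original post. POSIX sh.

# find_renew_timer: read `systemctl list-timers --all` output on stdin and
# print the Certbot timer unit (the second-to-last column); exit 1 if none.
find_renew_timer() {
  awk '$(NF-1) ~ /certbot.*\.timer$/ { print $(NF-1); found = 1 }
       END { exit !found }'
}

# timer_service TIMER: the service a timer activates (foo.timer -> foo.service).
timer_service() {
  printf '%s\n' "${1%.timer}.service"
}

# renewal_status: on a live host, dry-run the renewal, confirm a timer is
# scheduled, and show the last 40 journal lines of the service it runs.
renewal_status() {
  sudo certbot renew --dry-run || return 1
  timer=$(systemctl list-timers --all | find_renew_timer) || {
    echo "no Certbot timer found; check /etc/cron.d/certbot or install the timer" >&2
    return 1
  }
  echo "renewal timer: $timer"
  journalctl -u "$(timer_service "$timer")" --no-pager -n 40
}

# Constructed sample listings for offline use (not captured from a live host).
SAMPLE_SNAP='NEXT LEFT LAST PASSED UNIT ACTIVATES
Fri 2023-10-27 17:09:00 UTC 17min left Fri 2023-10-27 16:39:02 UTC 12min ago phpsessionclean.timer phpsessionclean.service
Fri 2023-10-27 20:14:00 UTC 3h 22min left n/a n/a snap.certbot.renew.timer snap.certbot.renew.service'
SAMPLE_APT='NEXT LEFT LAST PASSED UNIT ACTIVATES
Sat 2023-10-28 00:00:00 UTC 7h left Fri 2023-10-27 00:00:06 UTC 16h ago logrotate.timer logrotate.service
Sat 2023-10-28 03:17:00 UTC 10h left Fri 2023-10-27 15:17:21 UTC 1h 52min ago certbot.timer certbot.service'

if [ "${1:-}" = "--live" ]; then
  renewal_status
fi
```

A missing timer is the failure mode that matters: the script exits non-zero in that case, so it can be dropped into a monitoring check, and the journal of the .service unit (rather than the .timer) is where a renewal that ran but failed shows its error.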