Let's Encrypt SSL Certificates

Getting SSL certificates with Let’s Encrypt

Linux Ops

Hello y'all, today I'm going to write about how to get free SSL/TLS certificates for your services using Let's Encrypt.

Let's Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that issues X.509 certificates for Transport Layer Security (TLS) at no charge.

In this tutorial I will show you how to get certificates for your Nginx web server using a tool called certbot.

This little tool does all the work: it proves to Let's Encrypt that you control the domain (the Nginx plugin does this over plain HTTP, so port 80 of the server must be reachable from the Internet for every name you request), fetches the certificate and modifies the Nginx configuration for you.

Installing certbot

The certbot website has a short how-to guide explaining how to install the tool, so I'm going to follow the steps from there. 🙂

The first step is to choose the web server and the Linux distribution of the server where you want to install the certificates.

In this example I'm going to use Ubuntu Bionic and Nginx as the web server:

Nginx as webserver

After that, the website shows the instructions for installing certbot on the chosen OS.

Here are the steps for installing it on Ubuntu Bionic:

Certbot on Ubuntu Bionic (18.04)

First of all, connect to your server via SSH (replace the user and host with your own):

ssh user@yourserver.com

In this example the chosen OS was Ubuntu, so I'm going to add the Certbot PPA to the system:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

Note that the certbot project has since retired this PPA and its website now recommends installing certbot as a snap package, so if you are on a newer release check the current instructions there instead of adding the PPA.

Now it's time to install certbot. We chose Nginx as the web server, so we also install the package with the Nginx plugin:

sudo apt-get install certbot python-certbot-nginx

Acquiring the certificates

Now that everything we need is installed, it's time to get our certificates! To do so, run this command:

sudo certbot --nginx

This command will ask you a few questions, for example for which domains you want to get the certificate and whether the tool should auto-configure Nginx to use the certificate files. (The same answers can also be passed as command-line flags such as -d, -m, --agree-tos and --redirect when you want to script the setup.)

Here is a GIF with an example run of the certbot command:

Certbot command output

The command output

  • First you enter your email address. Let's Encrypt uses it to contact you, for example with expiry warnings when a certificate is about to run out and has not been renewed.
  • Then you accept the terms of service. 🙂 This is followed by the question whether you want to share your email address with the EFF for news, campaigns and so on.

Now the most important part: certbot reads your Nginx configuration and asks for which of the server names it found you want a certificate.

  • In my case I have the domain and the www subdomain. I selected both, so the single certificate is valid for both names. Every name you select must already resolve to this server, because Let's Encrypt verifies control of each one before issuing.
  • After the verification completes and the new certificate is issued, certbot edits my Nginx virtual host configuration file to add the entries for the certificate files.
  • It also asks whether to redirect all HTTP traffic to HTTPS. I selected yes, so all traffic is redirected.

The Nginx VirtualHost configuration

After certbot's changes, your virtual host file will look something like this:

server {
    server_name  thedevopsguide.com www.thedevopsguide.com;

    # ... Your other config here

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/thedevopsguide.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/thedevopsguide.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

server {
    if ($host = www.thedevopsguide.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = thedevopsguide.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    return 404; # managed by Certbot
}

In this case I got the certificate files for the blog, which is why the hosts point to thedevopsguide.com. In your case they should point to your domain!

Two things worth knowing about the generated block: ssl_certificate points at fullchain.pem (the server certificate plus the Let's Encrypt intermediate), not cert.pem, and it must stay that way, otherwise clients that do not already have the intermediate will fail to validate the chain. And the paths under /etc/letsencrypt/live/ are symlinks to the newest files, so they keep working unchanged after every renewal.

Notice that the second server block exists only for redirection. Whenever a user arrives over HTTP, they are sent a 301 redirect to the HTTPS address; the final return 404 rejects port-80 requests for any other Host name.

Renewing your certificates

Your brand new certificate expires 90 days after issuance, so it has to be renewed before then.

To do that, you just need an entry in your crontab. First execute:

sudo crontab -e

And then add this entry at the end:

0 12 * * * /usr/bin/certbot renew --quiet

As a result, certbot checks the certificates every day, but it only replaces the ones that are close to expiry: by default a certificate is renewed when fewer than 30 days of validity remain, so for roughly the first 60 days the daily run finds nothing to do and exits quietly.

Because the certificate was obtained with the Nginx plugin, certbot remembers that in the renewal configuration and reloads Nginx after a successful renewal, so the new files are actually served. Before adding the cron entry, check whether the certbot package already installed its own systemd timer or cron job for renewal, so you don't run it twice, and run the renew command once with the --dry-run flag to confirm that renewal works against the staging environment without touching your real certificate.
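The two checks mentioned above (is the certificate inside certbot's 30-day renewal window, and does the served file contain the full chain) can be done offline with nothing but the openssl command-line tool. The script below is an added example and is not part of the original post or of certbot; the certificates it inspects are constructed self-signed stand-ins generated on the fly, so it runs without a real Let's Encrypt certificate. On a server you would point the functions at /etc/letsencrypt/live/<domain>/fullchain.pem instead.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks on the
# certificate files certbot leaves under /etc/letsencrypt/live/<domain>/,
# using only the openssl CLI. The certificates generated below are
# constructed self-signed stand-ins for real Let's Encrypt certificates.
set -eu

# needs_renewal CERT [DAYS]: returns 0 when CERT expires within DAYS days
# (default 30, certbot's renewal threshold), 1 while it is still valid
# beyond that window (the case where `certbot renew` does nothing).
needs_renewal() {
    cert=$1
    days=${2:-30}
    # openssl exits 0 if the cert will NOT expire within the given seconds
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null; then
        return 1
    fi
    return 0
}

# chain_length FILE: number of PEM certificates in FILE. fullchain.pem must
# hold the leaf plus the intermediate (2 or more); cert.pem holds only 1,
# and serving that alone breaks validation for many clients.
chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# expiry_date CERT: the notAfter date as openssl prints it.
expiry_date() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# make_test_cert OUT DAYS NAME: constructed self-signed certificate valid
# for DAYS days, standing in for a certificate issued by Let's Encrypt.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=$3" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

FRESH_CERT=$WORKDIR/fresh.pem        # 90 days left: right after `certbot --nginx`
EXPIRING_CERT=$WORKDIR/expiring.pem  # 10 days left: inside the 30-day window
CHAIN_FILE=$WORKDIR/fullchain.pem    # two PEM blocks, like a real fullchain.pem
make_test_cert "$FRESH_CERT" 90 example.com
make_test_cert "$EXPIRING_CERT" 10 example.com
cat "$FRESH_CERT" "$EXPIRING_CERT" > "$CHAIN_FILE"

for c in "$FRESH_CERT" "$EXPIRING_CERT"; do
    if needs_renewal "$c" 30; then state="renewal due"; else state="still valid"; fi
    printf '%s: expires %s -> %s\n' "$(basename "$c")" "$(expiry_date "$c")" "$state"
done
printf 'fullchain.pem holds %s certificate(s)\n' "$(chain_length "$CHAIN_FILE")"
```

The `-checkend` test is the same decision certbot makes on every cron run, which is why a daily `certbot renew` is harmless: only a certificate inside the window is replaced. Running `sudo certbot renew --dry-run` once after setting up the cron entry exercises the whole renewal path against the staging environment, including the Nginx reload, without consuming a real certificate.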

Final notes

In the end, clicking the padlock in your browser should show a valid certificate issued by Let's Encrypt, something like this:

Valid certificate

That's it, guys. If you have any questions, just drop us a comment. 🙂
