Getting Started with Let’s Encrypt and SSL Certificates

Introduction
Movements like HTTPS Everywhere are working to get all sites on HTTPS. Google is one of the major backers of this movement and will eventually mark all regular HTTP sites as insecure by default in their Chrome browser (see more here). It is important that everyone secure their websites so we can all enjoy a safer Internet.

This is where Let’s Encrypt comes in. From https://letsencrypt.org/about/: “Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).” This means that anyone can request and receive a free SSL certificate to enable secure HTTP traffic. Now that there is no cost needed to receive a certificate, everyone can and should enable HTTPS on their websites.

This guide walks you through the basics of getting and applying a Let’s Encrypt SSL certificate to an existing web server. It assumes you already have the web server ready and the DNS records set appropriately. Since this is a getting started guide, we will stick with the Certbot recommended by Let’s Encrypt. There are many other solutions or you can even create your own. See here for more information on other clients.

Getting Certbot

Install the Certbot Client. You can get instructions on how to install (and use!) Certbot from the EFF (Electronic Frontier Foundation) for free right here: https://certbot.eff.org/

Select your webserver from the drop down and your operating system. For our example, we’re going to use Apache on CentOS 7.

Per the instructions provided by the EFF, you can install Certbot with the EPEL (Extra Packages for Enterprise Linux) repository. Run the commands as listed by the EFF to make sure the repository and Certbot package get installed.

sudo yum install epel-release
sudo yum install python-certbot-apache
Setting up SSL
Automated Setup

Certbot has a very good Apache plugin and can, most of the time, automatically verify your domain and modify your web server configuration for SSL.

To use Certbot, you need to run it as a user with permissions to modify your web server configuration (if you’re not sure, just use sudo to run it as root, as shown in our example).

To let Certbot automatically set up your Apache server, all you need to do is run the following command:

sudo certbot --apache

Most of the time this will be all you need to do. Assuming your domain is already set up and prepared (as this guide assumes), the Certbot can adjust your configuration and verify your domain all automatically!

Manual Setup

What if the automated setup doesn’t work or you don’t want it to automatically adjust your web server settings? Follow the rest of these steps for a manual install. Example commands are below the steps.

Use Certbot to verify your domain and create the SSL certificates.

Once this completes, the SSL certificates are installed to /etc/letsencrypt/live/example.com. You can see several files in that directory, but you only really need two of them:

privkey.pem – This is the private key for the certificate (needed for Apache SSLCertificateKeyFile)

fullchain.pem – All certificates, including the one in cert.pem (needed by Apache 2.4.8 and newer for SSLCertificateFile)

Now you need to set up your host configuration to use the new certificates. Edit the .conf file for your website and add a configuration like the one below to add the appropriate lines for you to serve the new SSL certificates. This allows users to browse your site securely with SSL!

Make sure you also allow traffic for HTTPS on port 443 in your firewall, if you have not already. If you’re using firewalld (which you should be with CentOS 7, as in this example) run the below commands.

Verify domain and create SSL certificates:

sudo certbot --apache certonly

Virtual Host example:

<VirtualHost *:443> 
[Webserver setup. DocumentRoot, ServerName, etc. You should already have this information for your website for port 80 and regular web traffic.]
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/[yourdomain].com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[yourdomain].com/privkey.pem
</VirtualHost>
Open firewall port for HTTPS:
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

You can test your site by going to https://[yourdomain].com If it works, congratulations! You now have a site secured with SSL! If not, try going back through the instructions and make sure you didn’t skip a step or mistype any information.

If you have problems or other issues, try reading the Let’s Encrypt or Certbot documentation:

Let’s Encrypt

Certbot

Certificate Renewal

So now you’ve got your certificate installed and are happily serving HTTPS traffic. That’s great! Unfortunately, as part of the Let’s Encrypt security, the certificate you receive is only good for 3 months! You obviously don’t want your website to become insecure after only 3 months so that means you need to be prepared to renew the certificate.

Manual Renewal

Certbot makes this extremely easy. Simply run the below command and it will automatically renew any certificates that expire within 30 days:

sudo certbot renew

This automatically attempts to use the same options and plugins as when you originally created the certificate to renew the expiring certificate(s). If anything has changed, you will not be able to use this option for renewal. You can also provide some flags to this command like ‘–force-renewal’, which changes from attempting to renew expiring certificates to attempt all renewal on all certificates. Note that options you pass to this command apply to EVERY certificate renewal attempted with this. If you have multiple certificates for multiple web sites, then all of them will be renewed with the same options. If your server setup has changed, or you want to provide different options for the certificate, you can also simply re-run step 1 from Manual Setup above and that works as well.

Automating Renewal

While the Manual Renewal process is generally rather simple and easy to do, automating it for one less thing to remember is even better!

The easiest way to automate renewal is simply to have the Manual Renewal command run in a cron job. This way, you can very easily customize when it runs and how often. If you do not already have cron installed, run this to install, enable, and start it in CentOS 7:

sudo yum install -y cronie
sudo systemctl enable crond
sudo systemctl start crond

Now that you’ve got cron installed and started, you need to create a crontab file to run the Certbot renewal command. Decide when and how often you want to run the renewal. Since it automatically attempts to renew certificates that expire within 30 days, make sure it is at least that often. I suggest doing it more often in case there are issues. You still have some time to fix any problems or try again by running it more often than the bare minimum. Run this command to edit the root user crontab file, the add the line beneath it to schedule Certbot’s attempt at renewal on expiring certificates every Sunday at midnight.

sudo crontab -e
0 0 * * sun /usr/bin/certbot renew

You can also have the cron job output the results to a file by re-directing the output. This way you can review the results and check for failed attempts or errors. Change the crontab line to this and it redirects the output of the last run of the job to the file /log/cert-renew-results.

0 0 * * sun /usr/bin/certbot renew > /log/cert-renew-results
Conclusion

That’s it! Now that you’ve installed the certificates and set up renewal, you’re finished. Following these instructions, with slight modifications for other webservers (like nginx) or distributions (like Ubuntu), will allow you to start serving SSL traffic on your website. Note that while SSL is more secure and helps verify the identity of a website, it is only the beginning of website security. There are many more steps to properly secure a website, but this helps you serve secure traffic and everyone should use this whenever possible.

Sources:

Much of this content was adapted or pulled from the excellent documentation at https://certbot.eff.org/ and https://letsencrypt.org/ Visit those sites for additional information and help.on



  • post-author-pic
    Sean G
    11-14-2016

    Note: You can also see this information on our Blog! https://linuxacademy.com/blog/linux/7443/

  • post-author-pic
    Martin C
    11-19-2016

    I need to try that in our dev environment soon. Would you recommend using this in prod env also ?

  • post-author-pic
    Md. Monzurul Houqe Z
    12-11-2017

    I think you can use letsencrypt for production environment as we are using for a reputed customer of our company  @tecnicIT . You may need to write script for automation purpose and should be tested.

  • post-author-pic
    Stephen E
    12-15-2017

    Thank you for this, really gettings me thinging about a soultion to a problem I'm currently having with certs.

  • post-author-pic
    Lethargos A
    12-20-2017

    Let's encrypt doesn't add any timestamps when the certificate is or is not due for renewal. I'd suggest adding something like ; date >> /var/log/cert-renew-results in crontab.
    It might not be the cleanest of solutions, but it could be a way of doing it.
    This is how it looks without any timestamps:

    The following certs are not due for renewal yet:

    /etc/letsencrypt/live/domain.com/fullchain.pem (skipped)

    No renewals were attempted.

    -------------------------------------------------------------------------------

    -------------------------------------------------------------------------------

    Processing /etc/letsencrypt/renewal/domain.com.conf

    -------------------------------------------------------------------------------

    -------------------------------------------------------------------------------

    new certificate deployed without reload, fullchain is

    /etc/letsencrypt/live/domain.com/fullchain.pem

    -------------------------------------------------------------------------------

    It's not very helpful without timestamps, especially if you do it as often as once a week (I'd say once a month would be enough).

Looking For Team Training?

Learn More