In today’s world, where online security is of utmost importance, it is essential to have a secure website. SSL (Secure Sockets Layer) certificates play a vital role in securing websites by encrypting the data transferred between the website and the user. While SSL certificates were once costly and challenging to obtain, Let’s Encrypt and Certbot have made it possible for website owners to secure their websites for free.
What is Let’s Encrypt?
Let’s Encrypt is a non-profit certificate authority that provides free SSL certificates to website owners. Let’s Encrypt is unique in that it automates the entire process of issuing and renewing SSL certificates. The certificates issued by Let’s Encrypt are valid for 90 days and can be renewed automatically.
What is Certbot?
Certbot is an open-source software tool that automates the process of obtaining and renewing SSL certificates from Let’s Encrypt. Certbot is available for most web servers and operating systems, and it is easy to use, making it an excellent choice for website owners who are not familiar with SSL certificates.
Benefits of Let’s Encrypt and Certbot
The benefits of using Let’s Encrypt and Certbot to secure your website include:
- Free SSL Certificates: Let’s Encrypt provides free SSL certificates, making it accessible to website owners who may not have the budget to purchase an SSL certificate.
- Easy to Use: Certbot automates the entire process of obtaining and renewing SSL certificates, making it easy for website owners to secure their websites.
- Trusted Certificate Authority: Let’s Encrypt is a trusted certificate authority, so you can be confident that your SSL certificate is valid and secure.
- Better SEO: Google has announced that websites with SSL certificates will have better search engine rankings, making it essential for website owners to secure their websites.
Setting up Let’s Encrypt and Certbot
Setting up Let’s Encrypt and Certbot is a straightforward process that involves the following steps:
Prerequisites:
- sudo privileges.
- Stable internet connection.
First check server OS version then start installation as per OS version:
# egrep '^(VERSION|NAME)=' /etc/os-release
On Debian based family:
Steps to install certbot on Debian and Ubuntu
Install snap utility and configure it with below command:
# apt install snapd -y
# systemctl enable --now snapd.socket
# ln -s /var/lib/snapd/snap /snap
Ensure you have the latest snapd version installed:
# snap install core; snap refresh core
Next install Certbot with snapd:
# snap install --classic certbot
Create a Symbolic Link to ensure Certbot runs:
# ln -s /snap/bin/certbot /usr/bin/certbot
On Red Hat based family:
Steps to install certbot on Red Hat Enterprise Linux, CentOS, Oracle Linux, Rocky Linux and Amazon Linux.
Install EPEL Release as snapd package is only available through EPEL:
# yum install epel-release -y
Install snap utility and configure it with below command:
# yum install snapd -y
# systemctl enable --now snapd.socket
# ln -s /var/lib/snapd/snap /snap
Ensure you have the latest snapd version installed:
# snap install core; snap refresh core
Next install Certbot with snapd:
# snap install --classic certbot
Last create a Symbolic Link to ensure Certbot runs:
# ln -s /snap/bin/certbot /usr/bin/certbot
Getting certificates and choosing plugins
Now, Request SSL certificates from Let’s encrypt based on the web server. There is 4 methods to get a new SSL certificate, that depend on which web server running on your system. During the installation process, Certbot will prompt you for some basic information including email address and domain name if domain name is not mentioned.
So choose the correct method as per the environment:
1. No Web Server Running
In case, we don’t have any web server running. we can --standalone
option to complete the domain validation by stating a dummy web server. This option needs to bind to port 80 in order to perform domain validation.
# certbot certonly --standalone -d example.com --staple-ocsp -m [email protected] --agree-tos
You may specify multiple domains with -d
# certbot certonly --standalone -d example.com -d www.example.com --staple-ocsp -m [email protected] --agree-tos
2. Certbot with Nginx
For the Nginx web server, use the below command to request the SSL certificates. For latest Nginx installation click here.
Request a certificate and automatically configure it on Nginx (recommended):
# certbot --nginx
Or
# certbot --nginx -d example.com -d www.example.com
Request a certificate without configuring Nginx:
# certbot certonly --nginx -d example.com -d www.example.com
3. Certbot with Apache
For the Apache web server, execute the following command. This will list all the domains/sub-domains configured on your web server. Select appropriate numbers to request a certificate.
Request a certificate and automatically configure it on Apache (recommended):
# certbot --apache
Or
# certbot --apache -d example.com -d www.example.com
Request a certificate without configuring Apache:
# certbot certonly --apache -d example.com -d www.example.com
4. Some other Web Server Running
For the system having any other web servers running except Apache or Nginx. Then you can get the certificate only and configure them manually.
# certbot certonly --webroot --agree-tos --no-eff-email --email [email protected] -w /var/www/_letsencrypt -d example.com -d www.example.com
While using the above commands, the domain must be pointed to the server in DNS. Also, ensure that /.well-known/acme-challenge is served by the web server.
If the above operation is successful, Certbot confirms the certificates are enabled and outputs the details. It also displays some information about the directories /etc/letsencrypt/live/example.com
where the certificates .pem and .key are stored, along with the expiration date.
Note : Do not forgot to restart or reload web server configuration after successful operation.
Renewing a SSL Certificate
Let’s Encrypt certificates expire after 90 days. To prevent SSL from expiring we need to renew certificate.
Test Renewals
# certbot renew --dry-run
If we receive no errors, you’re all set for certificate renewal.
# certbot renew
Note : After renewal process we need to restart or reload web server configuration
# systemctl reload your_webserver_service
Conclusion
Let’s Encrypt is a certificate authority that provides free SSL certificates for public website domains. We can issue certificates for any number of domains for free. Certbot is a command line utility that helps to manage Let’s Encrypt SSL certificates. With the help of certbot we can issue a new certificate, and renew it.