Letsencrypt Certificates - Simple Guide
Let's Encrypt is a free and open certificate authority developed by the Internet Security Research Group (ISRG) and trusted by almost all browsers today.
Note: This guide is for Server administrators.
Let's Encrypt is a free and open certificate authority developed by the Internet Security Research Group (ISRG). Certificates issued by this authority are trusted by almost all browsers, such as Chrome, Microsoft Edge, Internet Explorer and Firefox. One of the major benefits of these certificates is zero cost: if you are publishing a new blog or a simple website, you can get a Let's Encrypt certificate for free.
In this guide we explain, step by step, how to install a certificate on a website running on the Nginx web server.
You have a fully qualified domain name (FQDN) pointing to your public IP. In this example we use example.com as the domain and 192.168.10.120 as the IP. You can buy a domain here or get a free domain here.
Your DNS server is properly configured and has the following records: example.com, type A, value 192.168.10.120; and www.example.com, type A, value 192.168.10.120.
You have a working Nginx server installed and configured. To install Nginx you can follow this guide.
You have root or sudo access and enough knowledge of Linux commands.
Update the package index and install software-properties-common:
sudo apt update
sudo apt install -y software-properties-common
This installs the package that provides add-apt-repository, which lets us add a new PPA. Now add the certbot PPA:
sudo add-apt-repository ppa:certbot/certbot
It will prompt you to press Enter; hit Enter to complete the process.
Remember that whenever you add a new PPA you have to update the apt index again. To do so, run the following command:
sudo apt update
Now it is time to install certbot and its Nginx plugin, using the command below:
sudo apt -y install certbot python-certbot-nginx
Now we will start the process of getting a Let's Encrypt SSL certificate.
Please keep the following in mind about Let's Encrypt SSL certificates before trying to get one:
Let's Encrypt SSL certificates are free but they do not support wildcard domains, e.g. you cannot get a certificate for *.example.com; you have to generate a separate certificate for each subdomain.
Let's Encrypt SSL certificates are valid for 3 months. You can renew them every 3 months, but you cannot get a certificate for a longer period, e.g. for 1 year.
The Let's Encrypt issuing authority enforces some rate limits; before trying to get a certificate, please read them carefully here. For now, remember that if you fail to validate your domain 5 times, you will not be able to create a new request for one hour.
Obtaining a Let’s Encrypt SSL certificate
Let's Encrypt needs to validate our ownership of the domain. It has to confirm that the person requesting a certificate for a domain really controls this server, so you must pass a challenge to prove you control each of the domain names that will be listed in the certificate. A challenge is one of three tasks that only someone who controls the domain should be able to accomplish:
Posting a specified file in a specified location on a website
Offering a specified temporary certificate on a website
Posting a specified DNS record in the domain name system.
Let's begin the fun part.
Type the following commands in a terminal.
Note: please double check that in your Nginx config you have properly set the server_name directive, for example:
server_name example.com www.example.com
One more thing to verify is that our Nginx server is active; please run the command below.
systemctl status nginx
It should confirm that Nginx is active and running.
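Since the Nginx plugin selects the server block whose server_name matches each name passed with -d, a name missing from server_name is a common reason the challenge fails. The following added example (not part of the original guide) extracts the server_name entries from a config file and checks that every requested domain is covered; the config path and domain names are assumptions, and the sample config is constructed inline.

```bash
#!/bin/sh
# Added example: verify before running "certbot --nginx" that every name given with -d
# is declared in a server_name directive. Assumes POSIX sh, sed, awk and grep.

# Print every name declared by server_name directives in CONF, one per line.
# Strips comments, handles several names on one line and a trailing ';'.
nginx_server_names() {
  conf="$1"
  sed 's/#.*$//' "$conf" \
    | awk '$1 == "server_name" { for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); if (n != "") print n } }' \
    | sort -u
}

# Return 0 when every DOMAIN is covered, 1 otherwise (missing names go to stderr).
nginx_covers_domains() {
  conf="$1"; shift
  names=$(nginx_server_names "$conf")
  missing=0
  for d in "$@"; do
    if ! printf '%s\n' "$names" | grep -qxF "$d"; then
      echo "not in any server_name: $d" >&2
      missing=1
    fi
  done
  return $missing
}

# Constructed sample config (placeholder content, not a real server's file).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    server_name example.com www.example.com; # primary site
    root /var/www/example.com;
}
EOF

if nginx_covers_domains "$SAMPLE_CONF" example.com www.example.com; then
  echo "OK: safe to run: sudo certbot --nginx -d example.com -d www.example.com"
fi
# A name that is not in the config is reported so you can fix server_name first.
nginx_covers_domains "$SAMPLE_CONF" example.com blog.example.com || echo "fix server_name first"
```

On a real server, point the first argument at your site's config (or a concatenation of the files under sites-enabled) instead of the constructed sample.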
Certbot provides many ways to obtain SSL certificates, through various plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary.
Now, to get the certificate, please type the following command:
sudo certbot --nginx -d example.com -d www.example.com
This runs certbot with the --nginx plugin, requesting a certificate for each name given with -d.
If you are running certbot for the first time for this domain, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot communicates with the Let's Encrypt server, then runs a challenge to verify that you control the domain you are requesting a certificate for.
Note: if for any reason validation fails, please make sure that the web root directory for the specified domain is owned by www-data and writeable by this user.
If that is successful, certbot will ask how you would like to configure your HTTPS settings.
This is a sample output:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel)
Just select your choice and hit Enter. Certbot will update the configuration files and automatically reload Nginx so it reads the new settings.
Upon success, certbot prints this information:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
expire on 2019-01-23. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Naughty Note: You should donate some bucks to support these organizations.
Your website's SSL certificate has been installed and configured correctly, and you should test it in the browser. Simply open these addresses in the web browser and see if your certificate is working:
https://example.com
https://www.example.com
If both of the above show a green HTTPS padlock in the address bar, you have completed the process. One more step is recommended: test certbot with a dry run to validate that certificate renewal will work in the future, by typing this command:
sudo certbot renew --dry-run
If everything goes well, your certbot is working properly.
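The dry run proves renewal can succeed, but it is still worth knowing how close the installed certificate is to certbot's default renewal window (30 days before expiry). The following added example (not from the original guide) converts the notAfter date that openssl prints for the certificate under /etc/letsencrypt/live into days remaining and decides whether renewal is due; it assumes GNU date, and the sample expiry date is constructed to match the output shown above.

```bash
#!/bin/sh
# Added example: check days left on the certificate certbot installed and whether it is
# already inside certbot's default renewal window. Assumes GNU date (-d); openssl is only
# used by check_live_cert on a real server.

# Days left until the "notAfter=<date>" line printed by `openssl x509 -noout -enddate`.
# A second argument overrides "now" (for reproducible checks); default is the current time.
cert_days_left() {
  enddate=${1#notAfter=}
  now=${2:-now}
  end_s=$(date -u -d "$enddate" +%s) || return 2
  now_s=$(date -u -d "$now" +%s) || return 2
  echo $(( (end_s - now_s) / 86400 ))
}

# Return 0 when DAYS is within certbot's default 30-day renewal window, 1 otherwise.
renewal_due() {
  [ "$1" -le 30 ]
}

# Inspect the live certificate for DOMAIN (needs root to read /etc/letsencrypt/live).
check_live_cert() {
  pem="/etc/letsencrypt/live/$1/fullchain.pem"
  [ -r "$pem" ] || { echo "no readable certificate at $pem (run as root?)" >&2; return 2; }
  days=$(cert_days_left "$(openssl x509 -in "$pem" -noout -enddate)") || return 2
  if renewal_due "$days"; then
    echo "$1: $days days left, renewal due; run: sudo certbot renew"
  else
    echo "$1: $days days left, renewal not yet due"
  fi
}

# Constructed sample: the expiry date certbot reported above, checked as of 2019-01-01.
SAMPLE_ENDDATE='notAfter=Jan 23 00:00:00 2019 GMT'
days=$(cert_days_left "$SAMPLE_ENDDATE" '2019-01-01 00:00:00 UTC')
echo "sample certificate: $days days left on 2019-01-01"
renewal_due "$days" && echo "sample: renewal is due"
# On a real server: check_live_cert example.com
```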
Waiting for your comments.
Please share this article on social media to support my work.