SSL certificates are small data files that digitally bind a cryptographic key to an organisation's details. When installed on a web server, a certificate activates the padlock and the https protocol and allows secure connections between the web server and a browser. Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently it is becoming the norm for securing the browsing of social media sites.
Why Do I Need an SSL Certificate?
SSL certificates protect sensitive information such as credit card details, usernames and passwords. An SSL certificate:
- Keeps data secure between clients and servers.
- Increases the website's Google rankings.
- Builds and enhances customer trust.
- Improves conversion rates.
Switch to the root user and use the commands below to add the Let's Encrypt certbot repository and install the certificate tool and its dependencies:
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
If you run the Apache web server, install certbot for Apache using the command below:
$ sudo apt-get install python-certbot-apache
If you run the nginx web server, install certbot for nginx using the command below:
$ sudo apt-get install python-certbot-nginx
STEP 2: GENERATE CERTIFICATE FOR DOMAIN OR DOMAINS
You can generate a certificate for one or multiple domains with a single command. When you run it, the certbot client automatically obtains the certificate or certificates for the list of domains given on the command line. The first domain in the list is the base domain; after it you can add subdomains or aliases. Use the first command below for Apache and the second for nginx:
$ sudo certbot --apache -d example.com -d www.example.com
$ sudo certbot --nginx -d example.com -d www.example.com
The generated certificate files and private key are stored under /etc/letsencrypt/live, with one directory created per domain. The Apache or nginx configuration changes for each domain, including the SSL rules, are added automatically to the respective domain configuration under /etc/apache2/sites-available or /etc/nginx/sites-available.
Check the result at: https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
STEP 3: VERIFYING CERTBOT AUTO-RENEWAL
Let's Encrypt certificates are valid for only 90 days. However, the installed certbot package takes care of renewal by running twice a day through a systemd timer. On non-systemd distributions you can set up renewal through a cron script placed in /etc/cron.d. This task runs twice per day and renews certificates that are due to expire within 30 days.
To test the certificate renewal process, use the command below to do a dry run with certbot:
$ sudo certbot renew --dry-run
If you receive no errors, you're all done. During renewal, Certbot renews your certificates and reloads Apache to pick up the changes. If this process fails, Let's Encrypt will send an email to the address you specified, with a message when your certificate is about to expire.
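A check to run alongside the dry run, as an added example that is not part of the original article: it reads every certificate under /etc/letsencrypt/live with openssl and flags any that is already inside the 30-day renewal window, which means the twice-daily renewal has not been succeeding. The function names and the LIVE_DIR and RENEW_WINDOW_DAYS variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag certificates that certbot should already have renewed.
# /etc/letsencrypt/live and the 30-day window are from the article; the
# function names and the LIVE_DIR/RENEW_WINDOW_DAYS variables are hypothetical.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"

# cert_status FILE -> prints one of: ok | due | expired | unreadable
#   due     = expires inside the renewal window, so auto-renewal has not run
#   expired = already past its notAfter date
cert_status() {
    cs_cert="$1"
    cs_window=$(( RENEW_WINDOW_DAYS * 86400 ))   # window in seconds
    if ! openssl x509 -noout -in "$cs_cert" >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -noout -checkend 0 -in "$cs_cert" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend "$cs_window" -in "$cs_cert" >/dev/null 2>&1; then
        echo due
    else
        echo ok
    fi
}

# audit_live_dir DIR -> one line per certificate; returns 1 if any is not ok
audit_live_dir() {
    al_dir="$1"
    al_rc=0
    for al_cert in "$al_dir"/*/cert.pem; do
        [ -e "$al_cert" ] || continue            # glob matched nothing
        al_name="$(basename "$(dirname "$al_cert")")"
        al_status="$(cert_status "$al_cert")"
        printf '%-10s %s  %s\n' "$al_status" "$al_name" \
            "$(openssl x509 -noout -enddate -in "$al_cert" 2>/dev/null)"
        [ "$al_status" = ok ] || al_rc=1
    done
    return "$al_rc"
}

# Run from cron or a monitoring agent; a non-zero result means renewal is stuck.
audit_live_dir "$LIVE_DIR" || echo "certificates need attention in $LIVE_DIR" >&2
```

Reading /etc/letsencrypt/live normally requires root, so run the script with sudo or from root's crontab.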
In case you get an error in certificate validation or the HTTP-01 challenge, look at your DNS entries for the IPv4 and IPv6 records and check whether they point to the same server. Also check whether both your IPv6 and IPv4 addresses are responding on ports 80 and 443.