Free Let's Encrypt SSL certificate for your website
SSL certificates are used by web servers to encrypt the traffic between the server and the client, providing extra security for users accessing your application. Do you have a limited budget and can't afford a certificate issued by a trusted CA? Let's Encrypt provides an easy way to obtain and install trusted certificates for free.
This tutorial describes the process of setting up a Let's Encrypt TLS/SSL certificate for an Apache web server running on Debian 8.
Prerequisites
This article covers the process of installing a certificate on a running Apache server. This means that you will need to have an Apache server installed and configured, with a domain name assigned to it.
Once you are ready to move on, log in to your server using your sudo-enabled account.
1. Installing certbot client
Let's Encrypt certificates are fetched by the certbot client software running on your server. This client will automatically obtain and install a new SSL certificate that is valid for your domains.
In order to install the Let's Encrypt client software, named certbot, on your server, you need to add its repository to the apt sources. This can be done with the following command:
$ echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee -a /etc/apt/sources.list
As you have just added a new repository, you will have to update the apt package manager so that it downloads information about the newly available packages:
$ sudo apt-get update
Now you are ready to install the python-certbot-apache package on your system:
$ sudo apt-get install python-certbot-apache
The certbot client should now be ready to use.
2. Updating Apache configuration
In this step, we will update the Apache configuration so that certbot can read the domains we wish to secure from the Apache configuration itself. To do so, open the default Apache Virtual Host file, where we will set our domain name:
$ sudo nano /etc/apache2/sites-available/000-default.conf
Inside this file, in the Virtual Host block, find and uncomment (remove the # character from the beginning of the line) the ServerName directive and change its value to your domain name:
----- snip -----
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName about-it.eu
----- snip -----
Once you are finished, close the file by pressing CTRL + X, press Y to save the changes and confirm with Enter.
You can check that the syntax of the file is correct with the following command:
$ sudo apache2ctl configtest
3. Updating firewall rules
If your Apache server is already hosting a website, you have most probably updated the firewall configuration to improve server security. Keep in mind that your unprotected website was available on the default HTTP port, which is 80. The SSL-secured version of the HTTP protocol, named HTTPS, uses port 443 by default. That's why we will need to add a firewall rule to allow incoming connections to this port.
In UFW you can verify the current firewall settings with the command:
$ sudo ufw status
To enable both HTTP and HTTPS traffic, you can simply allow the "WWW Full" application profile:
$ sudo ufw allow 'WWW Full'
4. Set up the SSL Certificate
As I already mentioned, we will use the certbot tool to generate certificates for the domains that are set in our Apache configuration. To run the interactive installation and obtain a certificate, type the following command:
$ sudo certbot --apache
This command will start a certificate wizard. It will prompt you to select the appropriate domain, enter an e-mail address used for urgent renewal and security notices, agree to the license terms, and choose whether access to the website via HTTPS should be required or optional.
Congratulations! Your website is now protected with SSL!
Note that you can find the generated certificate files in the /etc/letsencrypt/live directory. Additionally, you can check the status of your SSL certificate by visiting the following link (replace your_website.com with your domain name):
https://www.ssllabs.com/ssltest/analyze.html?d=your_website.com&latest
5. Certificate renewal
Let's Encrypt certificates are valid for 90 days; keep in mind that after this period your certificate will expire. It's highly recommended to renew certificates every 60 days. The certbot tool we used for generating our certificates has one more useful feature: it provides a parameter that automatically tries to renew certificates that will expire in less than 30 days.
The renewal process for all installed domain certificates can be triggered with the following command:
$ sudo certbot renew
You probably will not like the fact that you have to renew the certificate at least four times a year, right? Don't worry! You can easily set up a cron job that will do this for you. To do so, type the following command in the terminal:
$ sudo crontab -e
Select option 1 to open the crontab with the nano text editor, and add the following content on a new line at the end of the file:
45 3 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
Once you are finished, close the file by pressing CTRL + X, press Y to save the changes and confirm with Enter.
We have just created a new cron job. It will automatically renew your certificate using the certbot tool every Monday at 3:45 AM.
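As an added example (not part of the original tutorial), the following script reports how many days each certificate under /etc/letsencrypt/live has left and flags the ones inside certbot's default 30-day renewal window, so you can verify that the cron job is actually keeping the certificate fresh rather than trusting the log alone. It assumes openssl and GNU date are installed; LIVE_DIR, days_until, renewal_due and check_cert are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the tutorial: report how many days each
# Let's Encrypt certificate has left and flag the ones certbot would renew.
# Assumptions: openssl and GNU date are available; certificates live under
# the default /etc/letsencrypt/live/<domain>/cert.pem path; 30 days is the
# default threshold below which 'certbot renew' renews a certificate.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_THRESHOLD_DAYS=30

# days_until <notAfter string> [now-epoch]: whole days from now until expiry.
# The optional second argument pins "now" so the result is repeatable.
days_until() {
    end_epoch=$(date -u -d "$1" +%s) || return 1
    now_epoch=${2:-$(date -u +%s)}
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# renewal_due <days>: true when the certificate is inside the renewal window
renewal_due() {
    [ "$1" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# cert_end_date <pem file>: expiry date exactly as openssl prints it,
# e.g. "Mar  1 00:00:00 2024 GMT"
cert_end_date() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# check_cert <pem file>: print one status line; return 0 if fine,
# 1 if renewal is due, 2 if the file could not be read or parsed.
check_cert() {
    end=$(cert_end_date "$1") || return 2
    days=$(days_until "$end") || return 2
    if renewal_due "$days"; then
        echo "RENEW DUE  $1 expires in $days days ($end)"
        return 1
    fi
    echo "OK         $1 expires in $days days ($end)"
}

# Walk every certificate certbot manages; the exit code is non-zero if any
# of them needs renewal, so this can run from cron next to 'certbot renew'.
if [ -d "$LIVE_DIR" ]; then
    status=0
    for pem in "$LIVE_DIR"/*/cert.pem; do
        [ -f "$pem" ] || continue
        check_cert "$pem" || status=1
    done
    exit $status
fi
```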