In this guide I’ll explain how to create an SSL certificate with letsencrypt on Debian 8.
To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA).
Letsencrypt is a CA, so it can issue SSL certificates for your websites.
Let’s start by setting up necessary packages.
First fully update your system, not just to guarantee you have the necessary dependencies, but also to make sure you’re not exposed to vulnerabilities that have already been fixed.
sudo apt-get update && sudo apt-get upgrade
Now we will use the jessie-backports repository to install letsencrypt.
Issue the following commands to add the new repository and make apt-get aware of it:
echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee /etc/apt/sources.list.d/backports.list
sudo apt-get update
Install the letsencrypt package:
sudo apt-get install python-certbot-apache -t jessie-backports
Note the “-t” argument I added: it selects jessie-backports as the target release for this installation, so the package and its dependencies are taken from there, avoiding conflicts with packages from other repositories.
I assume you have apache and firewall rules ready to accept SSL traffic. If not, you must take care of that first.
Now let’s set up a certificate. You can do this in 2 ways.
One way of doing it is by running the following command:
sudo certbot --apache
This will detect the domains configured in apache; you just need to select the domains to set up a certificate for and follow the steps.
Another way is to specify the domains on the command line. Here I’m doing it for a dummy domain:
sudo certbot --apache -d test.com -d www.test.com
In this case I’ve specified the domains test.com and www.test.com. You will then have to follow some steps:
You’ll be asked for a contact email address and if you want https access to be mandatory or also allow http.
You then can test the certificate by navigating to this address:
Your certificate is working!
Letsencrypt certificates have a short lifetime: they are only valid for 3 months.
To renew all your certificates, run the following command:
sudo certbot renew
or to renew only one specific certificate, selected by its name (the renew command does not accept -d):
sudo certbot renew --cert-name test.com
To automate this task, you can create a cronjob that renews all your certificates regularly:
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
With this schedule the job runs every Monday at 02:30. Each run renews only the certificates that are close to expiring.
Now what if you want to issue an SSL certificate to use on a remote apache server?
Easy, you have to use the “certonly” and “manual” parameters like this:
certbot certonly --manual
And follow the instructions, or pass all the parameters on the command line, like this:
certbot certonly --manual --manual-public-ip-logging-ok --email firstname.lastname@example.org --agree-tos --domain yourdomain.com --domain www.yourdomain.com --rsa-key-size 2048
You will then need to place a file with a specific text on the remote webserver. When done, press Enter to resume the process and finish the certificate creation.
Now that the certificate is created you must copy the necessary files to the remote server and tell apache where they are.
Files are usually placed here: /etc/letsencrypt/live/, copy the files to the remote server and make the necessary changes on apache.
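What that last step involves in practice, as an added example that is not part of the original guide: a POSIX shell function that stages the two files apache needs before you transfer them. The function name stage_cert, the staging and target paths and remote-host are assumptions; fullchain.pem and privkey.pem are certbot's standard file names.

```shell
#!/bin/sh
# Added example: stage a certbot certificate for transfer to a remote
# apache host. Assumes certbot's standard layout, where the entries in
# <live_dir> are symlinks into ../../archive/.

stage_cert() {
    live_dir=$1
    out_dir=$2
    # Refuse to continue if either file is missing or empty.
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$live_dir/$f" ]; then
            echo "missing or empty: $live_dir/$f" >&2
            return 1
        fi
    done
    # Create the staging directory private from the start, so the key
    # is never readable by other users, even briefly.
    ( umask 077 && mkdir -p "$out_dir" ) || return 1
    chmod 700 "$out_dir" || return 1
    # -L dereferences the symlinks: the copy holds the real PEM data,
    # not links that would dangle on the remote server.
    ( umask 077 && cp -L "$live_dir/fullchain.pem" \
        "$live_dir/privkey.pem" "$out_dir/" ) || return 1
    chmod 600 "$out_dir/privkey.pem" || return 1
    chmod 644 "$out_dir/fullchain.pem" || return 1
}

# Usage on the machine that ran certbot (paths and host are placeholders):
#   stage_cert /etc/letsencrypt/live/yourdomain.com /root/stage/yourdomain.com
#   scp -p /root/stage/yourdomain.com/*.pem root@remote-host:/etc/ssl/yourdomain.com/
#
# Matching directives for the remote virtual host (apache 2.4.8 or later
# accepts the full chain in SSLCertificateFile):
#   SSLEngine on
#   SSLCertificateFile    /etc/ssl/yourdomain.com/fullchain.pem
#   SSLCertificateKeyFile /etc/ssl/yourdomain.com/privkey.pem
```

Repeat the copy after every renewal, since the remote server keeps serving the old certificate until the new files are in place and apache is reloaded.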