Letsencrypt – SSL Certificates for everyone

May 17, 2017 - Guides, Linux, Security
In this guide I’ll explain how to create an SSL certificate with letsencrypt on Debian 8.

To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA).

Letsencrypt is a CA, so it can issue SSL certificates for your websites.

Let’s start by installing the necessary packages.

 

First, fully update your system, not just to guarantee you have the necessary dependencies, but also to make sure you’re not affected by known vulnerabilities.

Security first!

 

sudo apt-get update && sudo apt-get upgrade

 

Now we will use the jessie-backports repository to install letsencrypt.

Issue the following commands to add the new repository and make apt-get aware of it:

echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee /etc/apt/sources.list.d/backports.list

 

sudo apt-get update

 

Install the letsencrypt package:

sudo apt-get install python-certbot-apache -t jessie-backports

 

Note the “-t” argument I added: it makes apt-get install from the jessie-backports repository, avoiding conflicts with packages from other repositories.

 

I assume you have Apache and your firewall rules ready to accept SSL traffic; if not, take care of that first.

Now let’s set up a certificate. You can do this in 2 ways.

One way of doing it is by running the following command:

sudo certbot --apache

 

This will detect the domains configured in Apache; you just need to select the domains to set up a certificate for and follow the steps.

 

Another way is to specify the domains yourself. In this case I’m doing it for a dummy domain, like this:

sudo certbot --apache -d test.com -d www.test.com

 

Here I’ve specified the test.com and www.test.com domains. You will then have to follow some steps:

You’ll be asked for a contact email address and whether you want HTTPS access to be mandatory or to also allow HTTP.

 

You can then test the certificate by navigating to this address:

https://www.ssllabs.com/ssltest/analyze.html?d=test.com

 

Your certificate is working!

 

Letsencrypt certificates have a short lifetime: they are only valid for 3 months.

To renew all your certificates, run the following command:

sudo certbot renew

 

or to renew only one specific certificate, selected by its name:

sudo certbot renew --cert-name test.com

 

To automate this task, you can create a cronjob that renews all your certificates regularly:

30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log

 

This runs every Monday at 02:30 and renews any certificates that are close to expiring.

Now what if you want to issue an SSL certificate to use on a remote Apache server?

 

Easy, you have to use the “certonly” and “manual” parameters like this:

certbot certonly --manual

Then follow the instructions, or pass all the parameters on the command line, like this:

certbot certonly --manual --manual-public-ip-logging-ok --email you@yourdomain.com --agree-tos --domain yourdomain.com --domain www.yourdomain.com --rsa-key-size 2048

 

You will then need to place a file with a specific text on the remote web server. When done, press Enter to resume the process and finish the certificate creation.

 

Now that the certificate is created, you must copy the necessary files to the remote server and tell Apache where they are.

 

The files are usually placed under /etc/letsencrypt/live/. Copy them to the remote server and make the necessary changes in the Apache configuration.
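
Before the files leave the machine, it helps to confirm that the private key belongs to the certificate and that the copy of the key stays readable by its owner only. The following is an added example, not part of the original guide: the function name stage_cert, its arguments and its exit codes are assumptions made for illustration, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: stage Let's Encrypt files for copying to a remote Apache host.
# Assumed layout: LIVE_DIR/fullchain.pem and LIVE_DIR/privkey.pem. Entries in
# certbot's live/ directory are symlinks, so they are dereferenced on copy.
# Usage: stage_cert LIVE_DIR OUT_DIR [MIN_DAYS]
# Exit codes (assumed): 2 = unreadable/invalid input, 3 = key mismatch, 4 = expiring
stage_cert() (
    live=$1; out=$2; min_days=${3:-30}
    cert=$live/fullchain.pem; key=$live/privkey.pem

    [ -r "$cert" ] && [ -r "$key" ] ||
        { echo "missing cert or key in $live" >&2; exit 2; }

    # Extract the public key from the leaf certificate and from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse $cert" >&2; exit 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot parse $key" >&2; exit 2; }

    # Both are printed in the same PEM form, so a string comparison is enough.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; exit 3; }

    # Refuse to ship a certificate that expires within MIN_DAYS days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires in under $min_days days" >&2; exit 4; }

    # umask 077 (scoped to this subshell): directory 0700, private key 0600.
    umask 077
    mkdir -p "$out" || exit 2
    cp -L "$cert" "$out/fullchain.pem" || exit 2
    cp -L "$key" "$out/privkey.pem" || exit 2
    chmod 644 "$out/fullchain.pem"   # the certificate chain is public data
)
```

Run it as root, for example `stage_cert /etc/letsencrypt/live/yourdomain.com /root/stage`, then copy the staging directory to the remote server over SSH and point Apache at the two files.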
