Lets Encrypt is an awesome free service which allows anyone to create free SSL certificates to secure their website and as of January 2018 they will be doing Wildcard certificates!
https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html
The importance of secure SSL encrypted websites can not be overstated – even when you are not handling credit card information Google and Chrome much prefer HTTPS – from improved search ranking to insecure Chrome warnings it is becoming a necessity.
There are two main ways to create and install certificates, the easy way and the harder way.
I will go over both because I have had to install both – one was a cPanel website which had no direct Letsencrypt integration and no shell access and the other one was a Linux server I had shell access to which was significantly easier.
Manual Installation of certificates
For the manual installation you will need the following:
- A linux server with internet / SSH server access
- FTP access to the website you want to install the certificate to
- cPanel access to the website you want to install the certificate to
On the Linux server install certbot – in this case I am using CentOS 7:
yum install certbot -y
This will install certbot.
Now you will need to create the certificates manually and upload to the webserver.
certbot certonly –manual –preferred-challenges http
This is the output where it asks you the domain name(s) and to confirm that it is OK for the IP address of the server you are running on it to be logged is on.
You must agree before it will continue.
I have used example.com as an example but use your own domain at this point.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): example.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
——————————————————————————-
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.
Are you OK with your IP being logged?
——————————————————————————-
(Y)es/(N)o: y
——————————————————————————-
Create a file containing just this data:
UeEvG1GQGw2r5V84fSnvLtc4DssgLdLnZHO_2ovhu0g.Xe_28x_cmVhSy8XJi7kGDXDB6scmmjaHp6evrmxiMXw
And make it available on your web server at this URL:
http://example.com/.well-known/acme-challenge/UeEvG1GQGw2r5V84fSnvLtc4DssgLdLnZHO_2ovhu0g
——————————————————————————-
Press Enter to Continue
Now you need to create a new file as per the above instructions. You can do this with the following command:
echo “UeEvG1GQGw2r5V84fSnvLtc4DssgLdLnZHO_2ovhu0g.Xe_28x_cmVhSy8XJi7kGDXDB6scmmjaHp6evrmxiMXw” >> UeEvG1GQGw2r5V84fSnvLtc4DssgLdLnZHO_2ovhu0g
Now you need to download this file and upload it to the FTP server.
In my case Public_html is the directory on my host that contains all website data, so you will need to change into this directory and create the directory:
.well-known/
and then acme-challenge/ within it.
Once these directories have been created you can upload the file UeEvG1GQGw2r5V84fSnvLtc4DssgLdLnZHO_2ovhu0g to this directory and proceed to the next step.
On the server press enter and it will create the certificates.
Waiting for verification…
Resetting dropped connection: acme-v01.api.letsencrypt.org
Resetting dropped connection: acme-v01.api.letsencrypt.org
Cleaning up challenges
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-01-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
“certbot renew”
Now you can copy and paste the contents of the newly created keys into cPanel.
Login to cPanel > Security > SSL/TLS > Install and Manage SSL for your site (HTTPS)
On your Linux server, run:
cat /etc/letsencrypt/live/example.com/cert.pem
then copy the contents and paste it into Certificate CRT section:
It should say the name of the certificate, CA, expiry and if it is a correct certificate.
Now copy the contents of /etc/letsencrypt/live/example.com/privkey.pem into Private key section.
Now you should be able to install certificate and it will install for your domain.
The certificate at the moment expires every 3 months so you will have to repeat the process. The domain owner gets an email every 3 months to let them know they need to renew.
With the automated method you can schedule to run automatically.
Automatic Installation of certificates
On the Linux server that your website runs on simple run:
certbot run -d example.com -d www.example.com
You can specify that it automatically redirects HTTP to HTTPS which is a very cool feature.
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
tls-sni-01 challenge for www.example.com
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/example.com-le-ssl.conf
Deploying Certificate forexample.com to VirtualHost /etc/httpd/conf.d/example.com.au-le-ssl.conf
Deploying Certificate for www.example.com to VirtualHost /etc/httpd/conf.d/example.com-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
——————————————————————————-
1: No redirect – Make no further changes to the webserver configuration.
2: Redirect – Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.
——————————————————————————-
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
——————————————————————————-
Congratulations! You have successfully enabled https://example.com and
https://www.example.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
——————————————————————————-
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-01-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew *all* of
your certificates, run “certbot renew”
– If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
And that’s it – certificate installed automatically.
Automatic Renewal of certificates
This only works with Shell access per above as possible. In above case the cert expires in January and needs to be renewed every 3 months, so to automate, as root add a crontab:
crontab -e
0 0 1 1,4,7,10 * /usr/bin/certbot renew
Now you don’t need to do anything to have free secure certificates!
References
https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html