Easily Obtaining SSL/TLS Certificates using Let’s Encrypt

Getting a Valid SSL/TLS Certificate with Let’s Encrypt

To issue a valid SSL/TLS certificate, Let’s Encrypt, a Certificate Authority (CA), must verify that you control the domain you want the certificate for. This is done through a validation process using a client that communicates with Let’s Encrypt. We’ll use Certbot for this purpose.

Understanding Domain Validation

Before we install and use Certbot, let’s understand the domain validation process. Let’s Encrypt uses “challenges” to validate a domain, the most common being HTTP-01 and DNS-01.

In an HTTP-01 challenge, Let’s Encrypt creates a token and sends it to the client. The client then creates a file on your website at a specific path:

http://<YOUR-DOMAIN>/.well-known/acme-challenge/<TOKEN>

Let’s Encrypt fetches that URL over plain HTTP and checks that the file exists and has the expected contents. If the check succeeds, the certificate is issued. This challenge therefore requires your website to be reachable from the internet on port 80.

In a DNS-01 challenge, Let’s Encrypt verifies control over DNS entries. The CA issues a token to the client, which then creates a TXT record at:

_acme-challenge.<YOUR-DOMAIN>

Let’s Encrypt queries the DNS for that record, and if found, the certificate is issued.

In this guide, we’ll focus on the HTTP-01 challenge.
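To make the HTTP-01 exchange concrete, here is an added example (not code from the original article or from Certbot) that computes what the client must serve and what the CA checks: the file contents are the token, a dot, and the RFC 7638 thumbprint of the ACME account key, and a tiny handler answers only the acme-challenge path, in the spirit of the temporary web server Certbot runs in standalone mode. The account key and token below are constructed sample values, not real ones.

```python
import base64
import hashlib
import json
from http.server import BaseHTTPRequestHandler

# RFC 8555: HTTP-01 resources live under this path and are fetched over plain HTTP on port 80.
CHALLENGE_PATH = "/.well-known/acme-challenge/"

def b64url(data: bytes) -> str:  # base64url without padding, as ACME requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """The file body the client must serve: token, a dot, and the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def challenge_url(domain: str, token: str) -> str:
    return f"http://{domain}{CHALLENGE_PATH}{token}"

def token_from_path(path: str):
    # Returns the token for a well-formed challenge request, None for anything else.
    if not path.startswith(CHALLENGE_PATH):
        return None
    token = path[len(CHALLENGE_PATH):]
    return token if token and "/" not in token else None

def validate_response(body: str, token: str, account_jwk: dict) -> bool:
    """The CA-side check: the served body (trailing whitespace tolerated) equals the key authorization."""
    return body.rstrip() == key_authorization(token, account_jwk)

class Http01Handler(BaseHTTPRequestHandler):
    """Minimal standalone-style responder: serves known challenges, 404 for every other path."""
    challenges: dict = {}  # token -> key authorization, populated before the server is started
    def do_GET(self):
        body = self.challenges.get(token_from_path(self.path))
        if body is None:
            self.send_error(404)
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

# Constructed sample values for illustration only; not a real account key or CA-issued token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
SAMPLE_TOKEN = "constructedTokenFromTheCA_0123456789"
```

To serve the sample locally, set `Http01Handler.challenges[SAMPLE_TOKEN] = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)` and pass the handler to `http.server.HTTPServer`; a real validation still needs port 80 reachable from the internet.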

Installing Certbot

Certbot is a free, open-source ACME client created by the Electronic Frontier Foundation. It communicates with Let’s Encrypt to obtain SSL/TLS certificates and secure your website. Certbot is written in Python and is available in many Linux distributions’ repositories.

To install Certbot on Debian-based systems:

$ sudo apt install certbot

For Fedora:

$ sudo dnf install certbot

On Red Hat Enterprise Linux and its clones (e.g., Rocky Linux), Certbot isn’t officially available, but you can install it after adding the EPEL repository:

$ sudo dnf install certbot

Alternatively, you can install Certbot using pip, the Python package manager:

$ pip install certbot

Note: Avoid running pip as root. Install the package as an unprivileged user.

Obtaining a Let’s Encrypt Certificate

To obtain a certificate using Certbot, use the certonly subcommand:

$ sudo certbot certonly

Certbot will ask how you want to authenticate with the CA. You can either spin up a temporary web server or place files in an existing webroot directory. Choose the appropriate option based on whether you already have a web server running: the temporary web server must bind port 80 itself, so it only works when nothing else is listening there. For simplicity, we’ll use the temporary web server option.

Certbot will also ask for your email address for renewal and security notices, and you need to accept Let’s Encrypt’s Terms of Service.

Enter the domain you want the certificate for:

Please enter the domain name(s) you would like on your certificate: mydomain.com

Certbot will then obtain the certificate and save it at:

/etc/letsencrypt/live/mydomain.com/fullchain.pem
/etc/letsencrypt/live/mydomain.com/privkey.pem

Certbot will also set up a scheduled task (a systemd timer or cron job) to automatically renew the certificate when it is installed from a distribution package; a pip installation does not create this task by itself.

Automating Web Server Configuration

To use the certificate, your web server needs to know its location. Certbot can automatically create configurations for Apache and Nginx using dedicated plugins. To install these plugins on Debian-based systems:

$ sudo apt install python3-certbot-apache python3-certbot-nginx

On Fedora-based systems:

$ sudo dnf install python3-certbot-apache python3-certbot-nginx

To retrieve a certificate and automatically create an Apache configuration, use:

$ sudo certbot --apache

The Apache configuration is stored at /etc/apache2/sites-available/000-default-le-ssl.conf and includes directives like:

ServerName mydomain.com
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Running Certbot Non-Interactively

Sometimes, user interaction isn’t possible. In such cases, run Certbot non-interactively:

$ sudo certbot certonly --non-interactive --standalone --email mymail@provider.com --agree-tos --no-eff-email --domains mydomain.com

To let Certbot create an Apache configuration non-interactively, add the --installer option:

$ sudo certbot --non-interactive --standalone --email mymail@provider.com --agree-tos --no-eff-email --domains mydomain.com --installer apache

Managing Certificates

To display information about your certificates:

$ sudo certbot certificates

To run a renewal pass now (Certbot renews only the certificates that are approaching expiry and reports the rest as not yet due):

$ sudo certbot renew

To revoke a certificate:

$ sudo certbot revoke --cert-name mydomain.com

To delete a certificate:

$ sudo certbot delete --cert-name mydomain.com

Managing the ACME Account

To display information about your ACME account:

$ sudo certbot show_account

To unregister an account:

$ sudo certbot unregister

To register a new account:

$ sudo certbot register --email mymail@provider.com --agree-tos --no-eff-email

Note: Registering an account explicitly is usually unnecessary as it’s created the first time you use Certbot.

Conclusion

Ensuring secure, encrypted communication with your website is crucial. Let’s Encrypt provides free SSL/TLS certificates after verifying domain control. Using Certbot, an ACME client, you can easily obtain and manage these certificates. This guide covered installing Certbot, obtaining and managing certificates, and automating web server configuration.
