Let’s Encrypt is a free, automated and open certificate authority for anyone that wants to secure a website with SSL. I recently had to setup Let’s Encrypt for a client, and found that it was absurdly simple to use with their Certbot ACME client.
WARNING: This guide may become quickly outdated and is really just for my own reference. If you are looking to use Let’s Encrypt, please review the following articles from Let’s Encrypt for the latest installation and setup instructions:
https://letsencrypt.org/getting-started/
https://certbot.eff.org
For this guide, I am assuming the server is running Apache. So to get started, I simply following the instructions provided on https://certbot.eff.org to get Certbot installed:
# CentOS 6 # There is currently no packaged version of Certbot for CentOS 6. So you have to download the script manually by: [root@web01 ~]# cd /root [root@web01 ~]# wget https://dl.eff.org/certbot-auto [root@web01 ~]# chmod a+x certbot-auto # CentOS 7 [root@web01 ~]# yum install yum-utils [root@web01 ~]# yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional [root@web01 ~]# yum install certbot-apache # Ubuntu 14.04 [root@web01 ~]# apt-get update [root@web01 ~]# apt-get install software-properties-common [root@web01 ~]# add-apt-repository ppa:certbot/certbot [root@web01 ~]# apt-get update [root@web01 ~]# apt-get install python-certbot-apache # Ubuntu 16.04 [root@web01 ~]# apt-get update [root@web01 ~]# apt-get install software-properties-common [root@web01 ~]# add-apt-repository ppa:certbot/certbot [root@web01 ~]# apt-get update [root@web01 ~]# apt-get install python-certbot-apache
The command below will install or update the certbot script, and also modify your Apache configs accordingly as it automatically configures the SSL certificate. When you run the tool, it will ask you for your email address, review their terms of service, and will ask you to select which URL’s you want to have the SSL certificate generated for. Always be sure to include both the www and non-www domains unless you don’t need one of them for some reason.
[root@web01 ~]# certbot --apache
One of the great things about Let’s Encrypt certificates, asides the fact its free, is that you can add a cron job to automatically renew the SSL certificate so it doesn’t expire. Let’s Encrypt recommends running it twice daily. It won’t do anything until your certificates are due for renewal or revoked. Setup the cron job by running:
# CentOS 6 [root@web01 ~]# crontab -e 0 12/24 * * * /root/certbot-auto renew # All other OS's: [root@web01 ~]# crontab -e 0 12/24 * * * certbot renew