Let’s Encrypt is a free, automated and open certificate authority for anyone who wants to secure a website with SSL. I recently had to set up Let’s Encrypt for a client, and found that it was absurdly simple to use with their Certbot ACME client.
WARNING: This guide may become quickly outdated and is really just for my own reference. If you are looking to use Let’s Encrypt, please review the following articles from Let’s Encrypt for the latest installation and setup instructions:
https://letsencrypt.org/getting-started/
https://certbot.eff.org
For this guide, I am assuming the server is running Apache. To get started, I simply followed the instructions provided on https://certbot.eff.org to get Certbot installed:
# CentOS 6
# There is currently no packaged version of Certbot for CentOS 6, so you have to download the script manually:
cd /root
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

# CentOS 7
yum install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
yum install certbot-apache

# Ubuntu 14.04
apt-get update
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-apache

# Ubuntu 16.04
apt-get update
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-apache
The command below will install or update the certbot script, and also modify your Apache configs accordingly as it automatically configures the SSL certificate. When you run the tool, it will ask for your email address, ask you to review their terms of service, and ask you to select which URLs you want the SSL certificate generated for. Always be sure to include both the www and non-www domains unless you don’t need one of them for some reason.
certbot --apache
One of the great things about Let’s Encrypt certificates, aside from the fact that they are free, is that you can add a cron job to automatically renew the SSL certificate so it doesn’t expire. Let’s Encrypt recommends running it twice daily. It won’t do anything until your certificates are due for renewal or revoked. Set up the cron job by running:
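# CentOS 6
crontab -e
# Add this line in the editor (runs at 00:00 and 12:00, i.e. twice daily):
0 0,12 * * * /root/certbot-auto renew

# All other OSes:
crontab -e
# Add this line in the editor (runs at 00:00 and 12:00, i.e. twice daily):
0 0,12 * * * certbot renew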
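Because the renewal job is silent when nothing is due, a broken cron entry only shows up when the certificate expires. The script below is an added example, not part of the original guide or of Certbot: it reports when a certificate has less validity left than a successful renewal would allow. The function names, the 20-day threshold and the example.com path are assumptions.

```bash
#!/bin/sh
# Added example: detect a renewal job that has silently stopped working.
# Certbot renews by default once a certificate has less than 30 days left,
# so a certificate with under 20 days left (threshold chosen here) means
# the cron job has been failing for a while.

# cert_status FILE [DAYS]
# Prints "ok" if FILE is still valid DAYS days from now (default 20),
# "expiring" if it is not, "unreadable" if FILE is not a parsable certificate.
cert_status() {
    cert=$1
    days=${2:-20}
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
        return 1
    fi
}

# make_test_cert FILE DAYS
# Constructed sample input: a throwaway self-signed certificate valid for DAYS.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# With arguments: check a real certificate, e.g. from a daily cron entry
#   ./check-cert.sh /etc/letsencrypt/live/example.com/cert.pem 20
# Without arguments: run against two constructed certificates.
if [ "$#" -gt 0 ]; then
    cert_status "$@"
else
    tmp=$(mktemp -d)
    make_test_cert "$tmp/fresh.pem" 90   # lifetime of a new Let's Encrypt cert
    make_test_cert "$tmp/stale.pem" 10   # what a missed renewal looks like
    echo "fresh: $(cert_status "$tmp/fresh.pem")"
    echo "stale: $(cert_status "$tmp/stale.pem")"
    rm -rf "$tmp"
fi
```

When run from cron with a certificate path, the non-zero exit status on "expiring" or "unreadable" can drive whatever alerting the server already uses.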