What is Let’s Encrypt?
Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to install free SSL/TLS certificates on web servers.
In this article, we will see how to obtain a free Let’s Encrypt SSL certificate and use it with Nginx on Ubuntu.
The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention.
Use of Let’s Encrypt
Let’s Encrypt enables HTTPS for your domain so that the website is served securely.
- A running Ubuntu instance with a domain configured on it and pointing to the server’s IP address.
- sudo access to the instance.
Download and install Let’s Encrypt:
First, we need to install the Certbot packages on the server in order to install the free certificate provided by Let’s Encrypt.
On Ubuntu systems, the Certbot team maintains a PPA, which you should add to the list of repositories.
Add the repository and install the Certbot Nginx package:
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
Certbot has an Nginx plugin, available on most Linux platforms, which automates the process of obtaining and installing new certificates.
Run the command below to obtain a new certificate. Certbot will automatically update the Nginx configuration file with the certificate settings.
sudo certbot --nginx -d example.com
Provide an email address so that Certbot can notify you when the SSL certificate is about to expire.
If you want to make the configuration changes manually, use the command below. The new certificates will be obtained and stored under the Certbot root directory.
sudo certbot --nginx certonly
Checking Nginx configuration:
Certbot must be able to find the server block in the Nginx configuration so that it can apply the SSL certificate for the domain.
It looks for the server_name directive that matches the domain for which you want to obtain and install a certificate.
If you have followed the article on how to set up an Nginx server block for a domain, you should have a server block with the domain name in the server_name directive in the Nginx configuration file.
To check, open the Nginx configuration file. If you have followed the above article, it should be wordpress.conf.
You should see the following lines, added by Certbot itself:
ssl_certificate /etc/letsencrypt/live/fitdevops.in/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/fitdevops.in/privkey.pem; # managed by Certbot
If you find the above configuration in your Nginx file, verify the Nginx configuration using the command below:
sudo nginx -t
If you get any errors, re-open the Nginx configuration files, fix the errors reported by Nginx, and then restart the Nginx server.
sudo systemctl restart nginx
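The manual check in this section can be scripted. The following is an added example, not part of the original article: it walks an Nginx configuration file and confirms that a server block whose server_name lists the domain also carries both Certbot-written certificate paths. The helper name check_certbot_block and the sample configuration are constructed for illustration, and the parser assumes one directive per line.

```bash
#!/usr/bin/env bash
# Added example (not from the article). check_certbot_block is a hypothetical name.
# Returns 0 if a server block naming DOMAIN has both certificate paths under
# /etc/letsencrypt/live/DOMAIN/, 1 if none has them, 2 if no block names DOMAIN.
check_certbot_block() {   # usage: check_certbot_block DOMAIN CONF
    awk -v d="$1" -v live="/etc/letsencrypt/live/$1" '
    {
        sub(/#.*/, "")                    # drop comments such as "# managed by Certbot"
        if (!in_srv && $0 ~ /^[ \t]*server[ \t]*[{]/) {
            in_srv = 1; base = depth + 0; name = cert = key = 0
        }
        opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
        if (in_srv) {
            gsub(/;/, " ")                # detach the terminating semicolon
            if ($1 == "server_name") for (i = 2; i <= NF; i++) if ($i == d) name = 1
            if ($1 == "ssl_certificate"     && $2 == (live "/fullchain.pem")) cert = 1
            if ($1 == "ssl_certificate_key" && $2 == (live "/privkey.pem"))   key = 1
        }
        depth += opens - closes
        if (in_srv && depth == base) {    # closing brace of this server block
            in_srv = 0; if (name) { found = 1; if (cert && key) ok = 1 }
        }
    }
    END {
        if (!found) { print d ": no server block with this server_name"; exit 2 }
        if (!ok)    { print d ": server block lacks the Certbot certificate paths"; exit 1 }
        print d ": certificate and key paths found under " live
    }' "$2"
}
# Constructed sample: a TLS block, the port-80 redirect block, and a plain-HTTP site.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
server {
    server_name example.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}
server {
    if ($host = example.com) { return 301 https://$host$request_uri; } # managed by Certbot
    server_name example.com;
}
server {
    server_name plain.example.com;
}
EOF
check_certbot_block example.com "$sample"
check_certbot_block plain.example.com "$sample" || echo "exit status $?"
```

The port-80 redirect block names the domain without carrying certificate paths, so the check passes as long as any block for that domain has both directives.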
Verifying SSL certificates:
We have installed the Let’s Encrypt SSL certificate on the server and configured it in the Nginx configuration.
To check the status of the certificate, such as its expiry date, there are many SSL checker tools that provide information about certificates.
They show the number of days the certificate is valid for and which CA issued it.
Auto-renewal of SSL certificate:
Let’s Encrypt issues certificates for 90 days. You can manually obtain and install new certificates when you get a mail from the Let’s Encrypt team at the email address you registered when obtaining the certificate for a domain for the first time.
But we can automate this by running a cron job that takes care of downloading and installing new certificates.
The certbot package comes with a cron job or a systemd timer that will check and renew the certificates automatically before they expire.
You can test this by running the command below:
sudo certbot renew --dry-run
The command to renew certbot will sit mostly in the below locations,
Now you know how to install and configure free Let’s Encrypt SSL certificates on Ubuntu to secure your websites.
Hope you find this article helpful.