Linode, Bash, Tutorials, Development

 

Setting up an SSL certificate enables HTTPS on the web server, which secures the traffic between the server and the clients connecting to it. Certbot is a free and automated way to set up SSL certificates on a server.

To use Certbot, you’ll need a registered domain name and two DNS records:

An A record from a domain (e.g., example.com) to the server’s IP address
An A record from a domain prefaced with www (e.g., www.example.com) to the server’s IP address
Additionally, if you’re using a virtual hosts file, you’ll need to make sure the server name directive in the VirtualHost block (e.g., ServerName example.com) is correctly set to the domain.

 

Installation

Install the Let's Encrypt command line utility: Certbot

sudo apt-get install certbot python-certbot-apache

 

Next run certbot:

sudo certbot

On first run it will ask "Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel)" enter your email address here to receive notifications for renwals.

Next you will see:

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

If you wanrt to continue press A

Next another option is displayed:

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

Press either Y or N

Next a list of domains will be displayed that are on your server. In my case:

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: daveissmynme.blog
2: www.daveismyname.blog
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

I'll leave the input blany by pressing enter to select all domains.

Then certbot will start obtaining certificates for the domains.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select 2 to redirect all http traffic to https (recommended)

This is now complete at this stage, the certbot displays:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://daveismyname.blog and
https://www.daveismyname.blog

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=daveismyname.blog
https://www.ssllabs.com/ssltest/analyze.html?d=www.daveismyname.blog
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dccasts.dev/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/daveismyname.blog/privkey.pem
   Your cert will expire on 2020-01-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 

Securing additional domains:

Once the DNS records and, optionally, the virtual hosts files are set up, you can generate the SSL certificate. Make sure to substitute the domain in the command.

sudo certbot --apache -d test.com -d www.test.com

 

Test automatic renewal

The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:

sudo certbot renew --dry-run