Install Let's Encrypt to Create SSL Certificates

Let’s Encrypt is an SSL certificate authority managed by the Internet Security Research Group (ISRG). It utilizes the Automated Certificate Management Environment (ACME) to automatically deploy free SSL certificates that are trusted by nearly all major browsers.

Caution
For most situations, the recommended method for installing Let’s Encrypt certificates is the official Certbot tool. Certbot automates the process of obtaining and installing a certificate, and can also automatically update your web server configuration. The instructions in this guide install Let’s Encrypt and add certificates manually, which is not necessary for most users.
 

Installing a recent certbot version

For this to work, we need certbot 0.29.0 or later. Unfortunately, many distributions ship older versions, so we uninstall the packaged version first (ignore any errors) and fetch the latest one.

Run the following as root:

Ubuntu

This is for Ubuntu 18.04 LTS. It should also work on other Ubuntu versions.

# Uninstall existing package first, just ignore any errors:
apt remove certbot
# Now update and install the latest certbot
apt-get update
apt-get install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

Debian

apt-get remove certbot-auto
cd /root
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto

Verifying certbot version

We need certbot 0.29.0 or newer, so double check:

# certbot --version
certbot 0.31.0

If this is below 0.29.0 then go back and read the previous instructions. Certbot below 0.29.0 will not work as it will screw up permissions!

Download and Install Let’s Encrypt

  1. Install the git package:

    CentOS

     
    sudo yum install git
    

    Debian / Ubuntu

     
    sudo apt-get install git
    
  2. Download a clone of Let’s Encrypt from the official GitHub repository. /opt is a common installation directory for third-party packages, so let’s install the clone to /opt/letsencrypt:

     
    sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
    
  3. Navigate to the new /opt/letsencrypt directory:

     
    cd /opt/letsencrypt
    

Acquire the certificate for the first time

Now you need to acquire a certificate for the first time:

certbot certonly --standalone --preferred-challenges http-01 -d irc.example.org

Naturally, replace irc.example.org with the name of your server!

Here is example output of a successful session:

  1. When prompted, specify an administrative email address. This will allow you to regain control of a lost certificate and receive urgent security notices if necessary. Press ENTER or RETURN to save.

  2. Agree to the Terms of Service and specify if you would like to share your email address with EFF:

     
    
    -------------------------------------------------------------------------------
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v01.api.letsencrypt.org/directory
    -------------------------------------------------------------------------------
    (A)gree/(C)ancel: a
    
    -------------------------------------------------------------------------------
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about EFF and
    our work to encrypt the web, protect its users and defend digital rights.
    -------------------------------------------------------------------------------
    (Y)es/(N)o: n
    
  3. If all goes well, a message similar to the one below will appear. Its appearance means Let’s Encrypt has approved and issued your certificates.

     
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.com/privkey.pem
       Your cert will expire on 2018-05-27. To obtain a new or tweaked
       version of this certificate in the future, simply run
       letsencrypt-auto again. To non-interactively renew *all* of your
       certificates, run "letsencrypt-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    

Check Certificate Domains

  1. The output of the Let’s Encrypt script shows where your certificate is stored; in this case, /etc/letsencrypt/live:

     
    sudo ls /etc/letsencrypt/live
    
     
    
    example.com
    
  2. All of the domains you specified above will be covered under this single certificate. This can be verified as follows:

     
    ./certbot-auto certificates
    
     
    
    Found the following certs:
      Certificate Name: example.com
        Domains: example.com www.example.com
        Expiry Date: 2018-05-27 20:49:02+00:00 (VALID: 89 days)
        Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
    

Maintenance

Renew SSL Certificates

  1. Return to the /opt/letsencrypt directory:

     
    cd /opt/letsencrypt
    
  2. Execute the command you used in Step 1 of the Create an SSL Certificate section, adding the --renew-by-default parameter:

     
    sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d example.com -d www.example.com
    
  3. After a few moments, a confirmation similar to the one below should appear:

     
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.com/privkey.pem
       Your cert will expire on 2018-05-27. To obtain a new or tweaked
       version of this certificate in the future, simply run
       letsencrypt-auto again. To non-interactively renew *all* of your
       certificates, run "letsencrypt-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
        

    Let’s Encrypt has refreshed the lifespan of your certificates; in this example, March 31st, 2016 is the new expiration date.

Note
Let’s Encrypt certificates have a 90-day lifespan. According to Let’s Encrypt, this encourages automation and minimizes damage from key compromises. You can renew your certificates at any time during their lifespan.

Automatically Renew SSL Certificates (Optional)

You can also automate certificate renewal. This will prevent your certificates from expiring, and can be accomplished with cron.

  1. The output of the previous command shows how to non-interactively renew all of your certificates:

     
    ./letsencrypt-auto renew
    
  2. Set this task to run automatically once per month using a cron job:

     
    sudo crontab -e
    

    Add the following line to the end of the crontab file:

    0 0 1 * * /opt/letsencrypt/letsencrypt-auto renew
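A cron job can fail without anyone noticing, so it helps to check how many days each certificate has left. The following is an added example, not part of the original guide: it parses the "certificates" output format shown earlier. The function names, the two extra sample entries and the "INVALID: EXPIRED" wording are assumptions for illustration.

```shell
# Constructed sample in the format shown under "Check Certificate Domains".
# The second and third entries are made up for this example.
sample_certbot_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2018-05-27 20:49:02+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: irc.example.org
    Domains: irc.example.org
    Expiry Date: 2018-03-10 08:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/irc.example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/irc.example.org/privkey.pem
  Certificate Name: old.example.org
    Domains: old.example.org
    Expiry Date: 2018-01-02 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Read "certificates" output on stdin. Print "<name> <status>" for every
# certificate with fewer than $1 days left (default 30, the window in which
# "renew" attempts a renewal) or that is not reported as VALID.
# Exit status is 1 if anything was printed, so cron or monitoring can alert.
# Usage: ./certbot-auto certificates | certs_needing_renewal 30
certs_needing_renewal() {
    awk -v min="${1:-30}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 !~ /INVALID/ && match($0, /VALID: [0-9]+ day/)) {
                # "VALID: " is 7 characters; +0 keeps only the leading number
                days = substr($0, RSTART + 7) + 0
                if (days < min) { print name, days " days"; bad = 1 }
            } else {
                print name, "not valid"; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}
```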

Update Let’s Encrypt

  1. Return to the /opt/letsencrypt directory:

     
    cd /opt/letsencrypt
    
  2. Download any changes made to Let’s Encrypt since you last cloned or pulled the repository, effectively updating it:

     
    sudo git pull
    

Automatically Update Let’s Encrypt (Optional)

You can also use cron to keep the letsencrypt-auto client up to date.

 
sudo crontab -e
 
0 0 1 * * cd /opt/letsencrypt && git pull

Self signed certificate

If you want the easy way out and to avoid all the steps above, you can create a self-signed certificate by typing:

 openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1096 -nodes -out sisrv.pem -keyout sisrv.pem

You will need to provide some details which look like:

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SiSrv
Organizational Unit Name (eg, section) []:IRCd
Common Name (e.g. server FQDN or YOUR name) []:irc.sisrv.net
Email Address []:support@sisrv.net

This file will contain the generated certificate and key. Move it from your current directory to the tls directory:

mv sisrv.pem tls/sisrv.pem

Then create two files, server.cert.pem and server.key.pem, and copy the certificate and the key from sisrv.pem into their own files.

Your listen block should look like:

/* Standard IRC SSL/TLS port 6697 */
listen {
        ip *;
        port 6697;
        options { tls; clientsonly; };
        tls-options {
                certificate "tls/server.cert.pem";
                key "tls/server.key.pem";
        };
};
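The copy step above can be scripted. The following is an added example, not part of the original article: it splits the combined sisrv.pem into the two files the listen block references and creates the key file with owner-only permissions. The function names and the constructed sample PEM (placeholder bodies, not real key material) are assumptions for illustration.

```shell
# Constructed sample: placeholder bodies, not real key material.
make_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
EOF
}

# split_pem <combined.pem> <cert-out> <key-out>
split_pem() {
    src=$1 cert_out=$2 key_out=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # The certificate is public, so default permissions are fine.
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
        "$src" > "$cert_out"

    # Create the key file under a restrictive umask so it is never
    # readable by other users, not even briefly.
    ( umask 077
      awk '/-----BEGIN [A-Z ]*PRIVATE KEY-----/,/-----END [A-Z ]*PRIVATE KEY-----/' \
          "$src" > "$key_out" )
    chmod 600 "$key_out"   # covers a pre-existing file with a looser mode

    # Fail loudly if either part was missing from the combined file.
    grep -q 'BEGIN CERTIFICATE' "$cert_out" ||
        { echo "no certificate in $src" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key_out" ||
        { echo "no private key in $src" >&2; rm -f "$key_out"; return 1; }
}

# key_matches_cert <cert> <key>: true only if both yield the same public key.
# Needs openssl and real key material, so it will not pass on the sample above.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}
```

For the files in this guide, run it from the directory that contains tls/: split_pem tls/sisrv.pem tls/server.cert.pem tls/server.key.pem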

 
