Set up Let’s Encrypt for your VPS

Let’s Encrypt is a free and open certificate authority (CA) run by the Internet Security Research Group (ISRG). Its main purpose is to offer free digital certificates so that anyone can enable HTTPS on their website. ISRG works toward a more secure and privacy-respecting Web, and this is one of the reasons the certificates are free.

I heard about Let’s Encrypt a few years ago when I was searching for some cheap SSL certificates. I was amazed by the fact that they literally provide free certificates and by how user-friendly the entire process is. I tried it, and since then I have been a big fan. Kernel-panic.me uses Let’s Encrypt certificates (thanks :d) and I decided to write this post to show you how simple it is to set them up for your website.

Why use TLS/SSL for your website

In a few words, TLS/SSL is about encrypting client-server or server-to-server communication. This keeps your data safe and ensures privacy on the network. Secure Sockets Layer (SSL), the first protocol of its kind, is a cryptographic protocol that provides communications security over a computer network. SSL has since been deprecated by the IETF and replaced by its new and improved successor, Transport Layer Security (TLS).

Obviously, the first reason for using TLS/SSL, in the form of HTTPS, for your website is keeping communication safe and secure. HTTPS protects the integrity of your website.

HTTPS protects the privacy and security of your users. There is a false assumption that only sites that work with sensitive data need HTTPS. Every unencrypted HTTP request can reveal information about the behavior and identities of users.

A secondary benefit of using HTTPS is that Google takes it into consideration when ranking your page.

Setup

As I said before, the setup is very simple and user-friendly. Next, I will show you how to obtain and set up Let’s Encrypt certificates on different Linux distributions and for different web servers. To obtain and deploy the certificates we will use Certbot.

Note: To follow this tutorial and use digital certificates you need a DNS A record that points to your Virtual Private Server (VPS).

Prerequisites:

Make sure you have correctly installed and configured a web server that serves HTTP requests.

Open ports 80 and 443.

Make sure that the firewall permits HTTP/HTTPS connections to your server.

If you are using firewall-cmd:

$ sudo firewall-cmd --add-service=http
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

If you are using iptables:

$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

If you are using ufw:

$ sudo ufw allow http
$ sudo ufw allow https

Let’s Encrypt on Ubuntu

The first step is to install Certbot for Ubuntu:

$ sudo add-apt-repository ppa:certbot/certbot

Press Enter to accept the PPA, then update the package list:

$ sudo apt-get update

The next steps are specific to the web server you use, so follow the instructions that correspond to your setup.

apache2:

$ sudo apt-get install python-certbot-apache

The Let’s Encrypt Certbot client is now installed and ready to use. To request digital certificates it is enough to run:

$ sudo certbot --apache -d domain_name.com -d www.domain_name.com

Note: Replace domain_name.com with the domain name of your DNS A record.

After you have followed the instructions of the interactive client, your certificates are deployed and ready to use.

nginx:

$ sudo apt install python-certbot-nginx

Certbot needs to find the correct server block in your Nginx configuration in order to configure SSL automatically. It does this by looking for a server_name directive that matches the domain you request a certificate for. Make sure that server_name is correctly set in the nginx config file:

$ sudo vi /etc/nginx/sites-available/domain_name.com

...
server {
  ...
  server_name domain_name.com www.domain_name.com;
  ...
}
...
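Before running certbot --nginx it is worth confirming that every domain you will pass with -d really appears as a server_name token, since Certbot refuses to configure a domain it cannot locate. The POSIX shell snippet below is an added example written for this post, not code from Certbot or from the original article; it assumes only sh, sed, tr, grep and mktemp, and the config it inspects is a constructed sample that mirrors the fragment above.

```shell
#!/bin/sh
# Added example (not from the original post or from Certbot): verify that
# an nginx config file lists each domain in a server_name directive before
# you pass that domain to `certbot --nginx -d`. Assumes only POSIX sh,
# sed, tr, grep and mktemp.

# Return 0 if the domain $2 appears as a token of a server_name directive
# in file $1. Comments are stripped first, and tokens are compared exactly,
# so domain_name.com does not match www.domain_name.com (or vice versa).
nginx_has_server_name() {
  cfg=$1
  domain=$2
  sed 's/#.*//' "$cfg" \
    | grep -E '^[[:space:]]*server_name[[:space:]]' \
    | tr ';' ' ' \
    | tr -s '[:space:]' '\n' \
    | grep -qxF -- "$domain"
}

# Print every domain from $2.. that is missing from file $1, one per line.
# Returns 1 if anything is missing, 0 when the config covers them all.
nginx_missing_server_names() {
  cfg=$1
  shift
  missing=0
  for d in "$@"; do
    if ! nginx_has_server_name "$cfg" "$d"; then
      echo "$d"
      missing=1
    fi
  done
  return $missing
}

# Constructed sample config mirroring the fragment above. The root line
# mentions the domain too, which must not count as a server_name match,
# and the commented-out server_name must be ignored.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
server {
    listen 80;
    server_name domain_name.com www.domain_name.com;  # matches both -d flags
    root /var/www/domain_name.com;
    # server_name mail.domain_name.com;   (commented out, so not configured)
}
EOF

# Usage on a real server, for example:
#   nginx_missing_server_names /etc/nginx/sites-available/domain_name.com \
#       domain_name.com www.domain_name.com || echo "fix server_name first"
```

Run `sudo nginx -t` as well before invoking Certbot: the check above only proves the names are present, not that the file parses.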

If everything is OK, all you need to do is request a certificate with:

$ sudo certbot --nginx -d domain_name.com -d www.domain_name.com

Note: Replace domain_name.com with the domain name of your DNS A record.

After you have followed the instructions of the interactive client, your certificates are deployed and ready to use.

Let’s Encrypt on CentOS 7.x

On CentOS, as on Ubuntu, we first need to install Certbot. The best way to install it is through the EPEL repository. To enable the EPEL repository on your server, run:

$ sudo yum install epel-release

After the installation is done, the instructions are web server specific:

apache:

Install certbot client:

$ sudo yum install python-certbot-apache

To request and deploy the certificate, use:

$ sudo certbot --apache -d domain_name.com -d www.domain_name.com

nginx:

Install certbot client:

$ sudo yum install certbot-nginx

Make sure that server_name is correctly set in the nginx config file (see the Ubuntu section for details) and perform the certificate request:

$ sudo certbot --nginx -d domain_name.com -d www.domain_name.com

Bonus: Auto-renew certificates

Let’s Encrypt certificates need to be renewed every 30 days. If you provided a valid email address when you requested the certificates, Let’s Encrypt will send you an email 10 days before the expiration date, but I think it is easier to set up an auto-renew mechanism. This is easy to do on Linux because we can take advantage of crontab. We will create a crontab entry to renew the certificates:

$ sudo crontab -e 
# your default text editor opens; add the following line at the end
30 4 * * * /usr/bin/certbot renew >> /var/log/renew.log 2>&1

Save and exit.

This cron job runs every day at 4:30 AM and tries to renew the certificates. Output is redirected to /var/log/renew.log so you can check whether something went wrong.
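A log that only grows by appending makes it hard to see how the most recent run went, and a silent failure would surface only as an expired certificate. The snippet below is an added example written for this post, not code from Certbot or from the original article: a hypothetical wrapper (renew_with_marker) that stamps each run in the log and merges stderr, plus a function that classifies the latest run so a monitoring check can alert on a failed renewal. The log path, the marker format and the sample log lines are assumptions; the sample lines are constructed and modelled on Certbot's renew summary messages. It goes slightly beyond the post by passing --deploy-hook, a real certbot renew option, so the web server is reloaded only when a certificate actually changed.

```shell
#!/bin/sh
# Added example, not code from the original post or from Certbot. Wraps the
# cron job's `certbot renew` so each run is delimited in the log, then
# classifies the most recent run. Assumes only POSIX sh, awk, grep, date
# and mktemp; paths, marker format and sample lines are assumptions.

LOG=${RENEW_LOG:-/var/log/renew.log}

# Hypothetical cron wrapper: write a dated marker, then run certbot with
# stderr merged into the log (a plain `>>` in the crontab drops stderr).
# --deploy-hook runs only when a cert was renewed; use `systemctl reload
# apache2` (Ubuntu) or `httpd` (CentOS) for Apache. Not called below.
renew_with_marker() {
  {
    echo "=== $(date -u +%Y-%m-%dT%H:%M:%SZ) certbot renew"
    /usr/bin/certbot renew --deploy-hook "systemctl reload nginx" 2>&1
  } >> "$LOG"
}

# Print only the lines written since the last "=== " marker in file $1.
last_run_lines() {
  awk '/^=== /{buf=""; next} {buf=buf $0 "\n"} END{printf "%s", buf}' "$1"
}

# Classify the last run recorded in file $1 and print one word:
#   failed   - certbot reported a failed renewal attempt (checked first,
#              since a mixed run may also list renewed certs)
#   renewed  - at least one certificate was renewed
#   skipped  - nothing was due yet (the normal daily outcome)
#   unknown  - no recognisable summary line, e.g. certbot never ran
renew_log_status() {
  run=$(last_run_lines "$1")
  if printf '%s\n' "$run" | grep -qE 'renewal attempts failed|could not be renewed'; then
    echo failed
  elif printf '%s\n' "$run" | grep -qE 'all renewals succeeded|have been renewed'; then
    echo renewed
  elif printf '%s\n' "$run" | grep -qE 'not yet due for renewal|No renewals were attempted'; then
    echo skipped
  else
    echo unknown
  fi
}

# Constructed sample log: three runs (skipped, renewed, failed), so the
# status of the file as a whole is "failed".
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
=== 2020-01-01T04:30:00Z certbot renew
Cert not yet due for renewal
No renewals were attempted.
=== 2020-01-02T04:30:00Z certbot renew
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/domain_name.com/fullchain.pem (success)
=== 2020-01-03T04:30:00Z certbot renew
Attempting to renew cert (domain_name.com) from /etc/letsencrypt/renewal/domain_name.com.conf produced an unexpected error: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/domain_name.com/fullchain.pem (failure)
EOF

# Usage: `renew_log_status /var/log/renew.log` from a monitoring script,
# alerting when the result is "failed" or "unknown".
```

To exercise the whole renewal path without waiting for the cron job, run `sudo certbot renew --dry-run`, which performs the challenge against Let’s Encrypt's staging environment and reports the same summary lines without replacing your live certificate.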
