How to Secure Your Website with Free SSL Certificates for a Lifetime

Introduction

Let’s Encrypt certificates have revolutionized internet security by providing free, automated, and widely trusted SSL/TLS certificates. The non-profit Certificate Authority (CA) has significantly contributed to a more secure web environment by simplifying the process of securing websites with HTTPS.

Let’s Encrypt certificates are typically valid for a period of 90 days. This short validity period is intentional and serves a specific purpose: it encourages automated renewal processes and promotes frequent updates to maintain robust security standards.

Certificates are normally obtained through an automated API rather than by hand. The most popular Let’s Encrypt client is Certbot, which talks to the Let’s Encrypt service over that API and simplifies obtaining, managing, and deploying certificates on various web servers. It offers a user-friendly command-line interface, supports multiple operating systems, and can request, install, and periodically renew certificates automatically, so websites keep serving encrypted connections without manual intervention. Its integrations with common web servers, which let it edit the server configuration for you, make it the usual choice for individuals and organizations deploying Let’s Encrypt certificates.

Apache

  1. Install Certbot: First, ensure Certbot is installed on your system. The exact command might vary depending on your operating system. For instance, on Ubuntu, you can use:

    sudo apt-get update
    sudo apt-get install certbot python3-certbot-apache

    Adjust the commands according to your system's package manager.

  2. Allow Certbot Through the Firewall (if necessary): Ensure that your firewall allows inbound traffic on ports 80 (HTTP) and 443 (HTTPS). Let’s Encrypt validates domain ownership by connecting to your server from the Internet, so these ports must be reachable from outside, not just locally.

  3. Run Certbot: Use the following command to obtain and install the SSL certificate. Replace example.com with your domain:

    sudo certbot --apache -d example.com -d www.example.com

    The --apache flag specifies that you're using Apache, and -d indicates the domain name for the certificate. Add more -d flags for additional domain names or subdomains.

  4. Interactive Prompt: Certbot will prompt you for some information and offer configuration options. It asks for an email address (used for expiry and renewal reminders) and for your agreement to the terms of service.

  5. Select the Configuration: Certbot will then display a list of virtual hosts that it detected in your Apache configuration. It will ask you to choose which hosts you want to secure with SSL/TLS. Select the appropriate numbers corresponding to the virtual hosts you want to secure and press Enter.

  6. Verification and Installation: Certbot will then contact the Let’s Encrypt server to verify domain ownership. If successful, it automatically edits your Apache configuration to enable the certificate and configure HTTPS.

  7. Test and Verify: Check your website by accessing it via HTTPS to ensure the certificate installation was successful. You can do this by entering your domain with https:// in your web browser (e.g., https://example.com).

  8. Automate Certificate Renewal: Certbot installs an automatic renewal job when it is set up. To test the renewal process without replacing your real certificate, run:

    sudo certbot renew --dry-run

    A dry run exercises the whole renewal flow against Let’s Encrypt’s staging environment, so any problem shows up now rather than when the real renewal is due.

Remember that these instructions are general guidelines; adapt the commands and flags as necessary to your specific server setup and operating system.

Nginx

  1. Install Certbot: Make sure Certbot is installed on your system. The process may differ based on your operating system. For instance, on Ubuntu, you might use:

    sudo apt-get update
    sudo apt-get install certbot python3-certbot-nginx

    Adjust the commands according to your system's package manager.

  2. Allow Traffic Through the Firewall: Ensure your firewall allows inbound traffic on ports 80 (HTTP) and 443 (HTTPS). The domain validation is performed by Let’s Encrypt connecting to your server from the Internet, so these ports must be reachable from outside.

  3. Run Certbot: Use the following command to obtain and install the SSL certificate. Replace example.com with your domain:

    sudo certbot --nginx -d example.com -d www.example.com

    The --nginx flag indicates that you are using Nginx as your web server, and -d specifies the domain name for the certificate. Add more -d flags for additional domain names or subdomains.

  4. Interactive Prompt: Certbot will prompt you for information and offer configuration options. It asks for an email address (used for expiry and renewal reminders) and for your agreement to the terms of service.

  5. Select the Configuration: Certbot will detect the Nginx server blocks for your domains and present them to you. You'll be prompted to choose which domains you want to secure with SSL/TLS. Select the appropriate numbers corresponding to the server blocks you wish to secure and press Enter.

  6. Verification and Installation: Certbot will communicate with the Let’s Encrypt server to verify domain ownership. If successful, it will automatically edit your Nginx configuration to enable the SSL certificate and configure the HTTPS settings.

  7. Test and Verify: Check your website by accessing it via HTTPS to ensure the certificate installation was successful. Use your domain with https:// in your web browser (e.g., https://example.com).

  8. Automate Certificate Renewal: Certbot installs an automatic renewal job when it is set up. To test the renewal process without replacing your real certificate, run:

    sudo certbot renew --dry-run

    A dry run exercises the whole renewal flow against Let’s Encrypt’s staging environment without touching your real certificate. Adjust these instructions to your specific server setup, operating system, and configuration.
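As an added check for the "Test and Verify" and "Automate Certificate Renewal" steps of both the Apache and Nginx procedures, the following script (written for this page; it is not Certbot's own code) reports how many days remain on the certificate Certbot stored under /etc/letsencrypt/live/<domain>/ and on the certificate the server actually presents on port 443. The two can differ when the web server was not reloaded after a renewal, which is exactly the case a browser check alone would miss. It assumes GNU coreutils date, the openssl command-line tool and Certbot's default directory layout; the 30-day threshold mirrors Certbot's default renewal window.

```shell
#!/usr/bin/env bash
# Added example: post-install certificate check for a Certbot-managed domain.
# Assumes GNU `date`, the `openssl` CLI and Certbot's default /etc/letsencrypt layout.
set -u

# Certbot renews once fewer than 30 days remain (its default); use the same threshold.
WARN_DAYS=30

# days_left NOTAFTER [NOW]: whole days from NOW (default: the current time) until an
# OpenSSL "notAfter" timestamp such as "Jan 25 12:00:00 2024 GMT". Negative when expired.
days_left() {
    local end now diff
    end=$(date -u -d "$1" +%s) || return 2
    now=$(date -u -d "${2:-now}" +%s) || return 2
    diff=$((end - now))
    # Round toward minus infinity so that "expired 12 hours ago" reports -1, not 0.
    echo $(( (diff - (diff < 0 ? 86399 : 0)) / 86400 ))
}

# renewal_status DAYS: classify the remaining lifetime.
renewal_status() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -lt "$WARN_DAYS" ]; then echo renew-soon
    else echo ok
    fi
}

# notafter_from_pem FILE: expiry timestamp of a PEM certificate on disk.
notafter_from_pem() {
    local line
    line=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 1
    echo "${line#notAfter=}"
}

# notafter_served DOMAIN: expiry of the certificate presented on DOMAIN:443.
notafter_served() {
    local line
    line=$(echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
           | openssl x509 -noout -enddate 2>/dev/null) || return 1
    echo "${line#notAfter=}"
}

# report LABEL NOTAFTER: print one summary line.
report() {
    local days
    days=$(days_left "$2") || return 1
    echo "$1: expires $2, $days day(s) left, status $(renewal_status "$days")"
}

# check_domain DOMAIN: compare the certificate on disk with the one being served.
check_domain() {
    local pem="/etc/letsencrypt/live/$1/fullchain.pem" na
    if na=$(notafter_from_pem "$pem"); then
        report "$1 on disk ($pem)" "$na"
    else
        echo "$1: no readable certificate at $pem" >&2
    fi
    if na=$(notafter_served "$1"); then
        report "$1 served on :443" "$na"
    else
        echo "$1: no TLS certificate served on port 443" >&2
    fi
}

# Usage: sudo ./cert-check.sh example.com www.example.com
if [ $# -gt 0 ]; then
    for d in "$@"; do check_domain "$d"; done
    # Finish with Certbot's own end-to-end renewal test (staging; no real certificate is issued).
    certbot renew --dry-run
fi
```

Run it as root so the private live/ directory is readable. A "served" line that lags the "on disk" line by a renewal period means the renewal succeeded but the server is still holding the old certificate in memory and needs a reload.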

For complex web applications, webroot mode can be used

If neither the Apache nor the Nginx plugin works for your infrastructure, here is how to configure Certbot in webroot mode:

  1. Install Certbot: Ensure Certbot is installed on your system. For example, on Ubuntu:

    sudo apt-get update
    sudo apt-get install certbot

  2. Run Certbot in Webroot Mode: Use the following command to run Certbot in webroot mode:

    sudo certbot certonly --webroot -w /path/to/your/webroot/directory -d yourdomain.com -d www.yourdomain.com

    • --webroot: Specifies the webroot plugin for authentication.
    • -w /path/to/your/webroot/directory: Indicates the root directory of your web server where Certbot will place the validation files.
    • -d yourdomain.com -d www.yourdomain.com: Specifies the domain names for which you want to generate certificates. You can add more -d flags for additional domains or subdomains.

  3. Respond to Prompts: Certbot will prompt you for an email address and terms of service agreement.

  4. Place Challenge Files in the Webroot Directory: Certbot generates one or more challenge files that must be served from the .well-known/acme-challenge directory under your webroot. Certbot writes them there for you if the webroot path you provided is correct.

  5. Validation and Certificate Generation: Certbot will use these files to validate your control over the domain. If successful, it will generate SSL/TLS certificates for the specified domains.

  6. Certificate Locations: Once the certificates are issued, Certbot typically places them in the /etc/letsencrypt/live/yourdomain.com directory or a similar location on your system.

Remember to replace /path/to/your/webroot/directory with the actual path to your web server's root directory where you'll store the validation files.

The webroot method is particularly useful in scenarios where you cannot or prefer not to temporarily modify your web server configuration, as it only requires access to the web server's file system.
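Before running the certonly command above, it helps to confirm that the -w path really is the directory the web server serves for each domain, because a wrong webroot or an unreachable port 80 is the usual reason the validation in step 5 fails. The following pre-flight script is an added example written for this page (it is not part of Certbot): it writes a throwaway token where Certbot would place its challenge file, fetches it through each domain the way the validation servers would, and removes it again. It assumes curl is installed and takes the webroot path and domain names as arguments.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for Certbot's webroot mode. Not part of Certbot.
# Assumes curl is installed; the webroot path and domains are passed as arguments.
set -u

# The path Let's Encrypt's validation servers fetch over plain HTTP during the HTTP-01 challenge.
CHALLENGE_DIR=".well-known/acme-challenge"

# place_probe WEBROOT: write a throwaway token file where Certbot would put its
# challenge file, and print the token name. Fails if the directory is not writable.
place_probe() {
    local dir="$1/$CHALLENGE_DIR" token
    mkdir -p "$dir" 2>/dev/null || return 1
    token="preflight-$$-$(date +%s)"
    printf 'ok\n' > "$dir/$token" 2>/dev/null || return 1
    echo "$token"
}

# probe_path WEBROOT TOKEN: the file the web server must map the challenge URL to.
probe_path() { echo "$1/$CHALLENGE_DIR/$2"; }

# probe_url DOMAIN TOKEN: the URL the validation servers request (HTTP, port 80).
probe_url() { echo "http://$1/$CHALLENGE_DIR/$2"; }

# remove_probe WEBROOT TOKEN: clean up the token file.
remove_probe() { rm -f "$1/$CHALLENGE_DIR/$2"; }

# fetch_probe DOMAIN TOKEN: fetch the token the way a validator would, following
# redirects (Let's Encrypt follows HTTP->HTTPS redirects too), and expect the body "ok".
fetch_probe() {
    local body
    body=$(curl -fsSL --max-time 10 "$(probe_url "$1" "$2")") || return 1
    [ "$body" = "ok" ]
}

# preflight WEBROOT DOMAIN...: place a token, fetch it through every domain, clean up.
preflight() {
    local webroot="$1" token rc=0 d
    shift
    token=$(place_probe "$webroot") \
        || { echo "cannot write to $webroot/$CHALLENGE_DIR (check the -w path and permissions)" >&2; return 1; }
    for d in "$@"; do
        if fetch_probe "$d" "$token"; then
            echo "$d: OK, $(probe_url "$d" "$token") served $(probe_path "$webroot" "$token")"
        else
            echo "$d: FAILED to fetch $(probe_url "$d" "$token"); check that the domain points at this host, that port 80 is reachable, and that any redirect still serves the challenge path" >&2
            rc=1
        fi
    done
    remove_probe "$webroot" "$token"
    return "$rc"
}

# Usage: sudo ./webroot-preflight.sh /path/to/your/webroot/directory yourdomain.com www.yourdomain.com
if [ $# -ge 2 ]; then preflight "$@"; fi
```

Because certonly only obtains the certificate, your web server configuration still has to reference the files from step 6 (fullchain.pem and privkey.pem under /etc/letsencrypt/live/yourdomain.com/) yourself, and it has to be reloaded after each renewal for the new certificate to be served.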

Check that automatic renewal is enabled

After confirming that the --dry-run renewal works, make sure a renewal timer is actually installed, using the systemctl list-timers command:

systemctl list-timers
NEXT                        LEFT           LAST                        PASSED       UNIT                         ACTIVATES
Fri 2023-10-27 17:09:00 UTC 17min left     Fri 2023-10-27 16:39:02 UTC 12min ago    phpsessionclean.timer        phpsessionclean.service
Fri 2023-10-27 19:35:21 UTC 2h 43min left  Fri 2023-10-27 10:26:51 UTC 6h ago       apt-daily.timer              apt-daily.service
Fri 2023-10-27 20:14:00 UTC 3h 22min left  n/a                         n/a          snap.certbot.renew.timer     snap.certbot.renew.service
Fri 2023-10-27 20:14:38 UTC 3h 23min left  Fri 2023-10-27 14:00:06 UTC 2h 51min ago ua-timer.timer               ua-timer.service
Fri 2023-10-27 21:00:05 UTC 4h 8min left   Fri 2023-10-27 12:22:57 UTC 4h 28min ago fwupd-refresh.timer          fwupd-refresh.service
Sat 2023-10-28 00:00:00 UTC 7h left        Fri 2023-10-27 00:00:06 UTC 16h ago      logrotate.timer              logrotate.service

After some time, you can also check the logs:

journalctl -u snap.certbot.renew.timer
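To make this timer check scriptable, here is an added example (written for this page, not part of Certbot) that scans the systemctl list-timers output for the two unit names the common installs use, the snap's snap.certbot.renew.timer and the distribution package's certbot.timer, and reports whether the timer is scheduled and when it last ran. A LAST column of n/a, as in the listing above, only means the timer has not fired yet since it was installed; a NEXT column of n/a means the timer is inactive and renewals will not run. The listing embedded in the script is a copy of the one above, kept as constructed input so the parsing can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example: verify that a Certbot renewal timer is installed and scheduled.
# Not part of Certbot; the unit names are the ones the snap and the Debian/Ubuntu package install.
set -u

CERTBOT_TIMERS="snap.certbot.renew.timer certbot.timer"

# Copy of the listing shown above (constructed test input so the script can run offline).
SAMPLE_LISTING='NEXT                        LEFT           LAST                        PASSED       UNIT                         ACTIVATES
Fri 2023-10-27 17:09:00 UTC 17min left     Fri 2023-10-27 16:39:02 UTC 12min ago    phpsessionclean.timer        phpsessionclean.service
Fri 2023-10-27 20:14:00 UTC 3h 22min left  n/a                         n/a          snap.certbot.renew.timer     snap.certbot.renew.service
Sat 2023-10-28 00:00:00 UTC 7h left        Fri 2023-10-27 00:00:06 UTC 16h ago      logrotate.timer              logrotate.service'

# certbot_timer_line: read a `systemctl list-timers --all` listing on stdin and print
# the line for the first Certbot timer found; return 1 if there is none.
certbot_timer_line() {
    local line t
    while IFS= read -r line; do
        for t in $CERTBOT_TIMERS; do
            case " $line " in *" $t "*) echo "$line"; return 0 ;; esac
        done
    done
    return 1
}

# timer_unit LINE: the UNIT column (second to last field).
timer_unit() { printf '%s\n' "$1" | awk '{print $(NF-1)}'; }

# timer_state LINE: "scheduled" when NEXT holds a date, "inactive" when it is n/a
# (an inactive timer is listed only with --all and will never trigger a renewal).
timer_state() {
    case "$1" in
        n/a*) echo inactive ;;
        *)    echo scheduled ;;
    esac
}

# last_run LINE: the LAST column, or "never" if the timer has not fired yet.
last_run() {
    local rest
    case "$1" in
        n/a*) set -- $1; shift 2; rest="$*" ;;   # NEXT and LEFT are both n/a
        *)    rest=${1#* left } ;;               # LEFT always ends with the word "left"
    esac
    set -- $rest
    if [ "$1" = "n/a" ]; then echo never; else echo "$1 $2 $3 $4"; fi
}

# check_renewal_timer: run against the live system and show the recent log lines
# of both the timer and the service it activates.
check_renewal_timer() {
    local line unit
    line=$(systemctl list-timers --all --no-pager | certbot_timer_line) \
        || { echo "no Certbot timer found; renewals will not run automatically" >&2; return 1; }
    unit=$(timer_unit "$line")
    echo "$unit: $(timer_state "$line"), last run: $(last_run "$line")"
    journalctl -u "$unit" -u "${unit%.timer}.service" --no-pager -n 20
}

# Usage: ./renewal-timer-check.sh --check
if [ "${1:-}" = "--check" ]; then check_renewal_timer; fi
```

If the script reports "inactive", enable the timer with systemctl enable --now on the unit it printed; if it finds no timer at all, the install did not register one and renewals depend entirely on whatever cron job or manual process you set up instead.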