Let’s Encrypt is operated by a non-profit called Internet Security Research Group (ISRG). ISRG’s mission is to reduce financial, technological, and education barriers to secure communication over the Internet. It uses ACME to create the certificate for your environment, which is trusted all over the globe.
We learned how to create a server and get a website up and running in the previous blog post, but creating a server and a website is not enough in the digital world. So, I have come up with a blog post about the security of the website.
It’s time for encrypted communications to be the default on the Web, and Let’s Encrypt is going to make it happen. You can read more about becoming a partner of Let’s Encrypt here.
I am assuming here that you have the latest server software installed on your environment. If you haven’t, you can install it using the following commands.
sudo apt update
sudo apt upgrade
sudo yum update
sudo yum upgrade
Download or clone the Let’s Encrypt repository. Here I am assuming that you have git installed.
sudo git clone https://github.com/letsencrypt/letsencrypt /letsencrypt
cd /letsencrypt
If anything on your server is running on port 80, you need to stop that server software first, i.e. stop apache2 or httpd. Otherwise, Let’s Encrypt will give you an error message or be unable to generate the certificate.
Create the certificate using the letsencrypt command.
Let’s Encrypt automatically performs Domain Validation using a series of challenges. The CA uses challenges to verify the authenticity of your server’s domain.
Here is the syntax for the letsencrypt-auto command.
letsencrypt-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
You can also use multiple -d switches to specify the multiple domains for which you want to generate the certificate. Here is the command to generate the certificate. This command will generate the certificate for 6 months.
sudo -H ./letsencrypt-auto certonly --standalone -d www.yoursite.com -d yoursite.com
When you run the command, it will ask you a series of questions, which include the administrative email address. The administrative email address is very important in case of any security notice or if you need to regain the certificate.
If all goes well, the process creates a certificate for you.
You can renew the same certificate by adding the --renew-by-default switch to the command that creates the certificate. So, the command to renew the certificate is as follows.
sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d www.yoursite.com -d yoursite.com
You can also automate the certificate renewal using a cron job, but for that, you need to have more knowledge about crontab.
Following is the command to renew the certificate non-interactively.
Add the above command to the crontab file as follows.
0 0 1 * * /letsencrypt/letsencrypt-auto renew
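A certificate issued with --standalone also needs port 80 free when it is renewed, so an unattended cron run fails while the web server is up. The wrapper below is an added example, not part of the original post or of the Let’s Encrypt project: it stops the web server, runs the renewal, and restarts the server even when renewal fails. The service name apache2, the `service` command, the `--run` argument and the exit codes 2 and 3 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: cron wrapper for renewing a --standalone certificate.
# Assumptions (not from the original post): the web server is managed with
# `service` under the name apache2, and the script is started with --run.

# Path of the clone made earlier in the post; override via the environment.
LE_AUTO="${LE_AUTO:-/letsencrypt/letsencrypt-auto}"
WEB_SERVICE="${WEB_SERVICE:-apache2}"
SERVICE_CMD="${SERVICE_CMD:-service}"

# Exit status: the renewal's own status, 2 if the web server could not be
# stopped (renewal skipped), 3 if it could not be started again.
renew_standalone() {
    # Standalone mode binds port 80 itself, so the web server must be down.
    if ! "$SERVICE_CMD" "$WEB_SERVICE" stop; then
        echo "could not stop $WEB_SERVICE; renewal skipped" >&2
        return 2
    fi

    # Record the result but do not return yet: the site is down right now.
    renew_rc=0
    "$LE_AUTO" renew || renew_rc=$?

    # Bring the site back whether or not the renewal worked.
    if ! "$SERVICE_CMD" "$WEB_SERVICE" start; then
        echo "renewal status $renew_rc, but $WEB_SERVICE did not start" >&2
        return 3
    fi

    if [ "$renew_rc" -ne 0 ]; then
        echo "renewal failed with status $renew_rc" >&2
    fi
    return "$renew_rc"
}

# Only act when asked to, e.g. from cron: <path to this script> --run
if [ "${1:-}" = "--run" ]; then
    renew_standalone
    exit $?
fi
```

A non-zero exit status from the cron job is the signal to look at the certificate before it expires.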
Here you can find the Integration guide for Let’s Encrypt that you need to consider. Let’s Encrypt also has some rate limits. So, please read both documents before using it in production. Thank you.