If you have your own dedicated or virtual server you most likely have an administrative access which is awesome & dangerous all at the same time.
We’ll use a service called Let’s Encrypt to generate the SSL certificate for a selected domain.
There are several things to keep in mind.
- The Let’s Encrypt certificates are free
- Let’s Encrypt certificates expire in 90 days
- You will get a notification when the certificate is due for renewal (sent to the email address you supply when you request the certificate).
- It’s good to use --dry-run initially, because if there are too many failed attempts Let’s Encrypt will block you (temporarily) and you won’t be able to request an SSL certificate for several days (or about a week)
- You need to have root access
- You can’t have a wildcard SSL certificate e.g. *.example.com
- Your server must allow access to the example.com/.well-known/ folder
Test if your webserver allows access to .well-known
Let’s Encrypt needs to verify that you really have access to the domain so it does some checks. To successfully complete those checks it needs to create some temporary files in a folder called .well-known which resides in your site’s document root folder.
To test whether the folder is accessible, create it, put a text file in it and then try to open that file from a browser.
echo 123 > .well-known/test.txt
Visit your website from the browser by entering this address (with example.com replaced by your own domain): http://example.com/.well-known/test.txt
If you see 123 that means that the folder is accessible and you can proceed. Without this step the Let’s Encrypt verifications will fail.
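The same check, scripted so it can be repeated for every document root you manage. This is an added example, not part of the original post: the function writes a unique token (rather than a fixed 123) into .well-known/test.txt under the given webroot, fetches it back through the given base URL with curl, and only reports OK when the served content is exactly the token, which also catches the case where a different vhost or a cache answers for the name. The webroot path and base URL are arguments you supply; curl is assumed to be installed.

```shell
#!/bin/sh
# check_well_known WEBROOT BASE_URL
#   e.g. check_well_known /var/www/vhosts/example.com/www http://example.com
# Returns 0 when BASE_URL/.well-known/test.txt serves back the token we just wrote,
# 1 when the file is unreachable or a different file is served.
check_well_known() {
  webroot="$1"
  base_url="$2"
  # Unique content per run, so a stale file or a cached response cannot produce a false OK.
  token="letsencrypt-test-$$-$(date +%s)"

  mkdir -p "$webroot/.well-known" || return 1
  printf '%s\n' "$token" > "$webroot/.well-known/test.txt" || return 1

  # -f: treat HTTP 4xx/5xx as failure, -s/-S: quiet except for errors, -L: follow redirects
  # (a redirect to https is fine as long as the file is still served at the end).
  if ! served=$(curl -fsSL "$base_url/.well-known/test.txt" 2>/dev/null); then
    echo "FAIL: $base_url/.well-known/test.txt is not reachable; check the vhost config, aliases and directory permissions" >&2
    rm -f "$webroot/.well-known/test.txt"
    return 1
  fi
  rm -f "$webroot/.well-known/test.txt"

  if [ "$served" = "$token" ]; then
    echo "OK: .well-known under $webroot is served at $base_url"
    return 0
  fi
  echo "FAIL: expected '$token' but got '$served'; another document root, vhost or cache answered for $base_url" >&2
  return 1
}
```

Run it once per domain before requesting a certificate; a FAIL here is exactly the condition that would otherwise make the Let’s Encrypt challenge fail and count against the rate limit.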
To proceed you need to log in as root or switch to root.
Download (clone) the Let’s Encrypt tools from GitHub.
It will be a lot easier to update them later by running git pull while in the /opt/letsencrypt folder.
# Credit: https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
chmod 0755 /opt/letsencrypt/certbot-auto
Request the SSL certificate
Before you go ahead you need to do some thinking. I know it’s hard but still 🙂
Let’s Encrypt allows you to use one SSL certificate for multiple domains and subdomains. I advise you against that.
Be specific about which (sub)domains you need the SSL certificate for. I highly recommend that you request only one domain per certificate. Do make sure you also include the www subdomain, e.g. example.com and www.example.com.
The issue with having one SSL certificate serve multiple domains or subdomains is that if one of them is not accessible the whole SSL certificate renewal process will fail. For example, you’ve requested the certificate to be issued for example.com & example.net (+ their www prefixes) and you have since moved example.net to another server to use it for something else, e.g. a staging server. Let’s Encrypt won’t be able to verify example.net because it needs to access files on the same server that is requesting the renewal.
To recap: use one SSL certificate per domain.
Before you run the following command as root, make sure that the document root folder /var/www/vhosts/example.com/www/ exists and that you’ve replaced example.com with your own domain.
/opt/letsencrypt/certbot-auto certonly --webroot --webroot-path /var/www/vhosts/example.com/www/ --no-eff-email --noninteractive --verbose --rsa-key-size 4096 --email email@example.com --text --agree-tos -d example.com -d www.example.com 2>&1 | tee -a ssl.log
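The two points made above, one domain (plus its www name) per certificate and a --dry-run before the real request so a misconfigured webroot does not eat into the rate limit, fit naturally into a small wrapper. This is an added example, not code from the original post or from the certbot project: request_cert takes a domain, an email address and the document root, builds the same certonly argument list as the command above, runs it once with --dry-run (which goes to the staging environment and is not rate-limited), and only if that succeeds runs it for real. It assumes certbot-auto is at /opt/letsencrypt/certbot-auto as cloned above; set CERTBOT to use another certbot binary and LOG to change the log file.

```shell
#!/bin/sh
# Defaults; both can be overridden from the environment.
CERTBOT="${CERTBOT:-/opt/letsencrypt/certbot-auto}"
LOG="${LOG:-ssl.log}"

# certbot_args DOMAIN EMAIL WEBROOT
#   Prints the certonly argument list for exactly one domain and its www name.
certbot_args() {
  printf '%s ' certonly --webroot --webroot-path "$3" \
    --no-eff-email --noninteractive --verbose --text --agree-tos \
    --rsa-key-size 4096 --email "$2" \
    -d "$1" -d "www.$1"
}

# request_cert DOMAIN EMAIL WEBROOT
#   0 when the dry run and then the real request both succeed, 1 otherwise.
#   Output of both certbot runs is appended to $LOG.
request_cert() {
  domain="$1"; email="$2"; webroot="$3"

  if [ ! -d "$webroot" ]; then
    echo "document root $webroot does not exist; create it before requesting $domain" >&2
    return 1
  fi

  # Build the argument list as positional parameters so paths with spaces survive.
  set -- certonly --webroot --webroot-path "$webroot" \
    --no-eff-email --noninteractive --verbose --text --agree-tos \
    --rsa-key-size 4096 --email "$email" \
    -d "$domain" -d "www.$domain"

  # 1. Rehearse against the staging environment. A failure here (unreachable
  #    .well-known, DNS pointing elsewhere) costs nothing in rate-limit terms.
  if ! "$CERTBOT" "$@" --dry-run >>"$LOG" 2>&1; then
    echo "dry run for $domain failed; fix the webroot/DNS before retrying (details in $LOG)" >&2
    return 1
  fi

  # 2. The rehearsal passed, so issue the real certificate. This run counts
  #    toward Let's Encrypt's rate limits, which is why it never comes first.
  if ! "$CERTBOT" "$@" >>"$LOG" 2>&1; then
    echo "certificate request for $domain failed (details in $LOG)" >&2
    return 1
  fi

  echo "certificate for $domain and www.$domain issued; log in $LOG"
  return 0
}
```

Call it once per domain, e.g. request_cert example.com email@example.com /var/www/vhosts/example.com/www/; a second domain gets its own call and therefore its own certificate, so moving one site to another server later breaks only that site's renewal.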
It will take about a minute and if all goes well you should have these files.
The next step is to install the SSL certificate on your server.
As mentioned earlier the SSL certificate will expire within 90 days.
To set up the renewal check the article called How to Automatically Renew an SSL Certificate Issued by Let’s Encrypt