About Let's Encrypt
To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA).
Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.
Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.
First, install the Certbot client by typing
apt install -y certbot
It is needed to order our future SSL certificates.
Order SSL certificates
There are several ways to get an SSL certificate.
The advantage of standalone mode is that it does not depend on the web server type or on which applications are already running on the server.
You must stop any web server or application that uses port 80 (for --preferred-challenges http) or port 443 (for --preferred-challenges tls-sni). Use netstat to check whether the port is free or busy.
If nginx is already installed, you can type
systemctl stop nginx.service
before ordering your certificate and restart it after the order, or you can use the pre-hook and post-hook arguments, for example
certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
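The netstat check described above can be scripted as a pre-flight test before running certbot in standalone mode. This is an added example, not part of the original page or of certbot; the function names are illustrative, and it assumes the column layout of Linux `netstat -ltn` output.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for
# `certbot certonly --standalone`. Function names are illustrative.

# Map the challenge type used on this page to the port certbot must bind.
challenge_port() {
    case "$1" in
        http)    echo 80 ;;
        tls-sni) echo 443 ;;
        *)       return 1 ;;
    esac
}

# Read `netstat -ltn` output on stdin; succeed if a socket LISTENs on exactly
# port $1. Splitting on ":" handles both 0.0.0.0:80 and :::80, and comparing
# the last piece avoids false hits on 8080 or 4430.
port_in_use() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] == port) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Print "busy" or "free" for the given challenge type, reading netstat
# output on stdin. Unknown challenge types return status 2.
standalone_status() {
    port=$(challenge_port "$1") || return 2
    if port_in_use "$port"; then echo busy; else echo free; fi
}

# Constructed sample of `netstat -ltn` output (not captured from a real host).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

for type in http tls-sni; do
    printf '%s challenge: port is %s\n' "$type" \
        "$(printf '%s\n' "$SAMPLE" | standalone_status "$type")"
done
# On a real host: netstat -ltn | standalone_status http
```

If the result is busy, stop the service that holds the port (or use the hooks shown above) before ordering the certificate.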
Using port 443
sudo certbot certonly --standalone --rsa-key-size 4096 --preferred-challenges tls-sni -d your.hostname.com
If you get this message
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
it is because an older version of certbot is installed; upgrade it to the latest version and it will work fine.
Using port 80
sudo certbot certonly --standalone --rsa-key-size 4096 --preferred-challenges http -d your.domain.com
Once you have ordered your certificates, they are stored under
/etc/letsencrypt/live/your.domain.com/ as you can see below.
ls -l /etc/letsencrypt/live/your.domain.com
total 4
lrwxrwxrwx 1 root root 42 Sep 12 00:32 cert.pem -> ../../archive/your.domain.com/cert1.pem
lrwxrwxrwx 1 root root 43 Sep 12 00:32 chain.pem -> ../../archive/your.domain.com/chain1.pem
lrwxrwxrwx 1 root root 47 Sep 12 00:32 fullchain.pem -> ../../archive/your.domain.com/fullchain1.pem
lrwxrwxrwx 1 root root 45 Sep 12 00:32 privkey.pem -> ../../archive/your.domain.com/privkey1.pem
-rw-r--r-- 1 root root 543 Sep 12 00:32 README
Now you can use your certificates anywhere you need an SSL encryption layer! In addition, Let's Encrypt is totally open source and free of charge.