How to generate a free Let's Encrypt SSL certificate

  • Install Let's Encrypt certbot


    Let's Encrypt provides free SSL certificates that are valid for 3 months from the time they are issued.

    In this example we will be using CentOS 7.

    First, we need to install the epel-release repository:

    yum -y install epel-release 
    

    Then, install the following packages:

    yum -y install yum-utils certbot 
    

    Certbot will be the binary that we will be using for the certificate generation.

    There are a few ways to proceed from here. The most common is to install certbot on the web server itself and let it automatically update the Apache or nginx configuration files. Nevertheless, even though it takes a few more minutes, we strongly recommend generating the certificate by creating a DNS TXT record instead.

    The reason is simple: the certificate can be generated on any machine and the resulting files copied to the corresponding server, and the existing server configuration is not modified automatically.

    Generate the certificate

    certbot -d mydomain.com --manual --preferred-challenges dns certonly
    

    This will generate the following output:

    [root@myserver]#  certbot  -d  mydomain.com --manual --preferred-challenges dns certonly
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for  mydomain.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.mydomain.com with the following value:
    
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    

    Now, what we need to do is create the requested TXT record with the corresponding value. We recommend setting a TTL of 1 min for the new record.
    Once done, wait 1 to 2 minutes and press Enter.

    This will generate the necessary files under /etc/letsencrypt/archive/mydomain.com

    [root@myserver]# ls -la /etc/letsencrypt/archive/mydomain.com/
    total 20
    drwxr-xr-x.  2 root root   79 Jan 13 21:40 .
    drwx------. 11 root root 4096 Jan 13 21:40 ..
    -rw-r--r--.  1 root root 1915 Jan 13 21:40 cert1.pem
    -rw-r--r--.  1 root root 1647 Jan 13 21:40 chain1.pem
    -rw-r--r--.  1 root root 3562 Jan 13 21:40 fullchain1.pem
    -rw-------.  1 root root 1704 Jan 13 21:40 privkey1.pem
    

    You can then copy fullchain1.pem and privkey1.pem to your web server.
    For an nginx server, the config file will look similar to:

        server {
            listen 443 ssl;
            server_name mydomain.com;

            # files copied from /etc/letsencrypt/archive/mydomain.com/ (see above)
            ssl_certificate /etc/nginx/certs/fullchain1.pem;
            ssl_certificate_key /etc/nginx/certs/privkey1.pem;

            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
            ssl_verify_client off;
            ssl_session_timeout 5m;
            ssl_protocols TLSv1.2;
            # one directive, one semicolon (a stray ";;" makes nginx refuse the config);
            # the *-AES256-GCM-SHA512 names in the original list are not OpenSSL cipher names and were dropped
            ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
            ssl_prefer_server_ciphers on;
        }
    

    Finally, do not forget to create a CAA record at your DNS provider.
    A Certification Authority Authorization (CAA) record lets the domain owner declare which certificate authorities (CAs) are allowed to issue certificates for the domain.

    The value names the CA that may issue, so for Let's Encrypt the record looks like this (the leading flags field is 0 for a normal, non-critical record):

    0 issue "letsencrypt.org"
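A CAA record is only useful if it says what you think it says: a value that names anything other than the CA's domain (your own domain, for instance) blocks every CA, including Let's Encrypt, and the next renewal will fail with a CAA error. The script below is an added example, not from the original post; it uses only the Python standard library and constructed sample records. It parses records in the zone-file form shown above and applies the RFC 8659 issuance rules (issue, issuewild, critical flag, empty issuer) so you can check the record before the CA does; it goes beyond the single record on the page by also handling wildcard names and unknown critical tags.

```python
# Added example (not from the original post): parse CAA records as written in a
# DNS zone and apply the RFC 8659 issuance rules to them, to confirm that the
# record you created really lets Let's Encrypt issue. Standard library only;
# all sample records are constructed.
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit value 128 = "issuer critical"
    tag: str     # issue, issuewild, iodef, ...
    value: str   # CA domain, optionally followed by "; param=value" pairs


_CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(rdata: str) -> CAARecord:
    """Parse the presentation format '<flags> <tag> "<value>"'."""
    m = _CAA_RE.match(rdata)
    if m is None:
        raise ValueError(f"not a CAA record: {rdata!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError("CAA flags field is a single octet")
    return CAARecord(flags, m.group(2).lower(), m.group(3))


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.
    An empty issuer (value ';' or '') means 'no CA may issue'."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def caa_permits(records: Iterable[CAARecord], ca_domain: str,
                wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether `ca_domain` may issue for a name whose relevant CAA
    RRset is `records` (RFC 8659 section 4). Returns (permitted, reason)."""
    rrset: List[CAARecord] = list(records)
    ca_domain = ca_domain.lower().rstrip(".")
    if not rrset:
        return True, "no CAA records: any CA may issue"
    # A CA that does not understand a critical property must not issue.
    unknown_critical = [r for r in rrset if r.flags & 128 and r.tag not in KNOWN_TAGS]
    if unknown_critical:
        return False, f"unknown critical tag '{unknown_critical[0].tag}'"
    # For wildcard names, issuewild records take precedence; without any,
    # the issue records apply to the wildcard as well.
    relevant = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in rrset if r.tag == "issue"]
    if not relevant:
        return True, "no issue/issuewild records: any CA may issue"
    allowed = {issuer_domain(r.value) for r in relevant} - {""}
    if ca_domain in allowed:
        return True, f"{ca_domain} is listed"
    return False, f"{ca_domain} not in {sorted(allowed) or ['<no CA>']}"


if __name__ == "__main__":
    # Constructed zone: the record recommended above plus an incident contact
    zone = ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@mydomain.com"']
    rrset = [parse_caa(r) for r in zone]
    print(caa_permits(rrset, "letsencrypt.org"))
    print(caa_permits(rrset, "letsencrypt.org", wildcard=True))
    # A record naming your own domain instead of a CA blocks every CA:
    print(caa_permits([parse_caa('128 issue "mydomain.com"')], "letsencrypt.org"))
```

Run it against the records you actually published (copy them from your DNS provider's zone view); the reason string tells you which rule decided the outcome. The lookup walk itself (a CA climbs from the FQDN to its parents until it finds a CAA RRset) is left out, so pass in the RRset of the closest name that has one.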
    