Set up SSL Certificates in 5 Minutes Using Let’s Encrypt

Installing SSL certificates on your server can be a complex and time-consuming task. Let’s Encrypt simplifies this process and allows you to set up a free SSL certificate on your Web site in just a few minutes.

Install Let’s Encrypt

The Let’s Encrypt library is installed through git, which means that you will need to install git on your server first. If you don’t have it already, run the following command:

sudo apt-get update
sudo apt-get install git

After that, install Let’s Encrypt by cloning its repository:

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

This will copy the repository into the /opt/letsencrypt/ directory. Although it can be copied to any place in the filesystem, it is good practice to store it in the /opt folder, because that folder is usually used for third-party software in Ubuntu.

Install the SSL Certificate

To set up an SSL certificate, navigate to the directory where Let’s Encrypt is located and run the installer:

./letsencrypt-auto --apache -d mydomain.com

For multiple domains or subdomains, do the following:

./letsencrypt-auto --apache -d mydomain.com -d www.mydomain.com

And that’s it. Let’s Encrypt will guide you through the installation process, generate the SSL files and configure the Apache Web server.

Auto-renew the Certificates

Let’s Encrypt SSL certificates are valid for only 3 months (90 days). After that, they expire and have to be renewed. Fortunately, there is a command that solves this problem: it checks all certificates installed on the system and renews the ones that will expire in less than 30 days. The renew command is the following:

./letsencrypt-auto renew

It is good practice to configure a cron job that runs the renewal command at regular intervals. For example, to run the renewal command every Monday at 2 a.m., edit the crontab:

sudo crontab -e

And add the following line:

0 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
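A scheduled renewal can fail silently, so it helps to verify independently that no certificate has slipped into the 30-day renewal window. The script below is an added example, not part of the original post or of the Let’s Encrypt client; the certificate path in its usage comment is an assumption (the client’s default live directory) and should be adjusted to your setup.

```shell
#!/bin/sh
# Added example: flag certificates that are inside the 30-day renewal window.
RENEW_WINDOW_DAYS=30

# cert_expires_within FILE DAYS
# Returns 0 if FILE expires within DAYS days (or has already expired),
# 1 if it stays valid longer, 2 if FILE is not a readable certificate.
cert_expires_within() {
    [ -r "$1" ] || return 2
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_certs FILE...
# Prints one status line per file and returns how many need attention.
check_certs() {
    problems=0
    for cert in "$@"; do
        rc=0
        cert_expires_within "$cert" "$RENEW_WINDOW_DAYS" || rc=$?
        case $rc in
            1) echo "OK      $cert $(openssl x509 -in "$cert" -noout -enddate)" ;;
            0) echo "RENEW   $cert $(openssl x509 -in "$cert" -noout -enddate)"
               problems=$((problems + 1)) ;;
            *) echo "INVALID $cert"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Usage: sh check-certs.sh /etc/letsencrypt/live/mydomain.com/cert.pem
# (assumed path: the client's default live directory; adjust to your setup)
if [ "$#" -gt 0 ]; then
    check_certs "$@"
fi
```

The script exits non-zero when any certificate is due for renewal or unreadable, so a monitoring job can alert on its exit status.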

What’s Happening Under the Hood

Let’s Encrypt executes a number of commands without you even noticing. If you were to do the entire process manually, here is how it would go. First, activate the Apache SSL module and restart the server:

sudo a2enmod ssl
sudo service apache2 restart

Create a directory where you would store the SSL certificate files:

sudo mkdir /etc/apache2/ssl

Then, generate the key and a self-signed certificate with OpenSSL:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/mydomain.key -out /etc/apache2/ssl/mydomain.crt

After running this command, it will ask you a number of questions. Although most of them are self-explanatory, pay attention to the Common Name (e.g. server FQDN or YOUR name), where you would enter your domain name (e.g. mydomain.com) or the server’s IP address (if you don’t have a domain name).

After generating the files, you need to configure Apache to use the SSL certificate. Create a new configuration file:

sudo nano /etc/apache2/sites-available/mydomain-ssl.conf

And paste this code:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin [email protected]
        ServerName mydomain.com
        ServerAlias www.mydomain.com
        # Path in the filesystem where the website is located
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        # Location where certificate .key and .crt files are stored
        SSLCertificateFile /etc/apache2/ssl/mydomain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

Activate the configuration and restart Apache:

sudo a2ensite mydomain-ssl.conf
sudo service apache2 restart

That’s it, you are ready to go.
