Free SSL Certificates

To enable HTTPS on your website, you need to get a certificate from a Certificate Authority (CA). Let’s Encrypt is a CA...and free is always good!

Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

In addition to the price, one of the attractive parts of this solution is that it doesn't really require you to prove ownership of the DNS domain: if a DNS name already resolves to your host, you can get an SSL certificate for that domain and hostname. This might actually be an issue for some organizations if they require the use of their own CA.

Certbot is the easiest way to get started with Let's Encrypt if you have SSH and root access to the host. Follow the instructions on the Certbot website to install it on your particular OS. Make sure that your firewall/security group allows incoming traffic on port 80, and if something is already listening on port 80, shut it down temporarily and run:

sudo certbot certonly --standalone

Certbot will ask you for the DNS name associated with the host and will start a process listening on port 80. If the Let's Encrypt service can reach that process from the internet, your SSL certificate will be issued. It's really that easy!

☑ Quick tip: if you're using Cloudflare for DNS, make sure to turn OFF "Proxied" mode for that record, or Certbot's challenge will fail to reach the host.

Once you have a certificate, you'll need to concatenate the certificate chain and the private key into a single PEM file, which is the format your web server expects. In this example we'll be using HAProxy as our server; replace your.dns.name with your DNS hostname:

sudo mkdir -p /etc/haproxy/ssl/

sudo cat /etc/letsencrypt/live/your.dns.name/fullchain.pem \
    /etc/letsencrypt/live/your.dns.name/privkey.pem \
    | sudo tee /etc/haproxy/ssl/cert.pem

# The bundle now contains the private key, so keep it readable by root only
sudo chmod 600 /etc/haproxy/ssl/cert.pem

Let’s Encrypt certificates are valid for 90 days, so you need to be ready to handle the renewal process.

To test this, you can run:

sudo certbot renew --dry-run

If the dry run is successful, open root's crontab:

sudo crontab -e

and add the following entry (the --deploy-hook option needs the path of the script to run):

43 6 * * * certbot renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/start.sh

The --deploy-hook option makes Certbot execute a script, but only if the certificate renewal is successful. Any executable script placed in /etc/letsencrypt/renewal-hooks/deploy/ is also picked up automatically by certbot renew, so the flag is optional once the script lives there. You can create this script:

sudo nano /etc/letsencrypt/renewal-hooks/deploy/start.sh

#!/bin/sh
# Certbot runs this hook as root after a successful renewal, so sudo is not needed
set -e
cat /etc/letsencrypt/live/your.dns.name/fullchain.pem \
    /etc/letsencrypt/live/your.dns.name/privkey.pem \
    > /etc/haproxy/ssl/cert.pem
# The bundle contains the private key: keep it readable by root only
chmod 600 /etc/haproxy/ssl/cert.pem
service haproxy restart

Certbot only runs hooks that are executable, so make the script executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/start.sh
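A more defensive version of that deploy hook, added here as an example and not part of the original post: it rebuilds the bundle from the lineage Certbot just renewed, never leaves the private key world-readable, sanity-checks the bundle layout and only reloads HAProxy if its configuration still validates. RENEWED_LINEAGE is the environment variable Certbot sets for deploy hooks; HAPROXY_PEM and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a more defensive deploy hook.
# It rebuilds the HAProxy bundle from the lineage certbot just renewed, keeps
# the private key owner-readable only, sanity-checks the result and reloads
# HAProxy only if its config still validates.
# Assumptions: RENEWED_LINEAGE is set by certbot for deploy hooks (it is);
# HAPROXY_PEM and the function names are this example's own.
set -eu

HAPROXY_PEM="${HAPROXY_PEM:-/etc/haproxy/ssl/cert.pem}"

# $1 = lineage dir (e.g. /etc/letsencrypt/live/your.dns.name), $2 = output PEM
build_haproxy_pem() {
    lineage="$1"; out="$2"
    mkdir -p "$(dirname "$out")"
    tmp="$out.tmp.$$"
    # umask 077 in a subshell: the temp file is never world-readable, even briefly
    ( umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" )
    mv -f "$tmp" "$out"            # atomic swap: HAProxy never reads a half-written file
    chmod 600 "$out"
}

# Structural check of a bundle: one or more CERTIFICATE blocks, exactly one
# PRIVATE KEY block, and the key after the certificates (the layout HAProxy expects).
check_pem_bundle() {
    f="$1"
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    [ "$certs" -ge 1 ] || return 1
    [ "$keys" -eq 1 ] || return 1
    first_cert=$(grep -n -e '-----BEGIN CERTIFICATE-----' "$f" | head -n 1 | cut -d: -f1)
    key_line=$(grep -n -e '-----BEGIN .*PRIVATE KEY-----' "$f" | cut -d: -f1)
    [ "$key_line" -gt "$first_cert" ]
}

deploy() {
    build_haproxy_pem "$RENEWED_LINEAGE" "$HAPROXY_PEM"
    check_pem_bundle "$HAPROXY_PEM" || { echo "malformed bundle, not reloading" >&2; return 1; }
    # validate the config before reloading so a bad bundle cannot take the proxy down
    haproxy -c -q -f /etc/haproxy/haproxy.cfg && service haproxy reload
}

# Only act when certbot invoked us; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy
fi
```

Drop it in as /etc/letsencrypt/renewal-hooks/deploy/start.sh (executable) and it replaces the simpler script above; the reload instead of restart keeps existing connections open.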

Tagged with:
encryption