How to get a free SSL certificate
Let’s Encrypt is a Certificate Authority (CA) that provides free certificates for Transport Layer Security (TLS) encryption, thereby enabling encrypted HTTPS on web servers. It simplifies the process of creation, validation, signing, installation, and renewal of certificates by providing a software client that automates most of the steps—Certbot.
Here we will use Certbot to set up a TLS/SSL certificate from Let’s Encrypt on a CentOS 7 server running Apache as a web server.
Prerequisites
- A registered domain name with valid A records that point back to your server’s public IP address.
- Apache server installed with the SSL module enabled, and Virtual Hosting enabled in case you’re hosting multiple domains or subdomains.
Step 1: Install Apache Web Server
1. If it is not already installed, install the httpd daemon by issuing the command below:
# yum install httpd
2. For the Let’s Encrypt software to work with Apache, ensure that the SSL/TLS module is installed by issuing the command below:
# yum -y install mod_ssl
3. Finally, start the Apache server with the following command:
# systemctl start httpd.service [On RHEL/CentOS 7]
# service httpd start [On RHEL/CentOS 6]
Step 2 — Installing the Certbot Let’s Encrypt Client
To use Let’s Encrypt to obtain an SSL certificate, you first need to install Certbot and mod_ssl, an Apache module that provides support for SSL v3 encryption.
The certbot package is not available through the package manager by default. You will need to enable the EPEL repository to install Certbot.
To add the CentOS 7 EPEL repository, run the following command:
Now that you have access to the repository, install all of the required packages:
During the installation process, you will be asked about importing a GPG key. This key will verify the authenticity of the package you are installing. To allow the installation to finish, accept the GPG key by typing y and pressing ENTER when prompted to do so.
With these services installed, you’re now ready to run Certbot and fetch your certificates.
Step 3 — Obtaining a Certificate
Now that Certbot is installed, you can use it to request an SSL certificate for your domain.
Using the certbot Let’s Encrypt client to generate the SSL certificate for Apache automates many of the steps in the process. The client will automatically obtain and install a new SSL certificate that is valid for the domains you provide as parameters.
To execute the interactive installation and obtain a certificate that covers only a single domain, run the certbot command with:
This runs certbot with the --apache plugin and specifies the domain to configure the certificate for with the -d flag.
If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command, tagging each new domain or subdomain with the -d flag. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate. For this reason, pass the base domain name as first in the list, followed by any additional subdomains or aliases:
The base domain in this example is example.com.
The certbot utility can also prompt you for domain information during the certificate request procedure. To use this functionality, call certbot without any domains:
The program will present you with a step-by-step guide to customize your certificate options. It will ask you to provide an email address for lost key recovery and notices, and then prompt you to agree to the terms of service. If you did not specify your domains on the command line, you will be prompted for that as well. If your Virtual Host files do not specify the domain they serve explicitly using the ServerName directive, you will be asked to choose the virtual host file. In most cases, the default ssl.conf file will work.
You will also be able to choose between enabling both http and https access or forcing all requests to redirect to https. For better security, it is recommended to choose option 2: Redirect if you do not have any special need to allow unencrypted connections. Select your choice, then hit ENTER.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):2
When the installation is successfully finished, you will see a message similar to this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-08-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The generated certificate files will be available within a subdirectory named after your base domain in the /etc/letsencrypt/live directory.
Now that your certificates are downloaded, installed, and loaded, you can check your SSL certificate status to make sure that everything is working.
Step 4 — Checking your Certificate Status
At this point, you can ensure that Certbot created your SSL certificate correctly by using the SSL Server Test from the cloud security company Qualys.
Open the following link in your preferred web browser, replacing example.com with your base domain:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
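A local complement to the online test, as an added example that is not part of the original tutorial: it checks that privkey.pem matches fullchain.pem, that the certificate is not close to expiry, and that the key file is not accessible to group or others. The function names are hypothetical, the openssl command-line tool is assumed to be installed, and the sample pair built by make_sample_dir is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): offline checks on the files Certbot
# writes to /etc/letsencrypt/live/<base-domain>/. Helper names are hypothetical.

# True if the certificate's public key is the one derived from the private key.
key_matches_cert() {   # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True if the first (leaf) certificate in the file is still valid $2 days from now.
valid_for_days() {     # $1 = certificate, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True if the key file (symlinks followed) grants nothing to group or others.
key_is_private() {     # $1 = private key
    perms=$(ls -ldL "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run all three checks; print each failure and return non-zero if any failed.
check_live_dir() {     # $1 = live directory, $2 = minimum days left (default 30)
    rc=0; days=${2:-30}
    key_matches_cert "$1/fullchain.pem" "$1/privkey.pem" ||
        { echo "FAIL: privkey.pem does not match fullchain.pem"; rc=1; }
    valid_for_days "$1/fullchain.pem" "$days" ||
        { echo "FAIL: certificate expires within $days days"; rc=1; }
    key_is_private "$1/privkey.pem" ||
        { echo "FAIL: privkey.pem is accessible to group or others"; rc=1; }
    return "$rc"
}

# Constructed sample: a throwaway self-signed pair standing in for Certbot's output.
make_sample_dir() {    # $1 = directory, $2 = validity in days
    mkdir -p "$1" && ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=example.com" -days "$2" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1 )
}

# Usage: sh check_cert.sh /etc/letsencrypt/live/example.com [days]
if [ -n "${1:-}" ]; then check_live_dir "$@"; fi
```

Run it as root against the live directory, since privkey.pem is not readable by ordinary users; a non-zero exit status means at least one check failed.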