- Part 1 LAMP
- Part 2 Users
- Part 3 Upgrade PHP to 7.3
- Part 4 Apache Enable Mod rewrite
- Part 5 Composer
- Part 6 Virtual Hosts
- Part 7 Let's Encrypt
- Part 8 MySQL
- Part 9 Remote MySQL over SSH
- Part 10 Laravel
Setting up an SSL certificate enables HTTPS on the web server, which secures the traffic between the server and the clients connecting to it. Certbot is a free and automated way to set up SSL certificates on a server.
To use Certbot, you’ll need a registered domain name and two DNS records:
An A record from a domain (e.g., example.com) to the server’s IP address
An A record from a domain prefaced with www (e.g., www.example.com) to the server’s IP address
Additionally, if you’re using a virtual hosts file, you’ll need to make sure the server name directive in the VirtualHost block (e.g., ServerName example.com) is correctly set to the domain.
Installation
Install the Let's Encrypt command line utility: Certbot
sudo apt-get install certbot python-certbot-apache
Next run certbot:
sudo certbot
On first run it will ask "Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel)" enter your email address here to receive notifications for renwals.
Next you will see:
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
If you wanrt to continue press A
Next another option is displayed:
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Press either Y or N
Next a list of domains will be displayed that are on your server. In my case:
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: daveissmynme.blog
2: www.dcblog.dev
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
I'll leave the input blany by pressing enter to select all domains.
Then certbot will start obtaining certificates for the domains.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select 2 to redirect all http traffic to https (recommended)
This is now complete at this stage, the certbot displays:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled and
https://www.dcblog.dev
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=dcblog.dev
https://www.ssllabs.com/ssltest/analyze.html?d=www.dcblog.dev
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/dccasts.dev/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/dcblog.dev/privkey.pem
Your cert will expire on 2020-01-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Securing additional domains:
Once the DNS records and, optionally, the virtual hosts files are set up, you can generate the SSL certificate. Make sure to substitute the domain in the command.
sudo certbot --apache -d test.com -d www.test.com
Test automatic renewal
The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:
sudo certbot renew --dry-run