Let's Encrypt free SSL.

Started by Eyecu, November 26, 2017, 04:01:43 PM


Eyecu

Let's Encrypt is a great resource for sites like this and others to use SSL and not have to pay out the wazoo. I recently tested this on my server with Debian Wheezy and the Virtualmin control panel. Steps to set it up were very easy and it uses cron to auto-renew the cert once a month. I'll post the instructions below. They should work on just about any Linux distro, but you will have to check with your distro for specific settings.


Get the following right for your "variables", fill in your own of course:

MYUSERNAMEFORDOMAIN: my system username known in Virtualmin

MYDOMAIN: www.example.com

*** 1. First install the Let's Encrypt script/program. ***

Login to SSH and get root privileges (root/sudo -i):

cd /home/user/ && git clone https://github.com/letsencrypt/letsencrypt

OR

cd /root/ && git clone https://github.com/letsencrypt/letsencrypt

^^ This will download Let's Encrypt from GitHub, with its executable script.

*** 2. Create your directory where you will be saving your certificate later on. Reason for this is because Virtualmin has a protection where it only allows a certificate from the user/domains directory: ***

mkdir /home/MYUSERNAMEFORDOMAIN/ssl_certificates

*** 3. Setup your cronjobs by running: "sudo crontab -e" ***

It will probably ask you which editor; I choose Nano. Once in the editor, enter the following somewhere on a new line (pick the option you chose in step 1!):


01 3 1 * * cd /home/user/letsencrypt/ && ./letsencrypt-auto certonly --email info@MYDOMAIN --agree-tos --webroot --renew-by-default -w /home/MYDOMAIN/public_html/ -d www.MYDOMAIN.net -d MYDOMAIN.net --authenticator webroot && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/cert.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/cert.pem && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/chain.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/chain.pem && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/fullchain.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/fullchain.pem && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/privkey.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/privkey.pem


OR


01 3 1 * * cd /root/letsencrypt/ && ./letsencrypt-auto certonly --email info@MYDOMAIN --agree-tos --webroot --renew-by-default -w /home/MYDOMAIN/public_html/ -d www.MYDOMAIN.net -d MYDOMAIN.net --authenticator webroot && cp /etc/letsencrypt/live/www.MYDOMAIN.net/cert.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/cert.pem && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/chain.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/chain.pem && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/fullchain.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/fullchain.pem && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/privkey.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/privkey.pem


^^ The above command will copy the certificates to the correct directory after requesting them (I gave a warning in step 2). It will do this every 1st of the month during the night. The reason we do this every month is because the certs are only valid 90 days and we have plenty of time to repair if something appears to be wrong with the cert later on.

NOTE: These next steps will be different depending on what control panel you use. As I use virtualmin I'll explain that part.


*** 3.1 Please log into your Virtualmin admin panel, Select "Webmin -> System -> Scheduled Cron Jobs". Go to your newly created Cronjob by clicking on it and select "RUN NOW".

*** 4. In Virtualmin, select your domain and go to "Edit virtual server", make sure that SSL is enabled under "Enabled features".

*** 5. Under "Server configuration" go to "Manage SSL Certificate". Select the tab "Update Certificate and Key" and under "Signed SSL certificate" select the option "File on server", fill in the location of the certificate: "/home/MYUSERNAMEFORDOMAIN/ssl_certificates/cert.pem"

*** 6. Do the same for section "Matching private key". Select: "/home/MYUSERNAMEFORDOMAIN/ssl_certificates/privkey.pem"

*** 7. Click on "Install Now".

*** 8. Switch to tab "CA Certificate", select "In file on server" and fill in: "/home/MYUSERNAMEFORDOMAIN/ssl_certificates/fullchain.pem"

*** 9. Click on "Save Certificate". ***

DONE! ! ! It will now update every month :)

Go to your website with HTTPS, what do you get??? :D
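Added example, not part of the original post: the cron line in step 3 chains four cp commands that place privkey.pem in the domain user's home directory without setting its permissions. The sketch below does the same copy with explicit modes, and only when all four files are present; `deploy_certs`, its arguments and the 0700/0600/0644 layout are assumptions, not something Virtualmin or Let's Encrypt prescribes.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the post or from Let's Encrypt).
# usage: deploy_certs SRC_DIR DST_DIR [OWNER]
# e.g.   deploy_certs /etc/letsencrypt/live/www.MYDOMAIN.net \
#            /home/MYUSERNAMEFORDOMAIN/ssl_certificates MYUSERNAMEFORDOMAIN
deploy_certs() {
    src=$1
    dst=$2
    owner=${3:-}

    # Refuse to touch the destination unless the whole set is present, so a
    # failed renewal never leaves a new cert next to an old key.
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -s "$src/$f" ]; then
            echo "deploy_certs: missing or empty $src/$f" >&2
            return 1
        fi
    done

    # Assumed layout: directory closed to other local users.
    mkdir -p "$dst" || return 1
    chmod 0700 "$dst" || return 1

    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        mode=0644
        if [ "$f" = privkey.pem ]; then
            mode=0600          # private key: owner read/write only
        fi
        # install sets the mode regardless of umask; write under a temporary
        # name and rename so no reader sees a half-written file.
        install -m "$mode" "$src/$f" "$dst/.$f.new" || return 1
        mv -f "$dst/.$f.new" "$dst/$f" || return 1
    done

    # Changing ownership needs root, which the cron job in step 3 has.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dst" || return 1
    fi
}

# Run directly when called with arguments, e.g. from the cron line after
# letsencrypt-auto succeeds, in place of the four cp commands.
if [ "$#" -ge 2 ]; then
    deploy_certs "$@"
fi
```
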

Skhilled

Thanks for the detailed instructions on this. It was on the agenda to do this. I do have an HTTPS topic here that discusses some of it but on a simpler level:

How To Force HTTP to HTTPS

I do have a more detailed topic but it is in the admin boards. I just never got around to detailing it and posting yet.


EDIT: I should mention that the info in the first post is for those who have access to the server and SSH. If you don't have access to those you should ask your hosting and see if they will install it for you.

Chen Zhen

Just thought I'd give some advice regarding my experience using Let's Encrypt.
IMO it is easier to use Certbot both for installation & your cron job to renew certificates.

ref.
https://certbot.eff.org/all-instructions/

In most cases, if all you have is cPanel to do installations, it should still have an option to install what you want.
If you have a dedicated server or VPS then perhaps just use the PuTTY terminal.
All that needs to be done is to make sure the webserver software (i.e. Nginx or Apache) is configured to use the proper certificate paths.
The command for the cron job is a lot shorter using Certbot.


Skhilled

The hosting for this site uses shared hosting and has Let's Encrypt installed on the server by the hosting. The hosting does not allow SSH... that I'm aware of, but I haven't really tried it. So far, I've had no problems with it other than the ones I've posted in the thread I've started.

https://www.docskillz.com/docs/index.php?topic=1214.0

On both of my VPS' I've installed it using a cPanel certified plugin for WHM. It uses one command for the install, then you can log in to WHM and adjust the settings as needed, like auto-renew, and it can even send you emails when they do, if they don't, or when it's time to renew and more. I've had no problems so far with it.

I like to use MobaXterm instead of PuTTY. It has a lot of pretty good plugins and I can set it so I don't have to enter a password. I have the free version but may upgrade to the pro.

https://mobaxterm.mobatek.net

lurkalot

Got an email from my host for each site I run saying that my cert has been renewed automatically. Hopefully I don't need to worry about it.

Skhilled

You shouldn't. It works well when properly installed.

I forgot to add this in my last post for WHM/cPanel users with SSH:

https://blog.cpanel.com/announcing-cpanel-whms-official-lets-encrypt-with-autossl-plugin/