SSL: How to generate free SSL certificates with Certbot (Let's Encrypt)

Harry Lee

May 31, 2016

Don’t know how to configure SSL certificate? Just started learning about how to deploy your own secure website but don’t want to spend money purchasing a SSL certificate? Let’s Encrypt (now Certbot) is here to save the day!

Background

Let’s Encrypt is a free, automated, and open Certificate Authority.

Let’s Encrypt is an official Certificate Authority. This means that the SSL certificate provided/generated by Let’s Encrypt is recognised by all browsers as being legitimate. This is different from self-signed certificates which do not fly if you want HTTPS enabled for your publicly accessible website.

Before you begin, it goes without saying that you will have to own the domain that you are generating the certificate for. This post assumes that you have deployed a web server and have shell access to it.

Note that Let’s Encrypt certificates expire every 3 months. So the certificates will have to be renewed before it expires to ensure uninterrupted service.

Set Up

This post assumes that you are obtaining the certificates only. If you want to configure Certbot for your specific web server, you can have a look at this list.

  1. Clone the Certbot Github repository.

  2. Make certbot-auto executable.

        $ sudo chmod a+x ./certbot-auto
    
    1. Execute:
        $ sudo ./certbot-auto certonly \
            --standalone \
            --email <your-admin@email.com> \
            -d <your-domain.com>
    
    • <your-admin@email.com> is the admin email address that Let’s Encrypt will use to communicate with you.
    • <your-domain.com> is the domain that you want to generate the certificate for. You cannot create wild card certificates with Let’s Encrypt, but you can tie multiple domains to one certificate. Simply add another -d option with your domain/sub-domain.
  3. Follow the prompts.

  4. The certificate will be installed to /etc/letsencrypt/live/your-domain-name/.

  5. All done! You can now copy the .pem files to your configuration directory.

    • fullchain.pem consists of the server certificate as well as the chain certificate.
    • privkey.pem is the server key.

Troubleshoot

If you get an error: setuptools pkg_resources pip wheel failed with error code 1 then run the following:

$ export LC_ALL="en_US.UTF-8"
$ export LC_CTYPE="en_US.UTF-8"

Conclusion

Setting up Let’s Encrypt using Certbot is not difficult at all. The only downside for using Let’s Encrypt is the 3 months expiration, which can get quite annoying. However, the renewing process can be automated by using a cronjob.