The year 2016 started with a couple of free SSL certificate solutions. CloudFlare offers a free certificate for all their customers; Amazon joined with AWS Certificate Manager, and Let's Encrypt is in public beta. Today I want to show you how easy it is to get a free certificate from Let's Encrypt and automatically renew it in the future. I'll provide the commands for an Amazon Linux AMI, but they are similar for other Linux distributions.
There are some things you should know about Let's Encrypt:
- Certificates last only 90 days.
- You are "forced" to automate the process. Actually, this is great, and I'll show you how to do it.
- They do not offer wildcard certificates.
Requirements
- An email address. You may get useful information about your certificates.
- The domain must point to a directory on the server that is reachable from the Internet. Let's Encrypt servers will fetch a file such as http://example.com/some_secret_file_name (served from the .well-known directory of that web root) to validate that you control the domain.
- Clearly understand that Let's Encrypt is currently in beta, and you will be running beta software on your server.
The commands
Install some requirements for the following steps.
yum install python27-devel git
Clone the letsencrypt repository and run the installer.
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
/opt/letsencrypt/letsencrypt-auto --debug
Create a config file that will be used for new certificates and renewals. It contains the private key size and your email address.
echo "rsa-key-size = 4096" >> /etc/letsencrypt/config.ini
echo "email = email@example.com" >> /etc/letsencrypt/config.ini
Request a certificate for your domain and its www subdomain. You must also specify the web root directory of the domain, because the validation file is written there.
/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/yourdomainroot -d yourdomain.com -d www.yourdomain.com --config /etc/letsencrypt/config.ini --agree-tos
Optionally, remove the directory that was used for validation. The client recreates it at renewal time, and since it may still contain the acme-challenge subdirectory, rmdir alone would fail, so remove it recursively.
rm -r /var/www/yourdomainroot/.well-known
The certificate, private key and chain are located under /etc/letsencrypt/live/yourdomain.com/, and the last step is to update your webserver's configuration. For Apache with mod_ssl it will look like this:
Listen 443
<VirtualHost *:443>
ServerName yourdomain.com
DocumentRoot "/var/www/yourdomainroot"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>
Be sure to add the renew command to a crontab. The command that reloads your webserver should be in the same entry, so the renewed certificate is actually picked up.
/opt/letsencrypt/letsencrypt-auto renew --config /etc/letsencrypt/config.ini --agree-tos && apachectl graceful
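The one-liner above reloads Apache on every cron run, even when nothing was renewed. The following wrapper script is an added example, not part of the original post: it runs the same renew command, reloads Apache only when a cert.pem under the live directory actually changed, and logs the outcome. The /opt/letsencrypt and /etc/letsencrypt paths are the ones used in the post; the LIVE_DIR, RENEW_CMD, RELOAD_CMD and LOG_FILE environment overrides and the --cron flag are this script's own convention.

```shell
#!/bin/sh
# Added example (not from the original post): renew Let's Encrypt certificates from cron
# and reload Apache only when a certificate actually changed.
# Paths are the ones used in the post; the environment overrides are this script's convention.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_CMD="${RENEW_CMD:-/opt/letsencrypt/letsencrypt-auto renew --config /etc/letsencrypt/config.ini --agree-tos}"
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"
LOG_FILE="${LOG_FILE:-/var/log/letsencrypt-renew.log}"

# Checksum over every cert.pem below the live directory; it changes when any cert is renewed.
# cat's error output is silenced so a missing directory yields the checksum of empty input.
cert_fingerprint() {
    cat "$1"/*/cert.pem 2>/dev/null | cksum | cut -d' ' -f1
}

# Usage: renew_and_reload LIVE_DIR RENEW_CMD RELOAD_CMD
# Prints exactly one word on stdout: "failed", "unchanged" or "reloaded".
# Output of the renew and reload commands goes to stderr so it can be captured by the caller.
renew_and_reload() {
    live="$1"
    renew="$2"
    reload="$3"
    before=$(cert_fingerprint "$live")
    if ! sh -c "$renew" 1>&2; then
        echo failed
        return 1
    fi
    after=$(cert_fingerprint "$live")
    if [ "$before" != "$after" ]; then
        sh -c "$reload" 1>&2
        echo reloaded
    else
        echo unchanged
    fi
}

# Cron entry point: only runs when invoked with --cron, so sourcing the file has no side effects.
# Crontab line (assumed example): 30 3 * * * /usr/local/sbin/renew-letsencrypt.sh --cron
if [ "${1:-}" = "--cron" ]; then
    result=$(renew_and_reload "$LIVE_DIR" "$RENEW_CMD" "$RELOAD_CMD" 2>>"$LOG_FILE")
    echo "$(date '+%Y-%m-%d %H:%M:%S') renewal: $result" >> "$LOG_FILE"
fi
```

Because the client only replaces the files in the live directory when a certificate is actually renewed, comparing a checksum before and after the run is enough to decide whether a reload is needed; the log line gives you a daily record to check that renewals keep succeeding well before the 90-day expiry.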
That's it. I hope it was helpful.