How to get a FREE SSL certificate for any website?
Get a free SSL certificate for your website. Whether you are using shared hosting or you have a VPS or dedicated server, you can get a free SSL certificate for your website. If you are using one of the hosts recommended for WordPress, you can ask your web hosting provider to install Let’s Encrypt in your control panel so that you can install unlimited free SSL certificates on any domain. If you are using an unmanaged VPS or a dedicated server, follow the procedure below to install Let’s Encrypt and get free SSL certificates for unlimited domains.
Getting started with Let’s Encrypt for Free SSL & TLS Certificates
Now it’s time to switch to HTTPS and secure your websites. Let’s Encrypt is a certificate authority that provides free SSL certificates for TLS encryption. It spares you the hassle of manually creating, validating, signing, installing and renewing SSL certificates, and uses the Automated Certificate Management Environment (ACME) to issue certificates automatically. Let’s Encrypt is managed by the Internet Security Research Group (ISRG).
This tutorial will cover the following topics:
- How to install Let’s Encrypt ACME client?
- How to obtain Let’s Encrypt certificates?
- Checkup & Maintenance
- Technical details regarding Let’s Encrypt
Note:
This tutorial is specific to Ubuntu / Debian and CentOS. Commands may vary on other Linux distributions.
Important:
The tutorial is written for non-root users. To execute any command with root privileges, you must prefix the command with ‘sudo’.
Prerequisites
You will require PuTTY to access your VPS via SSH.
Step 1: Update Server’s Software Packages
Before you begin to install Let’s Encrypt, you must update your server’s software packages by using the following commands:
CentOS
# sudo yum update && sudo yum upgrade
Ubuntu / Debian
# sudo apt-get update && sudo apt-get upgrade
You will be asked to enter your password. Enter the password of the user you are logged in as.
After entering the password, you will be asked “Do you want to continue? [Y/n]”
Press ‘Y’ and then press the Enter key.
Step 2: Install Git
In the second step, you will have to install Git on your server so that you can install Let’s Encrypt from the official GitHub repository. To install Git, use the following commands:
CentOS
# sudo yum install git
Ubuntu / Debian
# sudo apt-get install git
You will be asked to enter your password. Enter the password of the user you are logged in as.
After entering the password, you will be asked “Do you want to continue? [Y/n]”
Press ‘Y’ and then press the Enter key.
Step 3: Download & Install Let’s Encrypt
Clone Let’s Encrypt from the official GitHub repository and install it to /opt/letsencrypt.
Execute the following command to clone:
Ubuntu / Debian / CentOS
# sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
You will be asked to enter your password after executing the command. Enter the password of the user you are logged in as.
Navigate to the new directory /opt/letsencrypt using the command below:
# cd /opt/letsencrypt
Note: /opt is a commonly used installation directory for 3rd party packages; you can change it if you are comfortable doing so.
Step 4: Create SSL certificate
The Certificate Authority (CA) authenticates your domain through a series of Domain Validation challenges that Let’s Encrypt performs automatically. Once your domain has been validated, the CA will issue your SSL certificate.
Note:
Each domain & its sub-domain will have its own separate certificate. Let’s Encrypt does not issue wildcard certificates.
To create SSL certificate for a single domain using Let’s Encrypt, use the following command:
# sudo -H ./letsencrypt-auto certonly --standalone -d myweb.com
Note:
Replace myweb.com with your own domain.
To create an SSL certificate for more than one website, add another -d myweb.com option to the end of the command. See the following command:
# sudo -H ./letsencrypt-auto certonly --standalone -d myweb1.com -d myweb2.com
You will be asked to enter your password after executing the command. Enter the password of the user you are logged in as.
After executing the above command, you will be asked to enter an email address. Enter your email address here; it will be used later to regain control of a lost certificate and to receive urgent security notices. Press the “TAB” key to navigate between the given options and press “Enter” to select one.
Agree to the terms & conditions when prompted.
If the process went well, you will see the message below. This message tells you that Let’s Encrypt has approved and issued certificates for your desired domains.
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover them through e-mails sent to somebody@.example.com.
 - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/myweb.com/fullchain.pem. Your cert will expire on 2018-02-28. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Let's Encrypt, so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Structure of Let’s Encrypt Directory
- List the files in the /etc/letsencrypt/live directory by using the following command:
# sudo ls /etc/letsencrypt/live
- Each domain for which you created an SSL certificate has its own directory. List the contents of a domain’s directory using the following command:
# sudo ls /etc/letsencrypt/live/myweb.com
After execution of the above command, you will see output:
cert.pem chain.pem fullchain.pem privkey.pem
Each output file has a different purpose:
- cert.pem: contains the server certificate only
- chain.pem: contains the intermediate & root certificates only
- fullchain.pem: contains the combination of root, server and intermediate certificates
- privkey.pem: the private key. It must not be shared with anyone.
IdenTrust cross-signs the certificates, which ensures compatibility with different browsers.
These files are symbolic links to the actual certificate files, which are located in the /etc/letsencrypt/archive directory.
You can see the status of fullchain.pem by executing the following command:
# sudo stat /etc/letsencrypt/live/myweb.com/fullchain.pem
Output will be:
File: ‘live/myweb.com/cert.pem’ -> ‘../../archive/myweb.com/cert1.pem’
Note: If you forget to renew your domain’s SSL certificate, Let’s Encrypt will remove the directory from /etc/letsencrypt/live, but it will be retained in /etc/letsencrypt/keys & /etc/letsencrypt/archive.
Maintenance:
How to renew SSL certificates?
To renew an SSL certificate issued using Let’s Encrypt, follow the steps below:
- Navigate to the /opt/letsencrypt directory by executing the command below:
# cd /opt/letsencrypt
- Execute the following command to renew the SSL certificate:
# sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d mydomain1.com -d www.mydomain2.com
If the process went well, you will see a confirmation message such as:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2018-02-28. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Note:
A Let’s Encrypt SSL certificate expires in 3 months (90 days), so you must renew it within 90 days of the issuance date.
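The directory structure and the 90-day expiry described above can both be checked from the shell. The script below is an added example, not part of the original tutorial or of Let’s Encrypt itself; the function names audit_live_dir and expires_within_days, the 30-day threshold and the strict rule that the private key file carries no group/other permission bits are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Function names are
# hypothetical; the key-permission rule is this example's own strict choice.
# Print one line per problem found in a live/<domain> directory.
# Returns 0 only when nothing was flagged.
audit_live_dir() {
    dir=$1
    problems=0
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        f="$dir/$name"
        if [ ! -L "$f" ]; then
            echo "PROBLEM: $name is missing or is not a symlink"
            problems=$((problems + 1))
            continue
        fi
        # Each link should be relative and lead into the archive directory.
        case "$(readlink "$f")" in
            ../../archive/*) ;;
            *) echo "PROBLEM: $name does not point into ../../archive/"
               problems=$((problems + 1)) ;;
        esac
        if [ ! -e "$f" ]; then
            echo "PROBLEM: $name is a dangling symlink"
            problems=$((problems + 1))
        fi
    done
    # The private key file itself must carry no group/other permission bits.
    key="$dir/privkey.pem"
    if [ -e "$key" ]; then
        mode=$(ls -ldL "$key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "PROBLEM: privkey.pem is accessible to group/others ($mode)"
            problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}

# Return 0 when the certificate expires within the given number of days.
# An unreadable or invalid file also returns 0, so it is treated as due.
expires_within_days() {
    ! openssl x509 -checkend "$(($2 * 86400))" -noout -in "$1" >/dev/null
}

# Usage (as root): sh audit.sh /etc/letsencrypt/live/myweb.com
if [ "$#" -ge 1 ]; then
    audit_live_dir "$1" && echo "layout OK"
    expires_within_days "$1/cert.pem" 30 && echo "renew soon"
fi
```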