Free HTTPS Certificate with Let's Encrypt

Introduction

You can get a free SSL/TLS certificate from Let's Encrypt, a certificate authority run by the non-profit Internet Security Research Group (ISRG); the certbot client used below is maintained by the Electronic Frontier Foundation (EFF). Here we're creating a machine and installing certbot on it. This can be your local computer or a temporary cloud machine, it's up to you. If you are not using Debian 11 or CentOS Stream 8, consider using a temporary machine with one of those operating systems to follow along.

Let's Encrypt Strategy

We'll be using a DNS record (the ACME "dns-01" challenge) to prove control of our domain to Let's Encrypt. There are other ways to accomplish validation, such as serving a plain file over HTTP from your webserver ("http-01"), but the wildcard certificate requested below ("*.example.com") can only be issued through dns-01, and it is my preferred approach in any case because it needs no public webserver. If you don't have control over the DNS and need a different option, contact me.

Install Certbot

Installing Certbot on Debian

  
    # Debian 11
    sudo apt-get update;
    sudo apt-get install -y certbot;
  

Installing Certbot on CentOS Stream 8

  
    # CentOS Stream 8
    sudo yum install -y epel-release;
    sudo yum install -y certbot;
  

Let's Encrypt Hook for DNS

This downloads a custom authentication hook for certbot. On first use the script registers an account with an acme-dns server (by default the public instance at auth.acme-dns.io), saves the credentials to /etc/letsencrypt/acmedns.json, and prints the CNAME record you must create; on every validation after that it publishes the challenge TXT record through the acme-dns API instead of touching your own zone. Two things to keep in mind: you are fetching a script from a GitHub branch and running it as root, so read it before you run it, and delegating "_acme-challenge" to a third-party acme-dns server means whoever holds those credentials (or controls that server) can pass dns-01 for your domain, so consider self-hosting acme-dns for anything important.

  
    # Download Let's Encrypt Hook
    sudo curl -o /etc/letsencrypt/acme-dns-auth.py https://raw.githubusercontent.com/joohoi/acme-dns-certbot-joohoi/master/acme-dns-auth.py;
    sudo chmod 700 /etc/letsencrypt/acme-dns-auth.py;

    # Update Hook to use Python 3
    sudo sed -i "s/env python/env python3/" /etc/letsencrypt/acme-dns-auth.py;
  

Request Certificate

Now we request the certificate from Let's Encrypt. "certonly" obtains the certificate without trying to install it into a webserver, "--manual" together with "--manual-auth-hook" hands each dns-01 challenge to the acme-dns script, and "--debug-challenges" pauses certbot before it asks the CA to validate, so you can confirm the DNS record is in place first. Both "*.example.com" and "example.com" are listed because a wildcard does not cover the bare domain.

  
    # Generate Certificate
    sudo /usr/bin/certbot \
      certonly \
      --manual \
      --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py \
      --preferred-challenges dns \
      --debug-challenges \
      -d "*.example.com" \
      -d "example.com";
  

Answering Prompts

When you first run this command, you'll be prompted for an email address and to accept the Terms of Service. The hook then prints the DNS record we need to create. In this example, the line beginning with "_acme-challenge.example.com CNAME" tells us to create a CNAME record in the example.com zone with "_acme-challenge" as the name and "07b7bb80-2352-4015-9ca3-28c8052ac8d0.auth.acme-dns.io" as the target (the trailing period in the hook's output is zone-file notation for a fully qualified name; most DNS providers want the value entered without it). The dns-01 challenge for example.com is listed twice because the wildcard and the bare domain are validated separately, but both are served from the same "_acme-challenge" name, so a single CNAME covers both. Set this record to the shortest "TTL" (Time to Live) available to you. After you've created the record, wait until it is visible from a public resolver (for example, "dig +short CNAME _acme-challenge.example.com @1.1.1.1" should return the acme-dns name, since Let's Encrypt resolves it from its own vantage points, not from your provider's control panel) and then press Enter.

  
      Requesting a certificate for *.example.com and example.com
      Performing the following challenges:
      dns-01 challenge for example.com
      dns-01 challenge for example.com
      Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
      Output from manual-auth-hook command acme-dns-auth.py:
      Please add the following CNAME record to your main DNS zone:
      _acme-challenge.example.com CNAME 07b7bb80-2352-4015-9ca3-28c8052ac8d0.auth.acme-dns.io.

      Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
      Waiting for verification...

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
      challenges.
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Press Enter to Continue
  
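The check described above, as an added example that is not part of the original article or of the acme-dns hook: a small POSIX shell script that asks a public resolver for the "_acme-challenge" CNAME and compares the answer with the target the hook printed, tolerating the case and trailing-dot differences that trip people up. It assumes the "dig" utility is installed (package bind9-dnsutils on Debian 11, bind-utils on CentOS Stream 8) and that 1.1.1.1 is an acceptable resolver to query; the domain and acme-dns name in the usage comment are the placeholders from this article.

```sh
#!/bin/sh
# Added example (not from the original article): confirm the _acme-challenge
# CNAME is visible from the outside before pressing Enter in certbot.
# Assumes `dig` is installed; any public resolver can be substituted.

# normalize_name NAME
# Lower-cases a DNS name and strips a trailing dot, so that
# "ABC.auth.acme-dns.io." and "abc.auth.acme-dns.io" compare equal.
normalize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# cname_matches RAW_ANSWER EXPECTED_TARGET
# RAW_ANSWER is the output of `dig +short CNAME <name>`: empty when the
# record has not propagated, one line when it has, several lines if the
# zone is misconfigured (a name may carry only one CNAME). Returns 0 only
# when exactly one CNAME is present and it equals EXPECTED_TARGET.
cname_matches() {
    raw=$1
    expected=$(normalize_name "$2")
    count=0
    found=1
    # Unquoted expansion splits the answer on newlines, one record per word.
    for line in $raw; do
        count=$((count + 1))
        [ "$(normalize_name "$line")" = "$expected" ] && found=0
    done
    [ "$count" -eq 1 ] && [ "$found" -eq 0 ]
}

# check_challenge_cname DOMAIN EXPECTED_TARGET [RESOLVER]
# Queries _acme-challenge.DOMAIN at a public resolver (default 1.1.1.1)
# rather than the local cache, which may still hold a stale negative answer.
check_challenge_cname() {
    domain=$1
    expected=$2
    resolver=${3:-1.1.1.1}
    answer=$(dig +short CNAME "_acme-challenge.$domain" "@$resolver")
    if cname_matches "$answer" "$expected"; then
        echo "OK: _acme-challenge.$domain -> $expected"
        return 0
    fi
    echo "NOT YET: _acme-challenge.$domain answered '${answer:-<empty>}'" >&2
    return 1
}

# Typical use while certbot is waiting at "Press Enter to Continue"
# (placeholder values from the article):
#   check_challenge_cname example.com 07b7bb80-2352-4015-9ca3-28c8052ac8d0.auth.acme-dns.io
```

Loop the call in a shell "until" until it prints OK; a negative answer cached by your local resolver for the record's old TTL is the usual reason the record "isn't there" even though the provider shows it.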

Download Your Certificate

The "fullchain1.pem" file is the certificate followed by the intermediate chain (the file a webserver should serve), and "privkey1.pem" is the matching private key. Download both of these for later use. The number in the file name increases with every renewal (fullchain2.pem, privkey2.pem, and so on), and /etc/letsencrypt/live/example.com/ holds unversioned symlinks to the current pair, which is the path to reference from a server that stays on this machine. Note that only root can read privkey1.pem; copy it over an encrypted channel such as scp and keep it just as restricted wherever it ends up.

  
    ls -la /etc/letsencrypt/archive/example.com/
    total 28
    drwxr-xr-x 2 root root 4096 May 11 11:31 .
    drwx------ 3 root root 4096 May 11 11:31 ..
    -rw-r--r-- 1 root root 1854 May 11 11:31 cert1.pem
    -rw-r--r-- 1 root root 3749 May 11 11:31 chain1.pem
    -rw-r--r-- 1 root root 5603 May 11 11:31 fullchain1.pem
    -rw------- 1 root root 1704 May 11 11:31 privkey1.pem
  

Keep This Machine?

Let's Encrypt certificates are valid for 90 days. You can either keep this machine around and run "sudo certbot renew" to renew the certificate (certbot saved the manual auth hook in /etc/letsencrypt/renewal/example.com.conf, so renewal runs unattended; "sudo certbot renew --dry-run" confirms it works against the staging environment), or you can destroy the machine once you have downloaded the certificate and private key files. If you delete the machine, create a new one and repeat the process when you are ready to renew. Be aware that on a fresh machine the hook registers a new acme-dns account and prints a different CNAME target, so you will have to update the DNS record again unless you also restored /etc/letsencrypt/acmedns.json; the renewed certificate also comes with a new private key, so deploy both files.
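Two checks worth running on the downloaded files, and on any renewed pair later, as an added example that is not part of the original article: confirm that the fullchain and privkey you are about to deploy actually belong together, list the names the certificate covers, and find out whether it is already inside the renewal window. The script assumes the openssl command line tool is installed (OpenSSL 1.1.1 or newer, for the "-ext" option) and takes the two file paths as arguments; the 30-day threshold is the one certbot's own "renew" uses by default.

```sh
#!/bin/sh
# Added example (not from the original article): sanity checks for the
# fullchain.pem / privkey.pem pair copied out of /etc/letsencrypt/archive.
# Assumes the openssl CLI (1.1.1+) is on PATH. Usage:
#   sh check_cert.sh /path/to/fullchain1.pem /path/to/privkey1.pem

# cert_matches_key FULLCHAIN PRIVKEY
# Extracts the public key from the leaf certificate (openssl x509 reads only
# the first certificate in the file) and derives the public key from the
# private key; the two PEM blocks must be identical, otherwise the files come
# from different certbot runs (e.g. fullchain2.pem paired with privkey1.pem).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_names CERT
# Prints the DNS names from the subjectAltName extension, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# needs_renewal CERT [DAYS]
# Returns 0 when the certificate will have expired DAYS days from now
# (default 30, certbot's own renewal threshold), 1 when it is still fine,
# and 2 when the file cannot be parsed at all. "openssl x509 -checkend N"
# exits 0 only if the certificate is still valid N seconds in the future.
needs_renewal() {
    cert=$1
    days=${2:-30}
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_cert_files FULLCHAIN PRIVKEY
# Runs all three checks and prints a short report. Exit status is non-zero
# if the pair is unusable or should be renewed now.
check_cert_files() {
    fullchain=$1
    privkey=$2
    status=0
    if cert_matches_key "$fullchain" "$privkey"; then
        echo "OK: private key matches $fullchain"
    else
        echo "FAIL: $privkey does not match $fullchain" >&2
        status=1
    fi
    echo "Names covered:"
    cert_names "$fullchain" | sed 's/^/  /'
    echo "Expires: $(openssl x509 -in "$fullchain" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')"
    if needs_renewal "$fullchain" 30; then
        echo "RENEW: fewer than 30 days left, run: sudo certbot renew" >&2
        status=1
    fi
    return "$status"
}

# Only produce the report when executed directly with two arguments, so the
# functions can also be sourced from another script.
if [ "$#" -eq 2 ]; then
    check_cert_files "$1" "$2"
fi
```

Run it against the pair you downloaded before loading it into a server; a key mismatch is the classic symptom of copying fullchain2.pem from a renewal while the server still has privkey1.pem, and the TLS handshake will fail with an opaque error rather than point at the cause.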
