Free HTTPS Certificate with Let's Encrypt
You can get a free SSL/TLS certificate from Let's Encrypt, a service by the Electronic Frontier Foundation (EFF). Here we create a machine and install the Let's Encrypt client, certbot. It can be your local computer or a temporary cloud machine; that's up to you. If you are not using Debian 11 or CentOS Stream 8, consider using a temporary machine with one of these operating systems to follow along.
Let's Encrypt Strategy
We'll use a DNS record to prove control of our domain to Let's Encrypt. There are other ways to pass validation, such as serving a plain HTML file from your web server, but this is my preferred approach and is far more straightforward; it is also the only challenge type that can validate a wildcard name like the one requested below. If you don't have control over the DNS and need a different option, contact me.
Installing Certbot on Debian
```shell
# Debian 11
sudo apt-get update
sudo apt-get install -y certbot
```
Installing Certbot on CentOS Stream 8
```shell
# CentOS Stream 8
sudo yum install -y epel-release
sudo yum install -y certbot
```
Let's Encrypt Hook for DNS
This downloads the acme-dns hook that certbot runs during DNS validation. It is fetched from the master branch of a third-party repository and then executed as root, so read through it before the first run.

```shell
# Download the Let's Encrypt (acme-dns) auth hook
sudo curl -o /etc/letsencrypt/acme-dns-auth.py \
  https://raw.githubusercontent.com/joohoi/acme-dns-certbot-joohoi/master/acme-dns-auth.py
sudo chmod 700 /etc/letsencrypt/acme-dns-auth.py
# Update the hook's shebang line to use Python 3
sudo sed -i "s/env python/env python3/" /etc/letsencrypt/acme-dns-auth.py
```
Now we request the certificate from Let's Encrypt.
```shell
# Generate Certificate
sudo /usr/bin/certbot \
  certonly \
  --manual \
  --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py \
  --preferred-challenges dns \
  --debug-challenges \
  -d "*.example.com" \
  -d "example.com"
```
When you first run this command, you'll be prompted for an email address and to accept the Terms of Service. Then you'll see the DNS record we need to create. In the output below, line 8 tells us to create a CNAME record in the example.com zone with "_acme-challenge" as the name and "07b7bb80-2352-4015-9ca3-28c8052ac8d0.auth.acme-dns.io" (no period at the end) as the value. Set it to the shortest "TTL" (Time to Live) available to you. After you've created the record, wait a moment for it to take effect and press Enter.

```text
Requesting a certificate for *.example.com and example.com
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Output from manual-auth-hook command acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.example.com CNAME 07b7bb80-2352-4015-9ca3-28c8052ac8d0.auth.acme-dns.io.
Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Waiting for verification...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
```
Download Your Certificate
The "fullchain1.pem" file is the certificate (the leaf "cert1.pem" followed by the intermediate "chain1.pem"), and "privkey1.pem" is the private key. Download both for later use, and keep the key's restrictive permissions (mode 0600 in the listing) wherever you copy it.

```text
ls -la /etc/letsencrypt/archive/example.com/
total 28
drwxr-xr-x 2 root root 4096 May 11 11:31 .
drwx------ 3 root root 4096 May 11 11:31 ..
-rw-r--r-- 1 root root 1854 May 11 11:31 cert1.pem
-rw-r--r-- 1 root root 3749 May 11 11:31 chain1.pem
-rw-r--r-- 1 root root 5603 May 11 11:31 fullchain1.pem
-rw------- 1 root root 1704 May 11 11:31 privkey1.pem
```
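Two checks the walkthrough leaves to the eye, as an added example that is not part of the original post: confirming the _acme-challenge CNAME actually resolves to the acme-dns target before you press Enter, and confirming the downloaded privkey1.pem belongs to fullchain1.pem. It assumes dig and openssl are installed; the domain, CNAME target and file names are the placeholder values from the output above.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes dig and openssl exist.
set -eu

# Compare what the resolver returned with the target certbot printed.
# Trailing dots (DNS absolute names) are stripped from both sides first.
cname_matches() {
  got="${1%.}"
  expected="${2%.}"
  [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Poll until _acme-challenge.<domain> resolves to the acme-dns target, so the
# dns-01 check is not submitted before the record is visible. A caching
# resolver may lag; pass a resolver as $3 (e.g. @1.1.1.1) to query it directly.
wait_for_cname() {
  name="$1"; expected="$2"; resolver="${3:-}"; tries=12; i=1
  while [ "$i" -le "$tries" ]; do
    got="$(dig +short CNAME "$name" $resolver | head -n 1)"
    if cname_matches "$got" "$expected"; then return 0; fi
    i=$((i + 1)); sleep 10
  done
  return 1
}

# Return 0 when the private key's public half equals the certificate's public
# key, i.e. privkey1.pem really belongs to fullchain1.pem (openssl x509 reads
# the first PEM block, which is the leaf certificate).
key_matches_cert() {
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$2" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

# Show the SANs and validity window so the ~90-day renewal can be scheduled.
cert_summary() {
  openssl x509 -in "$1" -noout -ext subjectAltName -dates
}

# Usage with the placeholder values from the walkthrough:
# wait_for_cname _acme-challenge.example.com 07b7bb80-2352-4015-9ca3-28c8052ac8d0.auth.acme-dns.io
# key_matches_cert fullchain1.pem privkey1.pem && cert_summary fullchain1.pem
```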
Keep This Machine?
You can either keep this machine around to run "certbot renew" and renew the certificate in ~3 months, or destroy the machine once you have downloaded the certificate and private key files. If you keep it, leave the "_acme-challenge" CNAME in place, since renewal reuses the hook's stored registration. If you delete the machine, create a new machine and repeat the process when you are ready to renew; the fresh registration will give you a new CNAME target to set.