Free SSL certificates with LetsEncrypt
Getting your website on https can be done in a matter of minutes. So there is no excuse anymore to go without it. Not even on your test and dev websites.
Although this example is on CentOS, it really applies to any other Linux distro.
Excellent, tailor-made instructions per webserver and OS are found on the website of Certbot:
https://certbot.eff.org/
Here, a short recap of that for my own archive.
You’ll need the EPEL repository for this. After that, install the certbot software together with its nginx plugin.
$ sudo yum install epel-release
$ sudo yum install certbot-nginx
Getting your website secured with SSL is now as simple as answering some questions on the following command.
Note: I’m using a method which takes a bit of downtime because LetsEncrypt is in the middle of an update. Read all about it
$ sudo certbot --authenticator standalone --installer nginx --pre-hook "service nginx stop" --post-hook "service nginx start"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: yoursite.pauledenburg.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Running pre-hook command: service nginx stop
Error output from service:
Redirecting to /bin/systemctl stop nginx.service

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for es.git.innospense.com
Waiting for verification...
Cleaning up challenges
Running post-hook command: service nginx start
Error output from service:
Redirecting to /bin/systemctl start nginx.service

Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/yoursite.pauledenburg.com.conf for set(['yoursite.pauledenburg.com'])

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/yoursite.pauledenburg.com.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://yoursite.pauledenburg.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=yoursite.pauledenburg.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/es.git.innospense.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/es.git.innospense.com/privkey.pem
   Your cert will expire on 2018-04-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Things which might throw you an error
python-urllib3 version
The first caveat for CentOS 7 is that you need specifically version 1.21 of urllib3. I had 1.22 installed via yum, which gave me the following error.
ImportError: No module named 'requests.packages.urllib3'
You can see the currently installed version with pip:
pip freeze | grep urllib
To resolve this, first remove the old version with yum and then add the required one with pip:
sudo yum remove python-urllib3
sudo pip install -Iv https://github.com/shazow/urllib3/archive/1.21.1.tar.gz
pyOpenSSL version
Just like urllib3, pyOpenSSL was of an unsupported version.
sudo yum remove pyOpenSSL
sudo pip install pyOpenSSL
Error message stating that the CA can’t be satisfied
After running
certbot --nginx
you get the following error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Due to legal reasons there currently is no
From the Certbot GitHub site:
If you’re serving files for that domain out of a directory on Nginx, you can run the following command:
# Webroot method
$ sudo certbot --authenticator webroot --installer nginx \
    --webroot-path <path to served directory> -d <domain>
If you’re not serving files out of a directory (for instance if you are using proxy_pass), you can temporarily stop your server while you obtain the certificate and restart it after Certbot has obtained the certificate. This would look like:
# Temporary outage method
$ sudo certbot --authenticator standalone --installer nginx \
    -d <domain> --pre-hook "service nginx stop" --post-hook "service nginx start"
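The choice between the two methods above comes down to whether the nginx server block serves files from a directory (webroot, no downtime) or only proxies (standalone, brief outage). The helper below is an added example written for this post, not Certbot's own code: it inspects a server-block config for a root or proxy_pass directive and composes the matching certbot command line. It assumes one root directive per config file and does not itself run certbot.

```shell
#!/bin/sh
# Hypothetical helper (not part of Certbot): pick the Certbot method described
# above from how an nginx server block serves its domain.

# Print the webroot path if the config serves static files, nothing otherwise.
nginx_webroot() {
    # $1 = path to the nginx server-block config file.
    # Take the first 'root' directive, minus the keyword and trailing ';'.
    sed -n 's/^[[:space:]]*root[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Compose the certbot command for one domain; prints it on stdout.
certbot_command() {
    # $1 = domain, $2 = nginx config file.
    domain="$1"
    conf="$2"
    webroot=$(nginx_webroot "$conf")
    if [ -n "$webroot" ]; then
        # A directory to drop the http-01 challenge file into: no downtime needed.
        printf 'certbot --authenticator webroot --installer nginx --webroot-path %s -d %s\n' \
            "$webroot" "$domain"
    elif grep -q 'proxy_pass[[:space:]]' "$conf"; then
        # Only proxying: stop nginx briefly so the standalone authenticator can
        # bind port 80 for the http-01 challenge, then start it again.
        printf 'certbot --authenticator standalone --installer nginx -d %s --pre-hook "service nginx stop" --post-hook "service nginx start"\n' \
            "$domain"
    else
        echo "cannot determine how $conf serves $domain" >&2
        return 1
    fi
}
```

Run the printed command with sudo once you have checked it; afterwards `certbot renew --dry-run` confirms that automatic renewal will work with the same method.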