Install Let's Encrypt

Let's Encrypt is a not-for-profit certificate authority run by the Internet Security Research Group. It issues domain-validated certificates only. The service makes it easy to obtain and install a free TLS/SSL certificate, which lets you enable encrypted HTTPS on your web server. Certificates are normally installed with an automated client called Certbot, which makes installing a Let's Encrypt TLS/SSL certificate much easier. Certbot works with the Nginx and Apache web servers and supports Ubuntu, Debian and CentOS. In this documentation we install Let's Encrypt on Ubuntu. Certbot also provides several plugins, such as the Apache and Nginx installer plugins.

Requirements for Installing Let's Encrypt
- We use Ubuntu Server 20.04. For an installation tutorial, see Install Ubuntu Server 20.04
- Domain name must be registered
- Apache/Nginx already installed
- The DNS A-record must contain the public address of your server
Install Let’s Encrypt Ubuntu
Before installing Let's Encrypt on Apache, you should know what SSL is and why a website needs it. SSL stands for Secure Sockets Layer, and it is one of the most important services for a website. With SSL, data in transit is encrypted and therefore more secure. There are several reasons to use SSL:
- Secure and encrypted data
- Avoid data theft
- Avoid sending wrong data
- Better Website Reputation
To tell whether a website uses SSL, check that its URL starts with HTTPS. There are various kinds of SSL certificates, both commercial and free. Let's Encrypt provides free SSL certificates that can be installed on various platforms. Here is the documentation on how to install Let's Encrypt on Apache.
Install Let's Encrypt on Apache
Here we explain how to install Let's Encrypt on the Apache web server. Follow these steps.
Step 1 – Update the System and Install Certbot
As explained earlier, we will use Certbot to install Let's Encrypt. Certbot is a third-party tool that makes installing Let's Encrypt easier.
First, open a terminal, SSH to the server, and update the package repositories.
apt update && apt upgrade -y
Once the system has been updated and upgraded, install Certbot and the packages it needs. Run the following command:
apt install certbot python3-certbot-apache -y
Wait until the process is complete. Next, we confirm the Apache virtual host configuration, which the installation depends on: Certbot checks the Apache virtual host in order to generate and install the Let's Encrypt certificate.
Step 2 – Apache Virtual Host Configuration
Before creating a Let's Encrypt SSL certificate with Certbot, make sure the domain or subdomain it will be issued for is declared in a virtual host on the Apache web server.
Open the file /etc/apache2/sites-available/your_domain.conf and edit ServerName. Set ServerName to the domain or subdomain for which Certbot will generate the certificate. Here we use the domain your.domain.com as an example.
nano /etc/apache2/sites-available/your_domain.conf
<VirtualHost *:80>
    DocumentRoot "/var/www/html/owncloud"
    ServerName your.domain.com
    ..
Once ServerName matches the name to be registered with Let's Encrypt, save the file. Then restart the Apache service.
systemctl restart apache2
When that is done, we continue with the UFW firewall configuration. For firewall configuration details, see UFW Firewall Configuration.
Step 3 – Allow HTTPS Through Firewall
A firewall is hardware or software that controls incoming and outgoing traffic on a server. Because we use Apache, we will open ports 80 and 443 (HTTP and HTTPS) so that web traffic can reach the server.
First, check the firewall status with the following command:
ufw status
If the firewall is off, you can proceed to the next step. However, we recommend turning the firewall on so that the server is protected from attacks.
To allow ports 80 and 443 (HTTP and HTTPS), along with SSH so that you are not locked out of the server, run the following commands:
ufw allow http
ufw allow https
ufw allow ssh
Then enable Firewall/UFW.
ufw enable
Confirm Firewall status
ufw status
Status: active
To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
244                        ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
244 (v6)
Now you can run Certbot and generate certificates.
Step 4 – Generate the SSL Certificate
Now we can request the certificate with Certbot. Since we are using Apache, we use Certbot's Apache plugin and generate the certificate with a single command. Here we request it for the domain your.domain.com:
certbot --apache -d your.domain.com
The command above sends a certificate request for the domain, and Certbot then asks us to answer and confirm a few questions. Here are the prompts and the answers to give.
On the first run it asks for an email address, which is used for notifications about renewals and other information.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
It then asks you to agree to the Let's Encrypt terms and conditions. Confirm by entering A.
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
Press Enter. Certbot then asks whether we are willing to share the email address in order to receive other information. Select N.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Next, Let's Encrypt verifies the domain. Wait until the process is complete.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for your.domain.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/your.domain.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your.domain.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/your.domain.com-le-ssl.conf
Now that the certificate has been obtained, Certbot asks whether HTTP traffic should be redirected to HTTPS. We recommend redirecting to HTTPS: choose 2.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/your.domain.com.conf to ssl vhost in /etc/apache2/sites-available/your.domain.com-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://your.domain.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your.domain.com
Certbot has now generated the SSL certificate successfully. It then prints the certificate information, showing where the generated files are stored. The resulting files are fullchain.pem and privkey.pem.
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your.domain.com/privkey.pem
   Your cert will expire on 2022-01-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Your certificate is now installed and configured in Apache, and you can access the website using https://. The next step is to make sure the certificate is renewed automatically, because it is only valid for 90 days (3 months).
Install Let's Encrypt on Nginx
Having covered installing Let's Encrypt with the Apache plugin, we now do the same with the Nginx plugin. The installation method is basically the same; only the plugin differs. Here are the steps to install Let's Encrypt on Nginx.
Step 1 – Update the System and Install Certbot
As explained earlier, we will use Certbot to install Let's Encrypt. Certbot is a third-party tool that makes installing Let's Encrypt easier.
First, open a terminal, SSH to the server, and update the package repositories.
apt update && apt upgrade -y
Once the system has been updated and upgraded, install Certbot and the packages it needs. Run the following command:
apt install certbot python3-certbot-nginx
Wait until the process is complete. Next, we confirm the Nginx virtual host configuration, which the installation depends on: Certbot checks the Nginx configuration in order to generate and install the Let's Encrypt certificate.
Step 2 – Nginx Virtual Host Configuration
Before creating a Let's Encrypt SSL certificate with Certbot, make sure the domain or subdomain it will be issued for is declared in a virtual host on the Nginx web server.
Open the file /etc/nginx/sites-available/your.domain.conf and edit server_name. Set server_name to the domain or subdomain for which Certbot will generate the certificate. Here we use the domain your.domain.com as an example.
nano /etc/nginx/sites-available/your.domain.conf
..
server {
    listen 80 default_server;
    root /var/www/html;
    if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
        return 403;
    }
    index index.html index.htm index.nginx-debian.html;
    server_name your.domain.com;
    return 404;
..
Once server_name matches the name to be registered with Let's Encrypt, save the file. Then test the configuration to make sure it is correct and contains no errors.
Nginx Status Check
After saving the configuration, check it with the following command.
nginx -t
If the configuration is correct, the output will be as follows
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
After the configuration test passes, restart the Nginx service.
systemctl restart nginx
When that is done, we continue with the UFW firewall configuration. For firewall configuration details, see UFW Firewall Configuration.
Step 3 – Allow HTTPS Through Firewall
A firewall is hardware or software that controls incoming and outgoing traffic on a server. Because we use Nginx, we will open ports 80 and 443 (HTTP and HTTPS) so that web traffic can reach the server.
First, check the firewall status with the following command:
ufw status
If the firewall is inactive, you can continue to the next step. However, we recommend turning the firewall on so that the server is protected from attacks.
To allow ports 80 and 443 (HTTP and HTTPS), along with SSH so that you are not locked out of the server, run the following commands:
ufw allow http
ufw allow https
ufw allow ssh
Then enable Firewall/UFW.
ufw enable
Confirm Firewall status
ufw status
Status: active
To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
244                        ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
244 (v6)
Now you can run Certbot and generate certificates.
Step 4 – Generate the SSL Certificate
Now we can request the certificate with Certbot. Since we are using Nginx, we use Certbot's Nginx plugin and generate the certificate with a single command. Here we request it for the domain your.domain.com:
certbot --nginx -d your.domain.com
The command above sends a certificate request for the domain, and Certbot then asks us to answer and confirm a few questions. Here are the prompts and the answers to give.
On the first run it asks for an email address, which is used for notifications about renewals and other information.
The prompts are the same as in the Apache installation: you are asked to enter an email address and to agree to the Let's Encrypt terms. After that, Let's Encrypt generates the SSL certificate and creates the your.domain.conf file in the /etc/nginx/sites-available/ directory.
Finally, once the certificate has been obtained, Certbot asks whether HTTP traffic should be redirected to HTTPS. We recommend redirecting to HTTPS: choose 2.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
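A pre-flight check for Steps 2 and 3 of both the Apache and the Nginx procedure, to run before Step 4. It is an added example, not part of the original documentation: it confirms that the virtual host file names the domain and that the ufw status output allows both 80 and 443. The function names and the sample firewall output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check before `certbot --apache` / `certbot --nginx`.

# Print the ports out of 80 and 443 that the `ufw status` text in $1 does not ALLOW.
missing_ports() {
    local port missing=""
    case "$1" in *"Status: inactive"*) return 0 ;; esac   # ufw is filtering nothing
    for port in 80 443; do
        printf '%s\n' "$1" | awk -v p="$port" '
            $2 == "ALLOW" && ($1 == p || $1 == (p "/tcp")) { found = 1 }
            END { exit !found }' || missing="$missing $port"
    done
    printf '%s' "${missing# }"
}

# Succeed if config file $1 names domain $2 in ServerName/ServerAlias (Apache)
# or server_name (Nginx). Comments are ignored; the match is case-insensitive.
vhost_declares() {
    awk -v d="$2" '
        { sub(/#.*/, "") }
        tolower($1) ~ /^(servername|serveralias|server_name)$/ {
            for (i = 2; i <= NF; i++) {
                name = $i; sub(/;$/, "", name)        # Nginx ends the list with ;
                if (tolower(name) == tolower(d)) found = 1
            }
        }
        END { exit !found }' "$1"
}

# preflight VHOST_FILE DOMAIN UFW_STATUS_TEXT: report every problem, return 1 if any.
preflight() {
    local problems=0 missing
    if ! vhost_declares "$1" "$2"; then
        echo "FAIL: $1 does not declare $2"; problems=1
    fi
    missing=$(missing_ports "$3")
    if [ -n "$missing" ]; then
        echo "FAIL: ufw does not allow port(s): $missing"; problems=1
    fi
    [ "$problems" -eq 0 ] && echo "OK: ready to request a certificate for $2"
    return "$problems"
}

# Constructed sample: `ufw allow http` was entered twice, so 443 was never opened.
SAMPLE_UFW='Status: active
To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere'
SAMPLE_VHOST=$(mktemp)
printf '<VirtualHost *:80>\n    ServerName your.domain.com\n</VirtualHost>\n' > "$SAMPLE_VHOST"
preflight "$SAMPLE_VHOST" your.domain.com "$SAMPLE_UFW" || true
rm -f "$SAMPLE_VHOST"
```

On a server the third argument would be "$(ufw status)" and the first the real virtual host file.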
Certbot Auto Update
Because the certificate is only valid for 90 days, it must be renewed before it expires. The installed Certbot package already provides a renewal job (a script in /etc/cron.d/ and the certbot.timer systemd timer), so we only need to make sure the timer is running.
systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Sun 2021-10-24 16:31:06 WIB; 1h 30min ago
    Trigger: Mon 2021-10-25 10:59:43 WIB; 16h left
Oct 24 16:31:06 pdam systemd[1]: Started Run certbot twice daily.
This service runs twice a day and renews any certificate that is within 30 days of its expiration date.
To test the renewal, use the following command.
certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/your.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for your.domain.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/your.domain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/your.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for your.domain.com
Waiting for verification...
Cleaning up challenges
If the test succeeds, the output looks like the display above. If automatic renewal fails, Certbot will send an error message to the email address that was registered when the certificate was generated. For the Official Web Let's Encrypt.
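A monitoring check for the renewal behaviour described above, as an added example that is not part of the original documentation: it reads the report printed by certbot certificates and lists every certificate that is invalid or has fewer than 30 days left, which means the twice-daily renewal has been failing. The function name is hypothetical and the report embedded in the script is a constructed sample.

```shell
#!/usr/bin/env bash
# Added example: flag certificates that certbot.timer should already have renewed.

# overdue_certs [THRESHOLD_DAYS]
# Reads text in the format printed by `certbot certificates` on stdin and prints
# "name<TAB>status" for every certificate that is invalid/expired or has fewer
# than THRESHOLD_DAYS (default 30) left. Returns 1 if anything was printed.
overdue_certs() {
    awk -v limit="${1:-30}" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            status = $0
            sub(/^[^(]*\(/, "", status)     # keep the text inside the outer ( )
            sub(/\)$/, "", status)
            days = -1                        # INVALID: EXPIRED, REVOKED, ...
            if (status ~ /^VALID: [0-9]+ day/) { split(status, f, " "); days = f[2] + 0 }
            else if (status ~ /^VALID: [0-9]+ hour/) days = 0
            if (days < limit) { printf "%s\t%s\n", name, status; bad = 1 }
        }
        END { exit bad }'
}

# Constructed sample report: names other than your.domain.com, and all times, are made up.
SAMPLE_REPORT='Found the following certs:
  Certificate Name: your.domain.com
    Domains: your.domain.com
    Expiry Date: 2022-01-22 09:12:34+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/your.domain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/your.domain.com/privkey.pem
  Certificate Name: stale.your.domain.com
    Domains: stale.your.domain.com
    Expiry Date: 2021-11-04 09:12:34+00:00 (VALID: 11 days)
  Certificate Name: old.your.domain.com
    Domains: old.your.domain.com
    Expiry Date: 2021-10-01 09:12:34+00:00 (INVALID: EXPIRED)'

# On the server: certbot certificates 2>/dev/null | overdue_certs 30
printf '%s\n' "$SAMPLE_REPORT" | overdue_certs 30 || true
```

The non-zero exit status makes the function usable from a cron job or monitoring agent that alerts on failure.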
That's our documentation on installing Let's Encrypt using Certbot. If anything is unclear, you can ask in the comments, and we apologize for any mistakes in wording. Thank you.