DEV Community

Victoria

Install free SSL certificate on your server using Certbot

This guide walks you through installing a free Let's Encrypt SSL/TLS certificate on your server using Certbot.

1. Create an elastic IP for the EC2 instance you are integrating.

  1. Click Allocate new address in the Elastic IPs page.
  2. Then, click Allocate in the next page.
  3. Right-click the row of the newly created elastic IP, and click Associate address.
  4. Choose the EC2 instance you are integrating.

2. Create a DNS record for the domain you are integrating (GoDaddy in this example).

This article assumes you have already bought your domain.

  1. Go to the DNS Management page.
  2. Click Add in the Records section.
  3. Choose A for Type.
  4. Enter @ for Host.
  5. Enter the elastic IP you just created for Points to.
  6. Click Save.
  7. Wait for the change to propagate (this takes at least 600 seconds, depending on the TTL you specified).

3. Connect to the EC2 instance you are integrating.

3.1. Update Operating System

sudo apt update && sudo apt upgrade -y

3.2. Install Nginx

sudo apt install nginx
Verify that Nginx is running
sudo systemctl status nginx

Output:

 nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running)
       Docs: man:nginx(8)
    Process: 30128 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 30129 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 30218 (nginx)
      Tasks: 2 (limit: 2196)
     Memory: 10.1M
        CPU: 77ms
     CGroup: /system.slice/nginx.service
             ├─30218 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
             └─30221 "nginx: worker process"

3.3. Install Certbot

sudo apt install certbot python3-certbot-nginx
Verify that Certbot is installed by running the following command:
certbot --version

Output:

certbot 1.21.0

3.4. Configure Nginx Server

Create an Nginx configuration file for your site in /etc/nginx/sites-available:
sudo nano /etc/nginx/sites-available/your-domain.com.conf
Add the following lines to the file:
server {
    listen 80;
    server_name your-domain.com www.your-domain.com;

    location / {
        # Replace with the address of the application Nginx should forward to.
        # Do not point this at the instance's own elastic IP on port 80: that
        # is Nginx itself, so the request would loop back into this server block.
        proxy_pass http://your-backend-address;
        include proxy_params;
    }

    # Let's Encrypt HTTP-01 validation: challenge files are served from this
    # directory rather than forwarded to the backend.
    location ~ /.well-known/acme-challenge {
        allow all;
        root /var/www/html;
    }
    error_log /var/log/nginx/your-domain.com.error;
    access_log /var/log/nginx/your-domain.com.access;
}

Remember to replace your-domain.com with the domain name of your server.

Save and exit the configuration file.
Enable the new configuration file:
sudo ln -s /etc/nginx/sites-available/your-domain.com.conf /etc/nginx/sites-enabled/your-domain.com.conf
Check Nginx syntax:
sudo nginx -t

Output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart Nginx:
sudo systemctl restart nginx

3.5. Obtain SSL Certificate

Run the following command to obtain the certificate and let Certbot configure Nginx for it:
sudo certbot --nginx

You will be prompted to enter your email address and agree to the terms of service. Then, you will be asked if you want to redirect HTTP traffic to HTTPS. Choose your option and press Enter.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): admin@your-domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Then you will be asked if you want to share your email address with the Electronic Frontier Foundation. Choose your option and press Enter.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Next, you will be asked to select the domain on which you want to install the Let’s Encrypt SSL:

Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your-domain.com
2: www.your-domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Enter the number corresponding to your domain name and press Enter.
If the SSL certificate is successfully obtained, certbot displays a message to show the configuration was successful:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your-domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your-domain.com/privkey.pem
   Your cert will expire on 2024-08-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You can now open your website using https://, and you'll see a padlock icon in the browser's address bar.
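For reference, this is roughly what the server block from 3.4 looks like once certbot --nginx has finished and you chose the redirect option. It is an added illustration, not the post's own file: the exact lines the plugin writes vary by Certbot version, and the proxy_pass target is a placeholder.

```nginx
server {
    server_name your-domain.com www.your-domain.com;

    location / {
        proxy_pass http://your-backend-address; # placeholder: the application Nginx forwards to
        include proxy_params;
    }

    location ~ /.well-known/acme-challenge {
        allow all;
        root /var/www/html;
    }
    error_log /var/log/nginx/your-domain.com.error;
    access_log /var/log/nginx/your-domain.com.access;

    # Added by the Certbot nginx plugin: the certificate and key from 3.5 plus
    # the TLS settings (protocols, ciphers) shipped with Certbot.
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# The block Certbot adds when you choose to redirect HTTP to HTTPS: requests
# for the site's names get a 301 to https://, anything else a 404.
server {
    if ($host = www.your-domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = your-domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name your-domain.com www.your-domain.com;
    return 404; # managed by Certbot
}
```

If your file looks different, sudo nginx -t followed by grep -n "managed by Certbot" /etc/nginx/sites-enabled/your-domain.com.conf shows exactly which lines the plugin touched.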

3.6. Verifying Certbot Auto-Renewal

The Certbot logs are the best place to start when verifying auto-renewal. The logs will contain information about any renewal attempts and any errors that may have occurred. You can access the Certbot logs by running the following command:

sudo cat /var/log/letsencrypt/letsencrypt.log

You can test the renewal process by manually running the Certbot renewal command. To do this, run the following command:

sudo certbot renew --dry-run

This simulates a renewal attempt against the Let's Encrypt staging environment and reports the outcome. If the dry run succeeds, you should see a message indicating that all simulated renewals succeeded.

Check the Certificate Expiration Date.

Finally, you can check the expiration date of your certificate to ensure that it has been renewed. You can do this by visiting your website and checking the certificate information in your browser’s security settings.
If you encounter any issues with the auto-renewal process, it is recommended that you reach out to the Let’s Encrypt community or consult the Certbot documentation for assistance.
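The checks from this section gathered into one script, as an added example that is not part of the original post. It assumes the Ubuntu certbot package (which installs a certbot.timer systemd unit to run renewals) and GNU date; CERT_NAME is the directory name under /etc/letsencrypt/live, normally your domain.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the auto-renewal
# setup above. Assumes the Ubuntu certbot package (it installs certbot.timer)
# and GNU date. CERT_NAME is the directory under /etc/letsencrypt/live,
# normally your domain. Run the live checks as root.
set -eu
CERT_NAME="${CERT_NAME:-your-domain.com}"
LIVE_DIR="/etc/letsencrypt/live/$CERT_NAME"

# Whole days between a UNIX timestamp and an OpenSSL "notAfter" date such as
# "Aug 12 00:00:00 2024 GMT" (the format openssl x509 -enddate prints).
# Negative means the certificate has already expired.
days_between() {
    exp_epoch=$(date -u -d "$2" +%s)
    echo $(( (exp_epoch - $1) / 86400 ))
}

# Days left on the certificate file Certbot wrote. Certbot renews when 30 or
# fewer remain, so a value below that after a renewal run means renewal failed.
days_until_expiry() {
    not_after=$(openssl x509 -enddate -noout -in "$1" | cut -d= -f2)
    days_between "$(date +%s)" "$not_after"
}

# The same check against what Nginx actually serves: a certificate renewed on
# disk but never reloaded into Nginx still expires in the browser.
days_until_served_expiry() {
    not_after=$(openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -enddate -noout | cut -d= -f2)
    days_between "$(date +%s)" "$not_after"
}

check_renewal() {
    # Nothing runs "certbot renew" on its own if the timer is not active.
    systemctl is-active --quiet certbot.timer || echo "WARN: certbot.timer is not active"
    if certbot renew --dry-run >/dev/null 2>&1; then
        echo "dry-run renewal: OK"
    else
        echo "WARN: dry-run renewal failed, see /var/log/letsencrypt/letsencrypt.log"
    fi
    echo "days left on disk:   $(days_until_expiry "$LIVE_DIR/fullchain.pem")"
    echo "days left as served: $(days_until_served_expiry "$CERT_NAME")"
}

# Only touch the live system when invoked as: sudo sh check-renewal.sh run
if [ "${1:-}" = "run" ]; then
    check_renewal
fi
```

A gap between the two "days left" values means Nginx is still serving the old certificate; sudo systemctl reload nginx closes it.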

Revoking Let’s Encrypt certificates

To revoke a Let’s Encrypt SSL certificate, you can use the certbot revoke command.

First, stop your Nginx web server:
sudo systemctl stop nginx
Run the certbot revoke command, specifying the certificate you want to revoke:
sudo certbot revoke --cert-path /etc/letsencrypt/live/your-domain.com/fullchain.pem

You’ll need to replace /etc/letsencrypt/live/your-domain.com/fullchain.pem with the actual path to your certificate file.

Start your web server again:
sudo systemctl start nginx

Once revoked, the certificate is no longer trusted by browsers and can no longer be used to encrypt your website traffic.
This is useful if, for example, you need to transfer the domain to another owner or if you suspect that your private key has been compromised.
