Setting up Let's Encrypt SSL Certificates

By Blake Nichols

Setting up SSL certificates with Let's Encrypt is an easy (and free) way to secure the connections between your users and your web server. It takes less than 10 minutes, keeps your connections secure, and saves you the cost of buying certificates.

We will be using the acme.sh script to interact with Let's Encrypt.

Installing acme.sh

The acme.sh script will be used to create and update certificates for your domains. You can install it from their official GitHub repository: https://github.com/acmesh-official/acme.sh

I recommend installing it at /root/.acme.sh/ and setting the file owner to root.

Adding a domain

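With acme.sh installed, it's time to add your domain to the project. The --issue command validates the domain through your DNS provider's API and obtains the certificate. Run the command below, changing the DNS provider (dns_namecheap) and the domains (blakenichols.com and *.blakenichols.com) to your own. The acme.sh project wiki lists the supported DNS providers, and the DNS hook needs your provider's API credentials set in the environment before you run it. The wildcard domain is quoted so the shell passes it to acme.sh literally instead of expanding it against file names.

cd /root/.acme.sh/

sh acme.sh --issue --dns dns_namecheap -d blakenichols.com -d '*.blakenichols.com'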

Generating the Certificate

With the domain added to your local acme.sh project, it's time to generate the certificate files. The --install-cert command copies the certificate and key to the paths your web server reads and stores the reload command so it is run again after each renewal. Use the same domains (-d) as in the command above and change the paths where the certificates will reside (/etc/letsencrypt/live/blakenichols.com/). You will need to create the directory before running; keep it writable only by root, since it will hold the private key.

cd /root/.acme.sh/

sh acme.sh --install-cert -d blakenichols.com -d '*.blakenichols.com' \
    --cert-file /etc/letsencrypt/live/blakenichols.com/cert.pem \
    --key-file /etc/letsencrypt/live/blakenichols.com/privkey.pem \
    --fullchain-file /etc/letsencrypt/live/blakenichols.com/chain.pem \
    --reloadcmd "sudo service apache2 force-reload"

Updating Apache

Now, with the valid certificates on your server, it's time to add them to the Apache config.

<VirtualHost *:443>
    ...

    SSLEngine On
    SSLCertificateFile "/etc/letsencrypt/live/blakenichols.com/chain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/blakenichols.com/privkey.pem"
</VirtualHost>

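Be sure to update your SSLCertificateFile and SSLCertificateKeyFile paths to match where they were installed. Note that chain.pem here is the file written by --fullchain-file, so it holds the server certificate followed by the intermediate certificates.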

Installing the Cron

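Now that you've got your site secured, it's time to run the cron once a week to keep your certificates up to date. Add this line to your crontab and change the path to your acme.sh file. The line includes a user field (root), which is the format used by the system crontab (/etc/crontab). It's recommended that the script is owned by root.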

@weekly         root    sh /root/.acme.sh/acme.sh --cron

And that's all there is to it! Your site is now secure and certificates will automatically renew.
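
To confirm the result of the steps above, the following script is an added example (not part of the original article or of acme.sh) that checks the installed privkey.pem and cert.pem: key permissions, key/certificate match, remaining validity, and coverage of both the domain and its wildcard. The function names and the make_sample helper are hypothetical, and it assumes GNU stat and the openssl CLI (1.1.1 or later for the constructed sample certificate).

```shell
#!/bin/sh
# Added example: checks on the files written by `acme.sh --install-cert`.
# Function names are hypothetical; assumes GNU stat and the openssl CLI.

key_perms_ok() {       # arg: key file; passes if no group/other permission bits
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in *00|0) return 0 ;; *) return 1 ;; esac
}

key_matches_cert() {   # args: cert key; passes if both hold the same public key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

cert_valid_days() {    # args: cert days; passes if valid for at least that long
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

cert_has_san() {       # args: cert name; exact match, so "*" stays literal
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$2"
}

check_install() {      # args: cert-dir domain [min-days]; returns 1 on any failure
    dir=$1; domain=$2; days=${3:-14}; rc=0
    key_perms_ok "$dir/privkey.pem" ||
        { echo "FAIL: privkey.pem missing or accessible to group/other"; rc=1; }
    key_matches_cert "$dir/cert.pem" "$dir/privkey.pem" ||
        { echo "FAIL: privkey.pem does not match cert.pem"; rc=1; }
    cert_valid_days "$dir/cert.pem" "$days" ||
        { echo "FAIL: cert.pem expires within $days days (is the cron running?)"; rc=1; }
    for name in "$domain" "*.$domain"; do
        cert_has_san "$dir/cert.pem" "$name" ||
            { echo "FAIL: cert.pem does not cover $name"; rc=1; }
    done
    return $rc
}

make_sample() {        # arg: domain; builds a constructed self-signed cert to test with
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1,DNS:*.$1" \
        -keyout "$d/privkey.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    chmod 600 "$d/privkey.pem"
    echo "$d"
}

# Usage: sh check.sh /etc/letsencrypt/live/blakenichols.com blakenichols.com
if [ $# -ge 2 ]; then check_install "$@"; fi
```

Run it as root after the install step and again after a renewal; a non-zero exit status means at least one check failed.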
