If you have decided to add HTTPS support to your site, you may want to look at Certbot, because it is an easy and fast way to accomplish everything you need.
Let's Encrypt & Certbot
Let's Encrypt is a free and automated certificate authority (automated via the ACME protocol) and, as you may guess, Certbot is one of the many available clients for it, and one that makes things really simple.
Install Certbot
We use CentOS 7, and Certbot has prepared instructions that you can copy & paste:
sudo yum install epel-release
sudo yum install certbot
They also have instructions for other platforms; check their main page for installation instructions if you use another OS.
Get SSL Certificates
Certbot has a plugin system. The most promising plugin is nginx, but there are some notes in the docs:
The Nginx plugin is still experimental... Nginx Web Server - currently doesn't work
I have a bunch of virtual servers and didn't want to mess everything up, so I decided to go with another plugin that suited my situation quite well - the webroot plugin.
The webroot Plugin
The principle of this plugin is quite simple: you point it to your web server's root directory, it creates the .well-known/acme-challenge directory there and puts an ACME challenge file in it. Let's Encrypt then fetches that file over HTTP, and this is how you prove that the specified domain is yours. You can get more information about the verification process at Let's Encrypt.
The main benefit of this approach is that you don't need to stop your web server at all. It's also possible to obtain one certificate for many domains at once (a so-called SAN certificate). Here is how you can achieve this:
certbot certonly --webroot -w /var/www/4devs/example.com/current/web -d example.com -w /var/www/4devs/example2.com/current/web -d sub1.example2.com -d sub2.example2.com
Here we have the following parts:
certonly - with this command Certbot only obtains the certificates; it won't modify your web server's configuration and won't install them automatically;
--webroot - this is how we specify the plugin we want to use;
-w - a flag for a web root directory of your web server. After this flag, you just write a path;
-d - a flag to specify a domain. You can use many such flags after a -w flag: it's possible to specify many domains (aliases) as long as they share the same web root directory.
All generated keys and issued certificates can be found in /etc/letsencrypt/live/$domain. If you request a certificate for multiple domains at once, you get a single certificate, and its directory is named after the first domain you listed. For our example above, we will have to look in /etc/letsencrypt/live/example.com.
Configure Nginx
Now you need to update your virtual server's configuration:
server {
    listen 443 ssl http2;
    server_name <ALL SERVER NAMES FOR A GIVEN CERTIFICATE>;
    ssl_certificate <PATH TO THE fullchain.pem FILE>;
    ssl_certificate_key <PATH TO THE privkey.pem FILE>;
}
Don't forget to reload nginx via:
sudo nginx -s reload
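As an added example (not the post's own configuration), here is how the HTTPS block fits together with a plain-HTTP block that keeps serving the ACME challenge directory from the webroot, so that later renewals still work after all other traffic is redirected to HTTPS. It reuses the example.com webroot and the /etc/letsencrypt/live/example.com paths from the steps above; anything else is an assumption.

```nginx
# Added example, not the post's own config. Paths reuse the webroot and the
# /etc/letsencrypt/live/example.com directory from the steps above.

# Plain HTTP: keep serving the ACME challenge directory from the webroot so
# that "certbot renew" keeps working, and send everything else to HTTPS.
server {
    listen 80;
    server_name example.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/4devs/example.com/current/web;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS: the webroot plugin never touches this block, so the paths are filled
# in by hand. fullchain.pem already contains the intermediate certificate.
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/4devs/example.com/current/web;
}
```

Check the syntax with sudo nginx -t before reloading; a request for a path under /.well-known/acme-challenge/ should then be answered by nginx directly (a 404 for a missing token) rather than redirected.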
Caveats and Limits
Let's Encrypt has some limits you should be aware of. The most important one is that Let's Encrypt certificates last for 90 days. You don't want to forget to renew your certificates, do you? This can be easily automated.
Automated Certificate Renewal
We'll solve this by using crontab, but, first of all, I recommend you run this command under the user you will configure crontab for and check the output to see if everything is OK.
certbot renew --dry-run
There may be some problems with permissions. If everything is OK, then call crontab -e and set up a crontab task in it:
# Renew SSL certificates using certbot / let's encrypt (twice/day)
X */12 * * * certbot renew --quiet
Note: replace X with a value from 0 to 59.
It's recommended to run this command more often than once per 3 months; the task above runs it twice per day. To understand crontab better, use Crontab Guru, suggested by @bfredit. If your certificates are still fresh, this command won't do anything.
Conclusions
It took me 5 minutes to configure everything, and I enjoyed the process, so I recommend you try this approach.