Using Let’s Encrypt SSL certs on your site

Summary

Since the early 2010s there has been a strong push towards encryption on the internet. To encourage it, Google has used HTTPS as a (lightweight) ranking signal since 2014, so an encrypted site can rank a little higher than an otherwise comparable unencrypted one.

In general, setting up an SSL (TLS) certificate for your site is not difficult, as long as you are willing to let your hosting provider do the work for you and pay for it.

For me, at 1and1, it costs around $70 per year per domain for a certificate that covers multiple subdomains. They have a cheaper single-domain certificate for $30 per year. Now you might think that neither $70 nor $30 seems that high, and that is true if you only have one or two domains. But what if you have 5 domains and want encryption for the subdomains of each? Now you are looking at $350 per year for encryption alone.

This is why I looked into Let’s Encrypt certificates. They are free (though I strongly recommend donating to their efforts), and while not all hosting providers make them easy to use, you can use them pretty much anywhere.

Details

Important note: these instructions are for obtaining a certificate on a machine other than the host that will serve it. If you run your own server, whether a VPS, a cloud instance or a physical host, follow the certbot instructions instead: https://certbot.eff.org/

However, if you are like me and have a shared hosting contract, cannot install certbot on the host, and therefore need to obtain the certificates on a different machine, follow these instructions:

Steps

  • Start by running certbot with certonly (obtain the certificate only, do not install it anywhere on this machine) and --manual (you will satisfy the domain-validation challenge by hand on the remote host). You may need sudo, since certbot writes its log under /var/log/… and stores the certificate and key under /etc/letsencrypt.
sudo certbot certonly --manual
  • Enter the appropriate email address
  • Accept the terms of service
  • Decide whether or not to share your email address
  • Enter the domains you want in the certificate, comma-separated. You can list as many as you want; every name becomes a Subject Alternative Name in the one certificate, and each one has to pass validation. For example:
domain1.com, sub.domain1.com, sub2.domain1.com, domain2.com, domain3.com, sub.domain3.com
  • Enter Yes to acknowledge that the IP address of the machine running certbot will be logged
  • For each name you entered in the step above, you will need to prove control of it. Certbot will ask you to create a file under the acme-challenge directory of the web root on the hosting server (the exact path depends on your provider); on my host that is
/home/<your-user>/www/.well-known/acme-challenge
  • So if you entered two names (domains or subdomains) above, you will need to create two files, one per name, under that location. Below is an example of what certbot asks for:
Create a file containing just this data:
xqIp_322onZb-HoSQOV2WOBxVjVbj9LBUEaEQ.F13uE1z6yJ7yryfWPyI_Wt3DrKfeCTp8UOVIfE

And make it available on your web server at this URL:
http://domain.com/.well-known/acme-challenge/xqIp_KmB32Zb-HoSQOV2MBxVjVbj9LBUEaEQ
  • The file name is the part of that string before the dot (the ACME token); the part after the dot is the thumbprint of your certbot account key. In real certbot output the token in the file name and in the file contents are identical; the values shown here are only illustrative. In the example above you would do the following:
SSH to the host of your application or site
mkdir -p /home/<your-user>/www/.well-known/acme-challenge    (only needed the first time)
cd /home/<your-user>/www/.well-known/acme-challenge
echo "xqIp_322onZb-HoSQOV2WOBxVjVbj9LBUEaEQ.F13uE1z6yJ7yryfWPyI_Wt3DrKfeCTp8UOVIfE" > xqIp_KmB32Zb-HoSQOV2MBxVjVbj9LBUEaEQ
  • Before pressing Enter in certbot, open the URL it printed in a browser (or fetch it with curl) and check that exactly that string comes back. If you get a 404, the usual causes are a different web root on the host, or the server refusing to serve dotted directories or files without an extension; fix that first, because Let’s Encrypt fetches the file over plain HTTP from the outside and the challenge fails otherwise.
  • Do that for every name you entered; certbot prompts for them one at a time.
  • If the process is successful you should see output like this:
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem

Your cert will expire on 2018-05-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
  • At this point the certificate has been issued and is ready for use; now copy it over to your host. The certificate (with its chain) is in fullchain.pem and the private key in privkey.pem. In my case, I had to copy and paste the contents of both files into my hosting provider’s SSL manager tool. privkey.pem is the secret that makes the certificate worth anything: leave it readable by root only (certbot already does that under /etc/letsencrypt), paste it only into the provider’s management UI over an HTTPS session, and never send it by email or through a support ticket.
  • To view the certificate, do this (the output below is only an abbreviated example):
sudo cat /etc/letsencrypt/live/domain.com/fullchain.pem
-----BEGIN CERTIFICATE-----
MIIEABAgISA9UkNCCjBf0l4QW25YR/wl18MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODAyMTIxODExNDdaFw0x
ODA1MTMxODExNDdaMBcxTBgNVBAMTDGRvY3RvcjQ2LmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKNZRZgaoQPAkqIicKNlrKCN36MIkRM3yL6U
QGjuEz8vQmvRyEykrTBRwvHDhTn5xtwiEw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBh
MC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
MC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAXBgNVHREEEDAOggxkb2N0b3I0Ni5jb20yZXBvc2l0b3J5LzANBgkq
hkiG9w0BAQsFAAOCAQEAj1ZhOYDs+ZOJlpePRu0ozEFhlsdkscT2GN66v4cLAjdt
vdjg49nFJawHCk5ZMN9vOkIXBUYPnqs2VxJHOExEl6UjXqKTOoGmW/O0LK8RqCA+
1eGA8gBKNC3AUiK0hSDdf7wD+KmbTZqELYeEq4LrtUpn598Xz0jAGk+v9MwHRI/w
7o5ipSWq53hsiRyYqfHifiwscDkHhlmNMDOnwgLR25Cw1gDlg3o6hpqVKenyk7Jj
pGOwOj3sEIrbbfv1d8rTOjKrJAGf2JVyTlCLD/v6SGEzkzfL3o22bFKbcATQrRtA
tY9qlV1OqaSz/hjL3zTYcy+uI3VHz7czL7n6ZPuxNg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
gAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgjsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
  • Note that there are two certificates in fullchain.pem: the first is your site’s certificate, the second is the Let’s Encrypt intermediate that chains it to a trusted root. Into the certificate field you only need to paste the first one, and make sure to include its “BEGIN CERTIFICATE” and “END CERTIFICATE” lines (lines 2 – 19 of the output above). If your provider’s tool has a separate “chain” or “CA bundle” field, paste the second certificate there; without the intermediate, most browsers still build the chain on their own, but some clients (older Android and command-line tools such as curl) will fail to verify.
  • The same applies to the private key in privkey.pem: paste it whole, including its BEGIN and END lines.
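As an added example of the whole procedure above (this is not code from the original post), here is a small POSIX shell helper for the two places where it is easy to slip: writing the challenge file so that its name is the token and its contents the full token.thumbprint string, and checking, before anything is pasted into the provider’s tool, that privkey.pem really belongs to the first certificate in fullchain.pem. The web root path is passed in because it differs per provider; the openssl and curl command-line tools are assumed for the optional checks; and the challenge strings used in the comments and tests are constructed samples, not real certbot output.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the manual HTTP-01 flow.
# Assumptions: a POSIX shell on the hosting account, the web root passed as an
# argument (it varies per provider), and the openssl/curl CLIs for the optional
# checks. All challenge strings used with these functions are constructed samples.

# Certbot's "file containing just this data" is the ACME key authorization,
# <token>.<account-key-thumbprint>; the file name certbot expects is <token>.
acme_token() {
  printf '%s' "$1" | cut -d. -f1
}

# Write the challenge file under <webroot>/.well-known/acme-challenge/<name>.
# Refuses if <name> is not the token inside <keyauth>, which catches a
# copy-paste mix-up before the validator fails on it. Prints the file path.
place_challenge() {
  pc_root=$1 pc_keyauth=$2 pc_name=$3
  [ "$(acme_token "$pc_keyauth")" = "$pc_name" ] || {
    echo "place_challenge: file name does not match the token in the key authorization" >&2
    return 1
  }
  pc_dir="$pc_root/.well-known/acme-challenge"
  mkdir -p "$pc_dir"
  # printf rather than echo: no trailing newline and no escape processing
  printf '%s' "$pc_keyauth" > "$pc_dir/$pc_name"
  chmod 644 "$pc_dir/$pc_name"      # the web server (and so the validator) must be able to read it
  printf '%s\n' "$pc_dir/$pc_name"
}

# Before pressing Enter in certbot: fetch the file the way Let's Encrypt will
# (plain http, redirects followed) and compare it with what certbot asked for.
# Needs network access, so it is not exercised by the offline tests.
check_served() {
  cs_got=$(curl -fsSL "http://$1/.well-known/acme-challenge/$(acme_token "$2")") || return 1
  [ "$cs_got" = "$2" ]
}

# After issuance, before pasting into the provider's SSL manager: does the
# private key belong to the first certificate in fullchain.pem? Compares the
# SHA-256 of the public key extracted from each side.
cert_key_match() {
  ckm_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256) || return 1
  ckm_key=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256) || return 1
  [ "$ckm_cert" = "$ckm_key" ]
}

# Show which names and validity period the certificate actually carries
# (the -ext option needs OpenSSL 1.1.1 or newer).
cert_summary() {
  openssl x509 -in "$1" -noout -subject -dates -ext subjectAltName
}
```

Typical use on the hosting account is `place_challenge "$HOME/www" '<string certbot printed>' '<file name certbot printed>'` followed by `check_served domain.com '<string certbot printed>'` before pressing Enter; on the machine that ran certbot, `cert_key_match /etc/letsencrypt/live/domain.com/fullchain.pem /etc/letsencrypt/live/domain.com/privkey.pem` (as root) confirms the pair before you paste either file anywhere.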

That’s it, you should now have free SSL encryption working on your host and have saved enough money for a well-deserved cup of coffee. One caveat: Let’s Encrypt certificates are valid for 90 days, and because this one was obtained with --manual and no --manual-auth-hook, certbot renew cannot renew it unattended. Note the expiry date certbot printed, and before it arrives re-run the certonly command, repeat the challenge step, and paste the new certificate and key into your host again.
