Since the early 2010s, there has been a strong push towards security and encryption on the internet. To encourage encryption, Google will prioritize your site higher if it’s encrypted, even if your content is not as good.
In general, setting up an SSL certificate for your site is not that difficult, as long as you’re willing to let your hosting provider do that work for you and pay for their work.
For me, at 1and1, it costs around $70 per year per domain for multi-subdomain SSL encryption. They have a cheaper, single-domain certificate for $30 per year. Now you might think that neither $70 nor $30 seems that high. And that’s true, if you only have 1 or 2 domains. But what if you have 5 domains and you want encryption for the subdomains therein? Now you are looking at $350 per year for just encryption.
This is the reason I looked into Let’s Encrypt certificates. They are free, though I strongly recommend you donate to their efforts, and while not all hosting providers make it easy for you to use the Let’s Encrypt certificates, you can pretty much use them anywhere.
Important note: these instructions are for obtaining an SSL cert on a machine other than the host. If you run your own server, whether a VPS, a cloud instance, or an actual physical host, you should follow these instructions instead: https://certbot.eff.org/
However, if you are like me, with a shared hosting contract where you cannot install certbot on the host and therefore need to get the certificates on a different machine, please follow these instructions:
- Begin the process of getting the certificates by using --manual so the certificates are not installed locally when finished (you may need to run it with sudo, as certbot will create a log in /var/log/…).
sudo certbot certonly --manual
- Enter the appropriate email address
- Accept the terms of service
- Decide whether or not to share your email address
- Enter the domains for which you want to create a certificate. You can create as many as you want, they just need to be comma-separated. For example:
domain1.com, sub.domain1.com, sub2.domain1.com, domain2.com, domain3.com, sub.domain3.com
- Enter Yes for the IP being logged
- For each domain you entered in the step above, you will need to validate ownership. For this step certbot will ask you to create a file under
- So if you entered 2 entries (domains or sub-domains) above, you will need to create 2 files under the location above. Below is an example:
Create a file containing just this data:

xqIp_322onZb-HoSQOV2WOBxVjVbj9LBUEaEQ.F13uE1z6yJ7yryfWPyI_Wt3DrKfeCTp8UOVIfE

And make it available on your web server at this URL:

http://domain.com/.well-known/acme-challenge/xqIp_KmB32Zb-HoSQOV2MBxVjVbj9LBUEaEQ
- In the example above you would do the following:
SSH to the host of your application or site
Navigate to /home/<your-username>/www/.well-known/acme-challenge
echo "xqIp_322onZb-HoSQOV2WOBxVjVbj9LBUEaEQ.F13uE1z6yJ7yryfWPyI_Wt3DrKfeCTp8UOVIfE" > xqIp_KmB32Zb-HoSQOV2MBxVjVbj9LBUEaEQ
- Do that for all of the entries.
- If the process is successful you should get this:
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com/privkey.pem
   Your cert will expire on 2018-05-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
- At this point the certificates have been created and are ready for use. You will now need to copy them over to your host. The certificate is in the fullchain.pem file and the private key is in the privkey.pem file. In my case, I had to copy and paste the contents of both files into my hosting provider SSL manager tool.
- To view the certificate do this (note these are only examples)
sudo cat /etc/letsencrypt/live/domain.com/fullchain.pem
- Note that there are “two” certificates; you only need to copy and paste the first one. Also, make sure to copy and paste the “Begin” and “End” certificate parts (copy lines 2 – 19)
- The same will apply to the private key under privkey.pem.
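The copy step above can also be done from the command line. The helpers below are an added example, not part of the original post: they pull a single certificate (with its BEGIN and END lines) out of fullchain.pem, confirm that privkey.pem belongs to it before both are pasted into the hosting panel, and check how much of the 90-day lifetime is left. The function names are hypothetical, and openssl is assumed to be installed on the machine that ran certbot.

```shell
#!/bin/sh
# Added example (function names are hypothetical). Requires awk, grep, openssl.

# Count the certificates in a PEM bundle such as fullchain.pem.
pem_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Print certificate number N from a bundle, including its BEGIN and END lines.
# In certbot's fullchain.pem, 1 is the site certificate and 2 the intermediate.
pem_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside && n == want           { print }
        /-----END CERTIFICATE-----/   { inside = 0 }
    ' "$2"
}

# Succeed only if the private key ($2) belongs to the certificate ($1), by
# comparing the public key in the certificate with the one derived from the key.
# Returns 2 if either file cannot be parsed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the certificate ($1) is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage, as root because /etc/letsencrypt/live is readable by root only:
#   live=/etc/letsencrypt/live/domain.com
#   pem_cert 1 "$live/fullchain.pem"        # text to paste as the certificate
#   key_matches_cert "$live/fullchain.pem" "$live/privkey.pem" && echo match
#   valid_for_days "$live/fullchain.pem" 30 || echo "renew soon"
```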
That’s it, you should now have FREE SSL encryption working on your host and you have saved enough money for a well-deserved cup of coffee.
- Don’t forget the certificate is only valid for 90 days. This means you will need to renew it 4 times per year.
- More information on certbot is here
- More information on Let’s Encrypt is here