
Secure Your Domain With Let’s Encrypt Free and Forever


You have to make sure that your domain is secure nowadays. Search engines often rank your website lower than your competitors simply because their domain is secure and yours is not. If you are running an e-commerce website there is nothing more to say: you have to get that green lock in the address bar, and your users' and readers' privacy is also something you want to keep safe. In this blog post I will show you how to quickly get the HTTPS green lock for a domain and website served with Apache, and I won't get into the details of what SSL/TLS certificates are.

Let’s Encrypt is a certificate authority (a company that got the stamp from the “internet” to give domains SSL/TLS certificates) that gives you a free certificate for a few months (I think 3 months as of the date this article was posted). In this tutorial we will get the certificate, install it and create a script that renews the certificate automatically every month (with a tool called Lego, a Let’s Encrypt client written in Go). The process I will show you was done on a Linux (Debian) machine for an Apache server, but of course it could be done similarly for other web servers (such as Nginx).

Before we start, please make sure you back up all the files we are about to change. I take no responsibility for something that breaks because some commands are not suitable for the versions or tools you use.

So the first thing is to download and install the Lego tool. You need shell access to your machine for this to work. Please run the following commands in your terminal window:

cd /tmp
curl -s https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
# please check the version number of the lego tool: you can see it in the terminal after the download (the tar file is named with the version number) or here https://github.com/xenolf/lego/releases
# in the next command replace A.B.C with that version number
tar xf lego_vA.B.C_linux_amd64.tar.xz
sudo mv lego /usr/local/bin/lego

Next thing is to get the certificate for the domain:

  1. Shut down your apache server
    sudo service apache2 stop
    
  2. Please run the following command and replace the MY_EMAIL@EXAMPLE.COM and MYDOMAIN.DOMAIN with the real values
    sudo lego --email="MY_EMAIL@EXAMPLE.COM" --domains="MYDOMAIN.DOMAIN" --path="/etc/lego" run
    
  3. You will probably have to go through some steps and agree to the terms of service.
  4. You should now see the certificates (at least two files, .key and .crt)
    cd /etc/lego/certificates
    ls -la
    

The following step is relevant to Apache users. The paths may not match your setup on the machine, but this is pretty much the same on most setups. You need to find the Apache .conf file your server uses; it will probably be located in /etc/apache2/sites-enabled (for example wordpress.conf, or if you use Bitnami you can find it in /opt/bitnami/apps/myapp/conf/).

  1. BACKUP YOUR OLD .CRT AND .KEY FILES IF YOU HAVE THEM.
  2. Open your .conf file with a text editor (vi, nano or whatever editor you prefer)
    cd /etc/apache2/sites-enabled
    sudo vi wordpress.conf
    
  3. Under the <VirtualHost *:443> and just before it closes with </VirtualHost> please add the following
    SSLEngine on
    SSLCertificateFile "/etc/lego/certificates/DOMAIN.crt"
    SSLCertificateKeyFile "/etc/lego/certificates/DOMAIN.key"
    

    Replace DOMAIN with the file names we got above. The certificate (.crt) goes in SSLCertificateFile and the private key (.key) in SSLCertificateKeyFile; if both directives end up pointing at the .key file (an easy copy-and-paste mistake) Apache will refuse to start. Lego's .crt already contains the intermediate chain, so on Apache 2.4.8 or later no separate SSLCertificateChainFile is needed.

  4. Start your apache
    sudo service apache2 start
    

The final step is to automate this process so your certificate is renewed automatically once a month.

  1. Create the file /etc/lego/renew.sh
    sudo vi /etc/lego/renew.sh
    and paste this code inside (again, replace the placeholders with the relevant values)

    #!/bin/bash
    sudo service apache2 stop
    sudo /usr/local/bin/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" renew
    sudo service apache2 start
    
  2. Make this file executable
    sudo chmod +x /etc/lego/renew.sh
    
  3. Add this script to root's crontab so it runs once a month (on the 1st day of each month)
    sudo crontab -e
    
  4. Add the following line at the bottom of the file (the original `2&> /dev/null` is not valid redirection syntax for the /bin/sh that cron uses; this form discards both stdout and stderr)
    0 0 1 * * /etc/lego/renew.sh > /dev/null 2>&1
    Note that `lego renew` only reissues the certificate when it is within the number of days set by its --days option of expiring, so check that threshold for your Lego version is at least a month, otherwise a monthly run can skip the renewal and the certificate expires before the next one.
    
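A hardened version of renew.sh, added here as an example (it is not from the original post): it always brings Apache back up even when lego fails, checks that the certificate and key are readable and not expired before Apache is started on them, and logs each run instead of throwing the output away. It assumes the paths used above (/usr/local/bin/lego, /etc/lego), that openssl is installed, that it runs from root's crontab (so no sudo), and that EMAIL-ADDRESS and DOMAIN are replaced with your values.

```shell
#!/bin/sh
# Hardened version of renew.sh: Apache is restarted even if lego fails, the
# renewed certificate is sanity-checked before Apache is started on it, and
# each run is logged instead of discarded. Runs from root's crontab, so no sudo.
# EMAIL-ADDRESS and DOMAIN are placeholders: replace them with your values.
set -u
EMAIL="${EMAIL:-EMAIL-ADDRESS}"
DOMAIN="${DOMAIN:-DOMAIN}"
LEGO_PATH="/etc/lego"
CERT="$LEGO_PATH/certificates/$DOMAIN.crt"
KEY="$LEGO_PATH/certificates/$DOMAIN.key"
LOG="${LOG:-/var/log/lego-renew.log}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# Each step is a small function so it can be swapped out or tested alone.
stop_apache()  { service apache2 stop; }
start_apache() { service apache2 start; }
run_lego_renew() {
    /usr/local/bin/lego --email="$EMAIL" --domains="$DOMAIN" --path="$LEGO_PATH" renew
}
# True only if certificate and key are readable and the certificate is not
# expired right now (openssl exits 0 when the cert is still valid after 0 s).
cert_is_usable() {
    [ -r "$1" ] && [ -r "$2" ] && openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Exit status: 0 lego ran and the certificate checks out, 1 lego failed,
# 2 the certificate failed the check. Apache is started again in every case
# so the site does not stay down; a non-zero status lets cron (MAILTO) or a
# monitor flag the run for you.
renew_certificate() {
    rc=0
    stop_apache || log "warning: could not stop apache"
    if run_lego_renew; then
        log "lego renew finished for $DOMAIN"
    else
        rc=1; log "error: lego renew failed for $DOMAIN"
    fi
    if [ "$rc" -eq 0 ] && ! cert_is_usable "$CERT" "$KEY"; then
        rc=2; log "error: $CERT or $KEY missing, unreadable or expired"
    fi
    start_apache || log "error: apache failed to start, site is down"
    return "$rc"
}

# Only run the job when invoked as the cron script itself (/etc/lego/renew.sh).
case "$0" in */renew.sh|renew.sh) renew_certificate ;; esac
```

Point the cron line at this file instead of the simpler script and drop the `> /dev/null` part if you want cron to mail you the output of a failed run.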

Your domain should be secured now with a fresh and free certificate.

(Image: Secure website)

Cheers.