For the past several years, browsers have moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. In this post we'll look at how to obtain a domain validated SSL certificate using Let's Encrypt & Certbot via the manual plugin. All in under 5 minutes. And it's free!
If you're in a hurry and just need the steps, skip ahead to the section on obtaining a certificate.
Before you begin, it's important to understand some basics.
Types of certificates
A certificate authority (CA) issues a certificate after validating the subject information included in the certificate. Certificates can be issued:
- via Domain Validation (DV) - here the CA will only verify the domain name, and not verify anything additional.
- via Organisation Validation (OV) - the CA will verify your business, and you will need to provide acceptable business documents for them to verify this. Your company information will be shown on the certificate itself.
- via Extended Validation (EV) - the CA will verify your business ownership. You will need to provide acceptable business documents for both your company and ownership details.
What are we getting?
Since we're using Let's Encrypt, our certificates are standard Domain Validation (DV) certificates. You can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.
In this post I'll show you how to obtain a certificate using the manual approach. Using this approach, we can obtain a certificate by running certbot on a machine other than your target server.
For domain validation, a Certificate Authority verifies that whoever requests the certificate controls the domain that it protects. So to get a certificate using certbot you'll need to prove you own the domain either:
- via the DNS challenge, by adding a TXT DNS record to your domain ... OR ...
- via the HTTP challenge, by placing a file with a specific name and specific content in the /.well-known/acme-challenge/ directory directly in the server's web root.
Pre-requisites
- You'll need access to a system where you have admin privileges. In my case, I spun up an Ubuntu server VM for testing.
- Either:
  - The ability to add a TXT record to your domain ... OR ...
  - A running web server and the ability to add content to the server's web root.
Obtaining a certificate
For those who just want to get started, have a look at this video detailing the steps...
- Install Certbot on your machine
sudo apt-get update
sudo snap install --classic certbot
Here we are using a snap to install certbot on an Ubuntu machine. If you're running something else, look at this article to see other ways of installing certbot.
- Obtain a certificate using DNS Validation
sudo certbot certonly \
--manual \
--preferred-challenges=dns \
--email admin@your-domain.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--work-dir=. --config-dir=. --logs-dir=. \
--agree-tos \
-d your-site.your-domain.com
Remember to replace admin@your-domain.com with your email and your-site.your-domain.com with your domain.
- Since you've used a DNS challenge, certbot will ask you to add a TXT record on your domain. It should look something like this...
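As an added example (not code from the original post or from Certbot), the script below derives from the CA's challenge token and your ACME account key exactly what each challenge asks you to publish: the HTTP-01 file path and content in the web root, and the DNS-01 TXT record name and value that certbot prints, plus a check of a resolver answer against that value before you tell certbot to continue. The token and EC key are the example values from RFC 8555 and RFC 7517, used here as constructed sample input, not real credentials.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    # ACME uses unpadded base64url everywhere (RFC 8555 section 8.1)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638 thumbprint: SHA-256 over the required members only,
    # keys sorted lexicographically, no whitespace; optional members ignored
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                       separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode("ascii")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    # Binds the CA's token to the account key: token || "." || thumbprint
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_challenge(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    # HTTP-01: the key authorization must be served as plain text at this
    # exact path under the web root (the CA fetches it over port 80)
    path = f"/.well-known/acme-challenge/{token}"
    return f"http://{domain}{path}", key_authorization(token, jwk)

def dns01_challenge(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    # DNS-01: TXT record at _acme-challenge.<domain> whose value is
    # base64url(SHA-256(key authorization)); this is the value certbot shows
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)

def txt_record_matches(answers: list[str], expected: str) -> bool:
    # Compare what a resolver returns with the expected value before letting
    # certbot continue; a name may hold several TXT strings, any one may match
    return any(a.strip('"') == expected for a in answers)

# Constructed sample inputs: the token and EC key are the example values from
# RFC 8555 and RFC 7517, not a real CA token or a real account key
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
```

Run `dns01_challenge("your-site.your-domain.com", SAMPLE_TOKEN, SAMPLE_JWK)` to see the record name and value shape; in practice you take the value certbot prints and pass your resolver's TXT answer to `txt_record_matches` to confirm propagation.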
Things you should know
For those of you who are more patient, here's some other useful information you must know.
What is Let's Encrypt?
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
What is Certbot?
Certbot is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring webservers to use them.