SSL certificates using Certbot & Let's Encrypt

For the past several years, browsers have moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. In this post we'll look at how to obtain a domain validated ssl certificate using Let's Encrypt & Certbot via the manual plugin. All in under 5 minutes. And its free!

If you're in a hurry and just need the steps, click here to look at the steps for obtaining a certificate

via: https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html
If you prefer to watch videos, here's a recording of this topic.

Before you begin, its important to understand some basics.

Types of certificates

A certificate authority (CA) issues a certificate after validating the subject information included in the certificate. Certificates issued can be:

  • via Domain Validation (DV) - here the CA will only verify the domain name, and not verify anything additional.
  • via Organisation Validation (DV) - the CA will verify your business, and you will need to provide acceptable business documents for them to verify this. Your company information will be shown on the certificate itself.
  • via Extended Validation (DV) - the CA will verify your business ownership. You will need to provide acceptable business documents or both your company and ownership details.

What are we getting?

Since we're using Let’s Encrypt, our certificates are standard Domain Validation (DV) certificates. You can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.

In this post I'll show you how to obtain a certificate using the manual approach. Using this approach, we can obtain a certificate by running certbot on a machine other than your target server.

For domain validation, a Certificate Authority verifies that whoever requests the certificate controls the domain that it protects. So to get a certificate using certbot you'll need to prove you own the domain either:

  • via the DNS challenge by adding a TXT DNS record to your domain ... OR ...
  • via the HTTP challenge by placing a file with a specific name and specific content in the /.well-known/acme-challenge/ directory directly in the servers web root.

Pre-requisites

  1. You'll need access to a system where you have admin privileges. In my case, I spun up an ubuntu server VM for testing.
  2. Either
    1. The ability to add a TXT record to your domain ... OR ...
    2. Have a running web server and have the ability to add content to the server's web root.

Obtaining a certificate

For those who just want to get started, have a look at this video detailing the steps...

  1. Install Certbot on your machine
sudo apt-get update
sudo snap install --classic certbot

Here we are using a snap to install certbot on an ubuntu machine. If you're running something else, look at this article to see other ways of installing certbot.

  1. Obtain a certificate using DNS Validation
sudo certbot certonly \
    --manual \
    --preferred-challenges=dns \
    --email admin@your-domain.com \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --work-dir=. --config-dir=. --logs-dir=.  \
    --agree-tos \
    -d your-site.your-domain.com

Remember to replace admin@your-domain.com with your email & your-site.your-domain.com with your domain.

  1. Since you've used a DNS challenge, certbot will ask you to add a TXT record on your domain. It should look something like this ..

Things you should know

For those of you who are more patient, here's some other useful information you must know.

What is lets encrypt?

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

FAQ
Last updated: Apr 23, 2020 | See all Documentation This FAQ is divided into the following sections: General Questions Technical Questions General Questions What services does Let’s Encrypt offer? Let’s Encrypt is a global Certificate Authority (CA). We let people and organizations arou…
Learn more about Let's Encrypt here ...

What is Certbot?

Certbot is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring webservers to use them.

Introduction — Certbot 1.7.0.dev0 documentation
Automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates.
Learn more about certbot here ...