This article details the steps to install a free SSL certificate from Let's Encrypt using Certbot.
Note that the steps here are for a server using Nginx and the CentOS operating system, which is the case if you are using our deployment manager or setup scripts.
Steps to provision and install a certificate
- Navigate to https://certbot.eff.org/
- In the "I'm using" section, select your web server in the first tab and your OS in the second tab
- If you selected Nginx and CentOS/RHEL 7, then on the next step you need to install their basic package, as below
- Log in to your server using a terminal, i.e. SSH into your server as root
- Run the command
sudo yum install certbot-nginx
- In the terminal, open the file /etc/nginx/conf.d/https.conf with an editor (preferably the "vi" editor). The command to do this would simply be
vi /etc/nginx/conf.d/https.conf
- Put the domain name that the certificate will be for in the server_name section in the file. Example:
server_name testing.funnelflux.com;
You will need to press i to switch to insert/edit mode first to make these changes.
- Save the changes in /etc/nginx/conf.d/https.conf by hitting Esc or ctrl+C (to exit insert/edit mode), then typing :wq and hitting enter. This will save your changes permanently if done correctly.
- After you get back to the SSH prompt, continue installing the certificate by running the command below (as also shown on the certbot page):
sudo certbot --nginx
- Enter all needed details asked for by the certbot command (as from the previous steps) and your certificate should be installed
- If everything was done correctly, you should have the SSL certificate installed. You can now test https://your-domain.com
Note: if you hate editing in terminals, you could use something like WinSCP and log in to your server. This is like FTP but via SSH. You could then find the above files and edit using notepad or similar. However, you will still need terminal access to execute commands for installation.
Renewing certificates (Important!)
Certificates expire after 90 days.
You can renew your certificate manually with the SSH command
certbot renew
or create a cron job to do it automatically.
To create a cron job, for example one that runs every day, open your crontab editor with the SSH command
crontab -e
and enter the following line:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
Save the changes on the above (much like earlier, hit Esc and type :wq, then hit enter).
Adding certificates for many domains (e.g. CNAMEs)
Many customers will use CNAMEs and will want these to use SSL as well.
Certbot is able to issue "SAN" certificates that can contain many domains.
See the following alterations for using many domains:
- Edit the nginx https.conf as before but put a list of domains instead, e.g.
vi /etc/nginx/conf.d/https.conf
and then enter something such as:
server_name domain1.com domain2.com sub.domain3.com;
- Install the certificates by specifying each domain:
sudo certbot --nginx -d domain1.com -d domain2.com -d sub.domain3.com
That should be all that is required to provide SSL certificates for multiple domains.
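A post-install check for the multi-domain setup above, as an added example that is not part of the original article: it lists any server_name entry that the certificate's SAN list does not cover, for instance a domain added to https.conf without a matching -d. The function names and sample texts are constructed for illustration, and the certificate path in the comment assumes Certbot's default layout.

```shell
#!/bin/sh
# Added example: list nginx server_name entries a certificate's SAN list does not cover.

# Hostnames from server_name directives; nginx config text on stdin.
# Splitting on ';' handles a directive that spans several lines.
server_names() {
  sed 's/#.*//' | tr '\n' ' ' | tr ';' '\n' |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "server_name")
             for (j = i + 1; j <= NF; j++) print $j }' | sort -u
}

# DNS names from `openssl x509 -noout -text` output on stdin.
san_names() {
  grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2 | sort -u
}

# covered HOST SAN_LIST: true if HOST equals a SAN or matches a one-label wildcard SAN.
covered() {
  c_host=$1
  while read -r c_san; do
    if [ "$c_host" = "$c_san" ]; then return 0; fi
    case $c_san in
      '*.'*) if [ "$c_host" != "${c_host#*.}" ] &&
                [ "${c_host#*.}" = "${c_san#??}" ]; then return 0; fi ;;
    esac
  done <<EOF
$2
EOF
  return 1
}

# uncovered CONF_TEXT CERT_TEXT: print each server_name the certificate does not cover.
uncovered() {
  u_sans=$(printf '%s\n' "$2" | san_names)
  printf '%s\n' "$1" | server_names | while read -r u_host; do
    covered "$u_host" "$u_sans" || printf '%s\n' "$u_host"
  done
}

# Constructed sample: three names in nginx, certificate issued for only two.
SAMPLE_CONF='server {
    listen 443 ssl;  # constructed
    server_name domain1.com domain2.com
                sub.domain3.com;
}'
SAMPLE_CERT='            X509v3 Subject Alternative Name:
                DNS:domain1.com, DNS:domain2.com'
uncovered "$SAMPLE_CONF" "$SAMPLE_CERT"
# Real use (assumed path): uncovered "$(cat /etc/nginx/conf.d/https.conf)" \
#   "$(openssl x509 -in /etc/letsencrypt/live/<your-domain>/cert.pem -noout -text)"
```

Empty output means every name nginx serves is in the certificate; any printed name needs to be added with another -d when running certbot.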