Here we will detail the steps to install a free SSL certificate from Let's Encrypt/Certbot.

Note that the steps here are for a server running Nginx on the CentOS operating system, which is the case if you are using our deployment manager or setup scripts.


Steps to provision and install a certificate

  1. Navigate to https://certbot.eff.org/
  2. In the "I'm using" section, select your web server in the first tab and your OS in the second tab
  3. If you selected Nginx and CentOS/RHEL 7, then on the next step you need to install their basic package, as below
  4. Log in to your server using a terminal, i.e. SSH into your server as root
  5. Run the command sudo yum install certbot-nginx 
  6. In the terminal, open the file /etc/nginx/conf.d/https.conf with an editor (preferably the "vi" editor).
    The command to do this would simply be vi /etc/nginx/conf.d/https.conf 
  7. Put the domain name that the certificate will be for in the server_name section of the file. Example: server_name testing.funnelflux.com; . You will need to press i to switch to insert/edit mode first to make these changes.
  8. Save the changes in /etc/nginx/conf.d/https.conf by hitting Esc or Ctrl+C (to exit insert/edit mode), then typing :wq and hitting Enter. This will save your changes permanently if done correctly.
  9. After you get back to the SSH prompt, continue installing the certificate by running the command below (as also shown on the certbot page):
    sudo certbot --nginx 
  10. Enter all needed details asked for by the certbot command (as from the previous steps) and your certificate should be installed
  11. If everything was done correctly, you should have the SSL certificate installed. You can now test https://your-domain.com


Note: if you hate editing in terminals, you could use something like WinSCP and log in to your server. This is like FTP but via SSH. You could then find the above files and edit using notepad or similar. However, you will still need terminal access to execute commands for installation.


Renewing certificates (Important!)

Certificates expire after 90 days. 

You can renew your certificate manually with the SSH command certbot renew  or create a cron job to do it automatically.

To create a cron job that runs every day, for example, open your crontab editor with the SSH command crontab -e and enter the following line:

0 0 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew


Save the changes (much like earlier, hit Esc and type :wq )


Adding certificates for many domains (e.g. CNAMEs)

Many customers will use CNAMEs and will want these to use SSL as well.

Certbot is able to issue "SAN" certificates that can contain many domains.

See the following alterations for using many domains:

  1. Edit the nginx https.conf as before but put a list of domains instead, e.g. vi /etc/nginx/conf.d/https.conf  and then enter something such as:
    server_name domain1.com domain2.com sub.domain3.com; 
  2. Install the certificates by specifying each domain:
    sudo certbot --nginx -d domain1.com -d domain2.com -d sub.domain3.com 

That should be all that is required to provide SSL certificates for multiple domains.
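
When the server_name list grows, the -d list passed to certbot has to match it name for name. The script below is an added example (not part of the original guide or of Certbot) that derives the command from the config file; the function names and the sample config are constructed for illustration, and it assumes each server_name directive sits on a single line.

```shell
#!/usr/bin/env bash
# Added example: derive the certbot -d list from the server_name directives
# in an nginx config, so the certificate covers every configured hostname.

# Print each unique plain hostname found in server_name directives.
# Entries that are not plain hostnames (the "_" catch-all, wildcard names
# such as *.example.com, regex names starting with "~") are skipped.
list_server_names() {
    awk '
        { sub(/#.*/, "") }                      # drop trailing comments
        $1 == "server_name" {
            for (i = 2; i <= NF; i++) {
                name = $i
                sub(/;.*/, "", name)            # strip the closing semicolon
                if (name !~ /^[A-Za-z0-9.-]+$/) continue
                if (!seen[name]++) print name   # de-duplicate across blocks
            }
        }
    ' "$1"
}

# Build the certbot command line for the names found in the config.
certbot_cmd_from_conf() {
    local names n args=""
    names=$(list_server_names "$1")
    if [ -z "$names" ]; then
        echo "no usable server_name entries in $1" >&2
        return 1
    fi
    for n in $names; do
        args="$args -d $n"
    done
    echo "sudo certbot --nginx$args"
}

# Constructed sample config (hypothetical, not from a real server).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
server {
    listen 443 ssl;
    server_name domain1.com domain2.com sub.domain3.com;  # customer CNAMEs
}
server {
    listen 80;
    server_name domain1.com _ *.domain4.com;
}
EOF
certbot_cmd_from_conf "$sample_conf"
```

On a real server, call certbot_cmd_from_conf /etc/nginx/conf.d/https.conf and review the printed command before running it.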
