Here we detail the steps to install a free SSL certificate from Let's Encrypt using Certbot.
Note that the steps here are for a server running Nginx on the CentOS operating system, which is the case if you are using our deployment manager or setup scripts.
Steps to provision and install a certificate
Navigate to https://certbot.eff.org/
In the "I'm using" section, select your web server in the first tab and your OS in the second tab
If you selected Nginx and CentOS/RHEL 7, then on the next step you need to install their basic package, as below
Log in to your server using a terminal, i.e. SSH into your server as root
Run the command
sudo yum install certbot-nginx
In the terminal, open the file /etc/nginx/conf.d/https.conf with an editor (preferably the "vi" editor). The command to do this would simply be
vi /etc/nginx/conf.d/https.conf
Put the domain name that the certificate will be for in the server_name section of the file. Example:
server_name testing.funnelflux.com;
You will need to press i to switch to insert/edit mode first to make these changes.
Save the changes in /etc/nginx/conf.d/https.conf by hitting Esc or Ctrl+C (to exit insert/edit mode), then typing :wq and hitting Enter. This will save your changes permanently if done correctly.
After you get back to the SSH prompt, continue installing the certificate by running the command below (as also shown on the certbot page):
sudo certbot --nginx
Enter all needed details asked for by the certbot command (as from the previous steps) and your certificate should be installed
If everything was done correctly, you should have the SSL certificate installed. You can now test https://your-domain.com
Note: if you hate editing in terminals, you could use something like WinSCP and log in to your server. This is like FTP but via SSH. You could then find the above files and edit using notepad or similar. However, you will still need terminal access to execute commands for installation.
Renewing certificates (Important!)
Certificates expire after 90 days.
You can renew your certificate manually with the SSH command certbot renew
or create a cron job to do it automatically.
To create a cron job that runs every day, for example, open your crontab editor with the SSH command crontab -e
and enter the following line:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
Save the changes (much like earlier, hit Esc and type :wq).
Adding certificates for many domains (e.g. CNAMEs)
Many customers will use CNAMEs and will want these to use SSL as well.
Certbot is able to issue "SAN" certificates that can contain many domains.
See the following alterations for using many domains:
Edit the nginx https.conf as before but put a list of domains instead, e.g.
vi /etc/nginx/conf.d/https.conf
and then enter something such as:
server_name domain1.com domain2.com sub.domain3.com;
Install the certificates by specifying each domain:
sudo certbot --nginx -d domain1.com -d domain2.com -d sub.domain3.com
That should be all that is required to provide SSL certificates for multiple domains.
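A check you can run after the steps above, as an added example that is not part of the original guide: it lists any server_name entries in the nginx config that the installed certificate's SAN list does not cover, and prints the certbot command that would reissue for the full list. The function names and the certificate path in the last comment are assumptions; /etc/letsencrypt/live/ is certbot's default location.

```shell
# Added example (not from the original guide): report server_name entries in
# an nginx config that the installed certificate does not cover.

# Print every name from "server_name ...;" directives, one per line.
server_names() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == "server_name" {
            for (i = 2; i <= NF; i++) {
                last = ($i ~ /;$/)
                name = $i; sub(/;$/, "", name)
                if (name != "" && name != "_") print name
                if (last) break
            }
        }' "$1" | sort -u
}

# Print the DNS names in a certificate's Subject Alternative Name extension.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | sort -u
}

# uncovered NAMES SANS: print names with no exact or wildcard SAN match.
uncovered() {
    { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$1"; } | awk '
        $0 == "--" { names = 1; next }
        !names     { have[$0] = 1; next }
        $0 != "" {
            parent = $0; sub(/^[^.]+\./, "*.", parent)   # a.b.c -> *.b.c
            if (!($0 in have) && !(parent in have)) print
        }'
}

# check_coverage CONF CERT: exit status 1 if any name lacks a SAN.
check_coverage() {
    names=$(server_names "$1")
    missing=$(uncovered "$names" "$(cert_sans "$2")")
    if [ -z "$missing" ]; then
        echo "certificate covers every server_name"; return 0
    fi
    echo "not covered by $2:"; echo "$missing"
    echo "reissue with: sudo certbot --nginx$(echo "$names" | sed 's/^/ -d /' | tr -d '\n')"
    return 1
}

# Assumed certificate path (certbot's default layout; adjust the directory name):
# check_coverage /etc/nginx/conf.d/https.conf /etc/letsencrypt/live/domain1.com/fullchain.pem
```

A browser shows a certificate warning for any name served by nginx but missing from the certificate, so this is worth running whenever a CNAME is added to server_name.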