In this article we’ll see how to generate a free SSL certificate with Let’s Encrypt for your web server and for the web service APIs used by your Android and iPhone applications.
In this tutorial we will use Certbot on a Debian server to generate a multi-domain certificate.
1 – Install Lets Encrypt
First we need to install the tool that generates the certificates.
Run the following commands in a terminal:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto
2 – Generate the SSL certificate
Manual generation:
The best option is to specify the web root so that automatic renewal is possible, but in some cases you need to do it manually.
This command relies on a temporary local server to answer the validation challenge.
./certbot-auto certonly --manual
Enter your site name with and without « www. », for example:
“www.example.com example.com”
Then, in a new terminal, run the command that certbot prints in the console.
Automatic generation:
The automatic (webroot) method is the best choice because the certificate can then be renewed automatically.
./certbot-auto certonly --webroot -w /var/www/example-server/ -d example.com -d www.example.com -d api.example.com
3- Configuring Nginx
Using the generated certificates
A few steps to use the certificates generated in the directory « /etc/letsencrypt/live/example.com »:
cd /etc/letsencrypt/live/example.com
cp fullchain.pem key.crt
cp privkey.pem ssl.key
Configure the web server
Modify your nginx configuration file to enable SSL:
server {
    listen 443 ssl;
    server_name example.com;
    # fullchain.pem = site certificate + intermediate, so clients receive the full chain
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
4 – Configuring Apache
Using the generated certificates
A few steps to use the certificates generated in the directory « /etc/letsencrypt/live/example.com »:
cd /etc/letsencrypt/live/example.com
cp cert.pem key.crt
cp chain.pem ssl.ca
cp privkey.pem ssl.key
Configure the web server
Modify your Apache configuration file to enable SSL:
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    # The intermediate must be sent as well, otherwise Android rejects the chain.
    # SSLCACertificateFile is for client-certificate CAs, not for the server chain.
    # On Apache 2.4.8 or newer you can instead point SSLCertificateFile at fullchain.pem.
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
5 – Test the certificate:
It is now crucial to test that your certificate is correctly installed with the full chain,
because sometimes it doesn’t work on Android if the full certificate chain is not sent!
openssl s_client -connect nolimitdevelopment.com:443
Here is what a good certificate chain looks like in the openssl output:
---
Certificate chain
0 s:/CN=www.nolimitdevelopment.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
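To make this check repeatable (for example from the same cron job that renews), here is an added example script, not part of the original article: it reads openssl s_client output and fails when the intermediate is missing or when an issuer does not match the next certificate's subject. The two sample outputs are constructed test data, and check_server assumes the host listens on port 443.

```sh
# Added example: verify that a server sends a complete, correctly linked
# certificate chain. Reads "openssl s_client" output on stdin.

# Exit 0 if at least two certificates are sent (leaf + intermediate) and each
# issuer matches the subject of the next certificate; otherwise print why and exit 1.
check_chain() {
  awk '/^Certificate chain/ { inchain = 1; next }
       /^---/ { if (inchain) exit }
       inchain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; n++ }
       inchain && /^ *i:/ { sub(/^ *i:/, ""); iss[n - 1] = $0 }
       END {
         if (n < 2) { print "INCOMPLETE: only " (n + 0) " certificate(s) sent; intermediate missing"; exit 1 }
         for (k = 0; k < n - 1; k++)
           if (iss[k] != subj[k + 1]) { print "BROKEN: cert " k " issuer != cert " (k + 1) " subject"; exit 1 }
         print "OK: " n " certificates, chain is linked"
       }'
}

# Live check (needs network), e.g.: check_server www.example.com
check_server() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | check_chain
}

# Constructed sample of s_client output for a correct deployment (offline test data).
sample_good() {
  cat <<'EOF'
---
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
EOF
}

# Constructed sample where only the leaf is served (the typical Android failure).
sample_leaf_only() {
  cat <<'EOF'
---
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
EOF
}
```

Run `sample_good | check_chain` to see the offline result, or `check_server yourhost` against the live server after a reload.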
6 – Test automatic renewal
certbot-auto renew --dry-run
7 – Set up the cron renewal to run every day!
It is recommended to run the check once or twice per day (it won’t do anything until your certificates are due for renewal or revoked, but running it regularly gives your site a chance of staying online if a Let’s Encrypt-initiated revocation happens for some reason). Please select a random minute within the hour for your renewal task.
If you want to regenerate your certificate, you can do it automatically with the following command (adding a cron job):
$ crontab -e
# cron runs with a minimal PATH, so use the full path to certbot-auto
0 5 * * * certbot-auto renew --quiet --no-self-upgrade && sudo service nginx reload
Conclusion
You now know how to generate a free SSL certificate that works on your server and on Android and iPhone mobile devices.
If you have a 403 error on WordPress during renew
If you use Apache, just create a .htaccess file at /.well-known/.htaccess under your web root with the following content:
# Override overly protective .htaccess in webroot
RewriteEngine On
Satisfy Any