
In this article we'll see how to generate a free SSL/TLS certificate with Let's Encrypt for your web server and for the web service API used by your Android and iPhone applications.
In this tutorial we will use Certbot on a Debian server to generate a single multi-domain certificate, that is, one certificate that covers several host names.
1 – Install Let's Encrypt
First we need to install Certbot, the client that requests (and later renews) certificates from Let's Encrypt.
Run the following commands in a terminal:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto
The first run installs Certbot's dependencies. Note that the certbot-auto wrapper script has since been deprecated by the EFF; on current Debian releases the supported route is the distribution package (apt install certbot) or the snap, in which case every ./certbot-auto below is simply certbot.
2 – Generate the SSL certificate
Manual generation
The best option is to specify the webroot, because it allows automatic renewal, but in some cases (for example when the web server is not installed yet) you need to prove control of the domain by hand.
In manual mode Certbot does not place the challenge file itself: it tells you what to publish, and older versions print a one-liner that starts a temporary Python web server on port 80 to serve it:
./certbot-auto certonly --manual
Enter your site names with and without "www.", separated by spaces, for example:
www.example.com example.com
Then run the command indicated in the console in a new terminal, go back to the first one and press Enter so that Let's Encrypt can fetch the challenge from http://<name>/.well-known/acme-challenge/. Keep in mind that a certificate obtained this way is not renewed by certbot renew unless you also provide --manual-auth-hook, which is why the webroot method below is preferred.
Automatic generation
The webroot method is the best choice because certbot renew can later re-run the same validation unattended:
./certbot-auto certonly --webroot -w /var/www/example-server/ -d example.com -d www.example.com -d api.example.com
-w is the directory your web server serves for these names: Certbot writes a token under /var/www/example-server/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain HTTP on port 80, so every name given with -d must resolve to this server and be reachable on port 80. All the names end up in one certificate, and the first -d name (example.com) becomes the directory name under /etc/letsencrypt/live/.
3 – Configuring Nginx
Using generated certificates
Certbot places the certificate for the first -d name in /etc/letsencrypt/live/example.com/. The files in that directory are symbolic links to the latest version in /etc/letsencrypt/archive/, which is how a renewal takes effect without touching the web server configuration. Reference them directly and do not copy them elsewhere: a copy would silently go stale at the first renewal, and a copied key would also need its own permissions. The files are:
cert.pem: the server certificate only
chain.pem: the Let's Encrypt intermediate certificate
fullchain.pem: cert.pem followed by chain.pem, which is what Nginx expects in ssl_certificate
privkey.pem: the private key, readable by root only
Configure the web server
Modify your Nginx configuration file to enable SSL:
server {
    listen 443 ssl;
    # list every name in the certificate, otherwise requests for the other
    # hosts get the default server's certificate
    server_name example.com www.example.com api.example.com;
    # fullchain.pem includes the intermediate; cert.pem alone breaks Android
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
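The webroot method from step 2 only keeps working if every name in the certificate still answers on port 80 and serves files from the directory given to -w after the site has moved to HTTPS. The following port-80 server block is an added example and not part of the original article; it assumes the same names and webroot as above, serves only the ACME challenge directory over plain HTTP and redirects everything else to HTTPS:

```nginx
# Plain-HTTP listener: answers ACME challenges for renewal and redirects all
# other requests to HTTPS. Assumes the names and webroot used with certbot above.
server {
    listen 80;
    server_name example.com www.example.com api.example.com;

    # certbot --webroot -w /var/www/example-server/ writes the token to
    # /var/www/example-server/.well-known/acme-challenge/<token>, and
    # Let's Encrypt fetches http://<name>/.well-known/acme-challenge/<token>.
    # ^~ makes this prefix win over any regex locations (rewrites, PHP, ...).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/example-server;
        default_type "text/plain";
    }

    # Everything else goes to the HTTPS server block.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Check the syntax with nginx -t and reload; the dry run in step 6 then exercises exactly this path.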
4 – Configuring Apache
Using generated certificates
The same files from /etc/letsencrypt/live/example.com/ are used, again referenced in place rather than copied. Apache 2.4.8 and later accept fullchain.pem in SSLCertificateFile, so the intermediate certificate is sent to clients without a separate directive; on older versions use cert.pem in SSLCertificateFile and chain.pem in SSLCertificateChainFile. Do not use SSLCACertificateFile for the chain: that directive lists the CAs trusted for client certificate authentication and sends nothing to the browser, which leaves you with exactly the missing-chain failure on Android described in step 5.
Configure the web server
Modify your Apache configuration file to enable SSL:
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # your certificate followed by the Let's Encrypt intermediate (Apache 2.4.8+)
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
5 – Test the certificate
It is crucial to test that your certificate is installed with the full chain. Desktop browsers usually fetch a missing intermediate certificate by themselves, but Android (and many HTTP client libraries) do not: when the server sends only its own certificate, an Android app fails with "Trust anchor for certification path not found" even though the certificate is perfectly valid. Use openssl to see exactly what the server sends; -servername selects the right certificate when several sites share one IP address:
openssl s_client -connect nolimitdevelopment.com:443 -servername nolimitdevelopment.com </dev/null
Here is what a good certificate chain looks like in the openssl output: depth 0 is your own certificate, depth 1 is the Let's Encrypt intermediate, and the issuer (i:) of each entry matches the subject (s:) of the next. The issuer names shown date from when this article was written and change as Let's Encrypt rotates its intermediates and roots; the structure is what matters, not the names.
---
Certificate chain
0 s:/CN=www.nolimitdevelopment.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
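The check above is done by eye; the following script is an added example, not from the original article, that automates it. check_chain reads the output of openssl s_client on standard input, parses the Certificate chain block and verifies that each certificate's issuer is the subject of the next one and that at least one intermediate was sent. The three sample outputs are constructed for the example, not captured from a live server: the first mirrors the good chain shown above, the second is the leaf-only response that breaks Android, and the third has a mismatched intermediate (an R3-issued certificate served with the E1 intermediate).

```shell
#!/bin/sh
# check_chain: read `openssl s_client` output on stdin and verify that the
# "Certificate chain" block is complete: the issuer (i:) of each certificate
# must equal the subject (s:) of the next one, and at least one intermediate
# (depth 1) must be present. Names are compared verbatim, so both the old
# "/C=US/O=..." and the new "C = US, O = ..." formats work.
# Exit status: 0 = chain links up, 1 = missing or broken chain.
check_chain() {
    awk '
        /^Certificate chain/ { inchain = 1; next }
        inchain && /^---/ { inchain = 0; next }
        inchain && /^ *[0-9]+ s:/ {
            depth = $1; sub(/^ *[0-9]+ s:/, ""); subj[depth] = $0; next
        }
        inchain && /^ *i:/ {
            sub(/^ *i:/, ""); iss[depth] = $0; next
        }
        END {
            if (!(0 in subj)) { print "FAIL: no certificate chain in input"; exit 1 }
            d = 0
            while ((d + 1) in subj) {
                if (iss[d] != subj[d + 1]) {
                    print "FAIL: depth " d " issuer [" iss[d] "] != depth " (d + 1) " subject [" subj[d + 1] "]"
                    exit 1
                }
                d++
            }
            if (d == 0) {
                print "FAIL: only the leaf certificate was sent; intermediate missing (Android will reject it)"
                exit 1
            }
            print "OK: " (d + 1) " certificates, chain ends at issuer [" iss[d] "]"
        }'
}

# Live check (needs network), for example:
#   openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | check_chain

# Constructed sample outputs for demonstration (not captured from a real server).
good_chain() { cat <<'EOF'
---
Certificate chain
 0 s:/CN=www.nolimitdevelopment.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
EOF
}
leaf_only() { cat <<'EOF'
---
Certificate chain
 0 s:CN = api.example.com
   i:C = US, O = Let's Encrypt, CN = R3
---
EOF
}
broken_chain() { cat <<'EOF'
---
Certificate chain
 0 s:CN = api.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = E1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}

good_chain | check_chain            # OK: 2 certificates, chain ends at issuer [...]
leaf_only | check_chain || true     # FAIL: only the leaf certificate was sent; ...
broken_chain | check_chain || true  # FAIL: depth 0 issuer [...] != depth 1 subject [...]
```

Pipe the live openssl output into check_chain from a shell on a different machine than the server when possible, so the test also covers the firewall and DNS the mobile app will go through.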
6 – Test automatic renewal
./certbot-auto renew --dry-run
The dry run performs the whole renewal against the Let's Encrypt staging environment, so it exercises your webroot and port-80 configuration without issuing a real certificate or counting against the rate limits.
7 – Set up daily automatic renewal with cron
Certbot's own guidance is to run the renewal check once or twice per day; the renew command does nothing unless a certificate is within 30 days of expiry (or has been revoked), so the extra runs are cheap. Edit the root crontab, since Certbot must write to /etc/letsencrypt and into the webroot:
crontab -e
Add the following line, using the absolute path of the script (adjust it to wherever you placed certbot-auto) because cron runs with a minimal PATH:
0 5 * * * /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade --deploy-hook "systemctl reload nginx"
The --deploy-hook command runs only when a certificate was actually renewed, so Nginx is reloaded exactly when there is a new certificate to pick up, whereas the simpler && service nginx reload reloads Nginx on every run. If you installed the Debian certbot package instead of certbot-auto, it already ships a systemd timer (and /etc/cron.d/certbot) that runs certbot renew twice a day, so do not add a second job; put the reload command in a script under /etc/letsencrypt/renewal-hooks/deploy/ instead.
Conclusion
You now know how to obtain a free SSL/TLS certificate from Let's Encrypt, serve it with its full chain and renew it automatically, so that it is accepted by browsers as well as by Android and iPhone mobile applications.
Troubleshooting: 403 error on WordPress during renewal
If Let's Encrypt gets a 403 when fetching the challenge file from a WordPress site on Apache, a rewrite rule or access restriction in the site's main .htaccess is catching the request. Create a second .htaccess inside the challenge directory, at <webroot>/.well-known/.htaccess, with the following content. RewriteEngine On in a subdirectory starts a fresh rule set there, so the WordPress rewrite rules of the parent directory no longer apply to the challenge path, and Satisfy Any relaxes an access restriction such as a password-protected site:
# Override overly protective .htaccess in webroot
RewriteEngine On
Satisfy Any
On Apache 2.4 the Satisfy directive only works when mod_access_compat is loaded; the native 2.4 equivalent is Require all granted.