Using Certbot Manually for SSL certificates
Let’s Encrypt has become one of the most important organizations for building a secure Internet. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit as a service of the Internet Security Research Group (ISRG). It gives people the digital certificates they need to enable HTTPS (SSL/TLS) on their websites, at no cost. It is supported by the EFF, the Linux Foundation, Google, Facebook and other organizations. In February 2020 it issued its one billionth certificate.
The key principles behind Let’s Encrypt are (as stated on its website):
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. Each certificate is valid for 90 days.
- Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal. The best-known such client is certbot.
- Secure: Let’s Encrypt serves as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked are publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol (ACME) is published as an open standard that others can adopt.
Certbot is a free, open-source tool for obtaining and deploying Let’s Encrypt certificates on manually administered websites to enable HTTPS. It is written mostly in Python and maintained by the Electronic Frontier Foundation (EFF). Many shared and some cloud hosting providers integrate certbot or an equivalent ACME client into their hosting panel, so certificates can be obtained, renewed and managed with a few clicks.
In this article we will obtain an SSL certificate by running certbot in manual mode, which is a good way to understand what certbot actually does. I will be using Ubuntu, but any UNIX-like operating system works.
- Certbot is normally run directly on the web server, because that is where the certificate is installed. Manual mode with the DNS challenge used below does not need that, so you can run it on your PC and copy the resulting files to the server yourself.
- Certbot is a Python program; on Ubuntu/Debian the APT package pulls in the Python dependencies it needs.
- Run it as root (via sudo): certbot writes its configuration, account key and certificates under /etc/letsencrypt, which is owned by root.
For Ubuntu or Debian systems you can use APT to install certbot
sudo apt-get install certbot
After installation, run this (long) command. The wildcard is quoted so the shell cannot expand it as a file glob; the flags are written with two leading hyphens:
certbot certonly --manual -d '*.exampledomain.com' -d exampledomain.com --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --register-unsafely-without-email --rsa-key-size 4096
Breaking the command down:
- certbot: the certbot program
- certonly: obtain (or renew) a certificate but do not install it into any web server configuration; you deploy the files yourself
- --manual: use the manual authenticator plugin; certbot prints each challenge and waits for you to satisfy it by hand
- -d: a domain to include in the certificate (repeat it for each name); use your own domain and its wildcard instead of exampledomain.com
- --agree-tos: agree to the Let’s Encrypt subscriber agreement
- --manual-public-ip-logging-ok: acknowledge that Let’s Encrypt records the public IP address of the machine that requests the certificate; newer certbot releases no longer accept this flag, so drop it if your version rejects it
- --preferred-challenges dns-01: prove control of the domain with a DNS TXT record; dns-01 is the only challenge type that can issue a wildcard certificate
- --server: the ACME v2 directory URL of Let’s Encrypt (certbot’s default production endpoint, given explicitly here); wildcard certificates are only available through the v2 API
- --register-unsafely-without-email: create the ACME account without a contact address; in production supply an address with --email (or -m) so you receive expiry and revocation notices and can recover the account
- --rsa-key-size 4096: the RSA key length in bits (certbot’s default is 2048)
At this point certbot pauses and prints the DNS record it expects: the record name (_acme-challenge.exampledomain.com) and a TXT value to publish.
Log into your DNS manager and add a TXT record with exactly that name and value; do not alter the value in any way. Because the certificate covers two names (the apex and the wildcard), certbot asks for two TXT records one after the other, both under the same _acme-challenge name. Leave the first record in place when you add the second. Before pressing Enter, confirm with a DNS lookup tool (dig, for example) that the new records are visible from the public Internet; Let’s Encrypt queries your authoritative name servers, so a record that has not propagated yet fails the challenge.
After both records are verified, certbot obtains the certificate. The files are in /etc/letsencrypt/live/exampledomain.com/: fullchain.pem (your certificate followed by the intermediate chain, the file most servers want), privkey.pem (the private key, readable only by root; keep it that way when you copy it), plus cert.pem and chain.pem. These are symlinks into /etc/letsencrypt/archive/, where each issuance is kept. One caveat of manual mode: certbot has no way to update your DNS by itself, so certbot renew will not renew this certificate unattended. Either re-run the command before the 90-day validity ends, or provide a --manual-auth-hook script that publishes the TXT record through your DNS provider’s API.
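To see where the TXT value certbot prints comes from, and why it must not be altered, the following added example (not code from the article or from certbot) reproduces the dns-01 computation from RFC 8555: the account key’s JWK thumbprint (RFC 7638) is appended to the server’s token, and the TXT value is the base64url SHA-256 of that key authorization. The account key, the tokens and the kid value are constructed placeholders, not real key material; a real account key lives under /etc/letsencrypt/accounts/. It also shows why the apex name and the wildcard both land on the same _acme-challenge record name.

```python
import base64
import hashlib
import json
from typing import Dict, Tuple

# Constructed sample account key (public part only). These are NOT real
# values; they only stand in for the RSA public key of an ACME account.
SAMPLE_JWK: Dict[str, str] = {
    "kty": "RSA",
    "n": "CONSTRUCTED-modulus-not-a-real-key",
    "e": "AQAB",
    "kid": "example-account",  # extra member: must NOT affect the thumbprint
}

# Members that go into the thumbprint, per RFC 7638 section 3.2.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: Dict[str, str]) -> str:
    """Serialise only the required public members, sorted lexicographically,
    with no whitespace. Any deviation here changes the thumbprint and thus
    the TXT value the CA expects to find."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    subset = {k: jwk[k] for k in members}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 JWK thumbprint: base64url(SHA-256(canonical JSON))."""
    digest = hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest()
    return b64url(digest)


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account key.
    Binding the token to the account key is what stops someone else from
    reusing a TXT record they saw in your zone."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_record(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """Return (TXT record name, TXT value) for a dns-01 challenge.

    RFC 8555 section 8.4: the value is base64url(SHA-256(key authorization)),
    always 43 characters. A wildcard is validated at its base domain, so
    '*.example.com' and 'example.com' share '_acme-challenge.example.com'.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    name = "_acme-challenge." + base
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


if __name__ == "__main__":
    # Constructed tokens. The ACME server issues a fresh random token per
    # authorization: one for the apex name and one for the wildcard.
    challenges = {
        "exampledomain.com": "CONSTRUCTED_token_for_apex_name",
        "*.exampledomain.com": "CONSTRUCTED_token_for_wildcard",
    }
    for domain, token in challenges.items():
        name, value = dns01_record(domain, token, SAMPLE_JWK)
        print(f'{domain:22} -> {name} TXT "{value}"')
```

Running it prints two records with the same name and different values, which is exactly the pair certbot asks you to publish. Note the design point in canonical_jwk_json: the thumbprint covers only the required public members, so renaming the account (the kid) does not change your challenge values, while changing the account key does, which is why a certificate requested from a fresh certbot install needs fresh TXT records.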