Posted on

How to get FREE SSL certificate for any website?

get free ssl certificate

Get free SSL certificate for your website. Whether you are using shared hosting for your website or you have a VPS or dedicated server, it does not matter, you can get free SSL certificate for your website. On a shared hosting, you can ask your web hosting provider to install Let’s Encrypt in your control panel so that you can install unlimited free SSL certificates on any domain. If you are using an unmanaged VPS or a dedicated server, follow the procedure below to install Let’s Encrypt and get free SSL certificate for unlimited domains.

Getting started with Let’s Encrypt for Free SSL & TLS Certificates

Now it’s time to switch to HTTPS & secure your websites. Let’s Encrypt is an SSL certificate authority that provides free SSL certificates to enhance security. It provides a certificate for TLS encryption. Let’s Encrypt prevents you from hassles of creating manual creation, validation, signing, installation & renewal of SSL certificates and utilizes Automated Certificate Management Environment (ACME) to issue SSL automatically. Let’s Encrypt is managed by Internet Security Research Group (ISRG).

This tutorial will cover the following topics:

  1. How to install Let’s Encrypt ACME client?
  2. How to obtain Let’s Encrypt certificates?
  3. Checkup & Maintenance
  4. Technical details regarding Let’s Encrypt
Note: This tutorial is specific for Ubuntu / Debian and CentOS. Commands may vary depending upon the other distributions of Linux.
Important: The tutorial is written for non-sudo users ( non-root users ). To execute any command with root privileges, you must prefix command with ‘sudo’.

Prerequisites

Before proceeding, you must have a running server on Alibaba Cloud or any other VPS provider of your choice. If you don’t have you can Sign up to get free $300 in credit Alibaba Cloud. Create a new ECS server according to your required demands. If you already have ECS server on Alibaba cloud, you can use it. You can access ECS server via SSH from your Alibaba Cloud console, or you can use Putty to access your Alibaba Cloud server.

get free ssl certificate

 

Step 1: Update Server’s Software Packages

Before you begin to install Let’s Encrypt, you must update your server’s software packages by using the following commands:

CentOS

# sudo yum update && sudo yum upgrade

 

Ubuntu / Debian

# sudo apt-get update && sudo apt-get upgrade

 

get free ssl certificate

 

You will be asked to enter your password. Enter your password for the logged as user.

After entering passwords, you will be asked “Do you want to continue? [Y/n]”

Press ‘Y’ & then press enter key.

 

get free ssl certificate

Step 2: Install Git

In the second step, you will have to install Git on your server to begin installation of Let’s Encrypt from official GitHub repository. To install Git, use the following commands:

 

CentOS

# sudo yum install git

 

Ubuntu / Debian

# sudo apt-get install git

 

You will be asked to enter your password. Enter your password for the logged as user.

get free ssl certificate

After entering passwords, you will be asked “Do you want to continue? [Y/n]”

Press ‘Y’ & then press enter key.

get free ssl certificate

 

Step 3: Download & Install Let’s Encrypt

Get your clone of Let’s Encrypt from official GitHub repository and install it to

/opt/letsencrypt

Execute the following command to clone:

Ubuntu / Debian / CentOS

# sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

You will be asked to enter your password after executing the command. Enter your password for the logged as user.

get free ssl certificate

Navigate to new directory /op/letsencrypt using the commands below:

# cd /opt/letsencrypt

get free ssl certificate

Note: /opt is a commonly used installation directory for 3rd party packages, you can change if you can handle easily.

Step 4: Create SSL certificate

Certificate Authority (CA) will authenticate your domain based on challenges that Let’s Encrypt performs automatically for Domain Validation using a series of challenges. Once your Alibaba Cloud has been validated, you will be issued SSL certificate by Certificate Authority (CA).

Note: Each domain & its sub-domain will have its own separate certificate. Let’s Encrypt does not issue wildcard certificates.

To create SSL certificate for a single domain using Let’s Encrypt, use the following command:

# sudo -H ./letsencrypt-auto certonly --standalone -d myweb.com
Note: myweb.com will be replaced by your own domain.

To create SSL certificate for more than 1 website, you can add -d myweb.com to the end of command. See the following command:

# sudo -H ./letsencrypt-auto certonly --standalone -d myweb1.com -d myweb2.com

 

You will be asked to enter your password after executing the command. Enter your password for the logged as user.

get free ssl certificate

After executing the above command, you will be asked to enter email address. Put email address here, it will be used later in case to regain control of lost certificate & receive security notices urgently. Press “TAB” button to navigate to given options and press “Enter” to select operation.

 

get free ssl certificate

 

Agree to terms & conditions as shown below.

get free ssl certificate

If the process went great, you will see the message below. The appearance of this message tells that Let’s Encrypt has approved & issued certificates for your desired domains.

IMPORTANT NOTES:

- If you lose your account credentials, you can recover them through

  e-mails sent to [email protected]

- Congratulations! Your certificate and chain have been saved at

  /etc/letsencrypt/live/myweb.com/fullchain.pem. Your

  cert will expire on 2018-02-28. To obtain a new version of the

  certificate in the future, simply run Let's Encrypt again.

- Your account credentials have been saved in your Let's Encrypt

  configuration directory at /etc/letsencrypt. You should make a

  secure backup of this folder now. This configuration directory will

  also contain certificates and private keys obtained by Let's

  Encrypt, so making regular backups of this folder is ideal.

- If you like Let's Encrypt, please consider supporting our work by:



  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

  Donating to EFF:                    https://eff.org/donate-le

 

Structure of Let’s Encrypt Directory

  1. List the files in /etc/letsencrypt/live directory by using the following command:

 

# sudo ls /etc/letsencrypt/live

 

  1. Each domain for which you created SSL certificate has its own directory. List these domain name directories using the following command:
# sudo ls /etc/letsencrypt/live/myweb.com

 

After execution of the above command, you will see output:

 

cert.pem

chain.pem

fullchain.pem

privkey.pem


Each output file has different purpose:

  1. pem: shows server certificate only
  2. pem: shows intermediate & root certificates only
  3. pem: shows combination of root, server and intermediate certificates
  4. pem: It is a private key. It must not be shared with anyone.

Identrust cross-signs the certificates and ensures compatibility between different browsers and certificate.

These files point to different file. These are their symbolic links to actual certificate files. Actual certificate files are located in /etc/letsencrypt/archive directory.

You can see the status of fullchain.pem by executing following command:

# sudo stat /etc/letsencrypt/live/myweb.com/fullchain.pem

Output will be:

File: ‘live/myweb.com/cert.pem’ -> ‘../../archive/myweb.com/cert1.pem’

 

Note: In case if you forget to renew your domain’s SSL certificate, Let’s Encrypt will remove directory from /etc/letsencrypt/live but it will be retained in /etc/letsencrypt/keys & /etc/letsencrypt/archive. 

Maintenance:

How to renew SSL certificates?

To renew SSL certificate issued using Let’s Encrypt, follow the steps below:

  1. Navigate to /opt/letsencrypt directory by executing the command below:
# cd /opt/letsencrypt

 

  1. Execute the following command to renew SSL:
#sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d mydomain1.com -d www.mydomain2.com

 

If the process went great, you will see a confirmation message as:

IMPORTANT NOTES:- Congratulations! Your certificate and chain have been saved at  /etc/letsencrypt/live/example.com/fullchain.pem. Your  cert will expire on 2018-02-28. To obtain a new version of the  certificate in the future, simply run Let's Encrypt again.- If you like Let's Encrypt, please consider supporting our work by:   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate  Donating to EFF:                    https://eff.org/donate-le

 

Note: Let’s Encrypt SSL expires in 3 months (90 days). So, you must renew it in within 90 days of issuance date.