Free SSL certificates with Let’s encrypt, step by step

Let’s encrypt is a Certificate Authority (CA) run by Internet Security Research Group (ISRG), and is sponsored by some of the biggest name in the web industry

You are probably here to create a certificate, not get a history lesson ! so Let me cut the chase, for those who want to know more, there is always wikipedia (Let’s encrypt on Wikipedia)

So let’s encrypt provides certificates for domain names, including wildcard certificates (Which I will get to by the end of this article), What we are going through here is the manual process, which serves to give you a taste of how things work, in practice, you are encouraged to use on of the automated methods for multiple reasons, one compelling such reason is that Let’s encrypt issues certificates valid for three months only ! You don’t want to have to cater to your certificate every three months do you ?

To simplify things, I will create a step by step video to demonstrate the creation process ! and post it here, but for now, I will simply take you through the steps, in this tutorial, all you need is SSH access to any server including one you have at home ! or even maybe a virtual machine running Linux inside your windows computer, anything goes, once you have a certificate, you can move it to your production server, this allows me to keep this as general as possible, and this is done using the –manual option, So without further ado, let me get to it

1- login to a linux server and install certbot, the tool that allows you to get certificates from let’s encrypt, On the official website, they promote the use of SNAP, here, I will skip snap and use Debian’s repository ! simpler and there is no need to get into snap

apt install certbot

Now that you have certbot, let us create a certificate for the domain example.com (replace it with your own)

certbot certonly --manual --preferred-challenges http

The –preferred-challenges directive allows you to specify what challenge (http or dns) you would like to perform, the manual plugin is basically the same as webroot plugin but not automated, which is a hassle to keep up to date as this form of issuance needs to be renewed manually every 3 months, (You can take extra steps to automate this) which i will describe later on another post to keep things tidy

Now, as soon as you enter the above, you will enter an interactive dialogue with the following steps

Note: If you want to create a wildcard certificate for your domain name, let’s encrypt allows the use of the * wildcard, but only supports DNS challenge, so the command must reflect that, So when asked for a domain, simply enter *.example.com (or -d ‘*.example.com’), should work normally

As soon as you are in, you will be asked

1- An email for notifications
2- Do you agree to the terms of service ?
3- Would you like to subscribe to the newsletter ?
4- enter your domain names (you should enter both example.com and www.example.com separated by either a comma or a space)
5-

Create a file containing just this data:

Pg1xJ.........-88

And make it available on your web server at this URL:

http://example.com/.well-known/acme-challenge/Pg1...........xuu_0

6- Now you need to create the 2 challenge files, one for exmaple.com and the other for WWW.example.com

Create a file containing just this data:

Ud4m81x..............zupbWEz-88

And make it available on your web server at this URL:

http://www.example.com/.well-known/acme-challenge/Ud4........550

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)

--------------------------


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your certificate will expire on 2023-03-11. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

At this stage, there are things you should remain aware of

1- DO NOT RENAME OR MOVE THE CERTIFICATES, they need to be in place for renewal if you decide to not automate and check on your certificates every 3 months.

2- Copy (Don’t move) them to the ssl directory, and add them to your config files, the only files you will need to include in your nginx or apache2 config are as follows

For apache 2, you need to use the following 2 lines, modify the path to the files to wherever you have placed them

      SSLCertificateFile /etc/apache2/ssl/example.com/fullchain.pem
      SSLCertificateKeyFile /etc/apache2/ssl/example.com/privkey.key

And for nginx

        ssl_certificate /etc/nginx/ssl/allspots.com/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/allspots.com/privkey.pem;

So, restart apache or nginx, and you should be able to see the certificate in action, so this is the simplest way to use let’s encrypt, in my next post, I will

Self signed wildcard security certificate for apache or nginx

This tutorial is done on a debian 11 system… it should work for wildcard (For all subdomains under a domain), but also for subdomains or the primary domain, obviously, all you need to do is replace the * which denotes wildcard with the subdomain of your choice, so *.qworqs.com is wildcard, yazeed.qworqs.com is a subdomain 😉 so let us get started

Let’s encrypt has certainly revolutionized the world of SSL certificates (By making them free), but when it comes to wildcard certificates, let’s encrypt will require more than just generating the certificate, it will require a system that automatically alters DNS at your registrar, and differs from registrar to registrar.

So while I am developing, and need a wildcard SSL, I can simply generate a self signed wildcard security certificate, and teach my browser to accept it, and that is that, so here is how to generate that certificate !

So let us get started, first let us create a public and private key in one go, and a folder to store them !

cd /etc/ssl
sudo mkdir qworqs.com
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/qworqs.com/wildcard-ss.key -out /etc/ssl/qworqs.com/wildcard-ss.crt

I will personally skip selecting a strong Diffie-Hellman group… this file though goes somewhere else in the nginx directory, and can be generated like the following, but again, I don’t need it atm.

sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096

Now you are done with creating everything you need, the next step is to install them into your nginx configuration

So all you need is to add the following 2 lines into your server section within the website config file 😉

    ssl_certificate /etc/ssl/qworqs.com/wildcard-ss.crt;
    ssl_certificate_key /etc/ssl/qworqs.com/wildcard-ss.key;

Now all you need is to restart nginx, and you should get a warning in your browser, I accept the warning, then make it permanent in firefox from the settings

Settings -> Privacy & Security -> Security -> Certificates -> View Certificates... -> Servers Then switch it from temporary to permanent

And that’s that

Creating a self signed security certificate

This post is very outdated, you might want to check a more recent version of it at (Self signed wildcard security certificate for apache or nginx), even though it says WILDCARD in the title, it clearly shows how to make one that is not a wildcard certificate

It may be true that tutorials teaching you how to create and install a self signed security certificvate are everywhere, this one here i put for my own purposes, because i use this one that i wrote as copy and paste instructions for speed. I added things to explain why we are doing everything

Here we will discuss installing a self signed certificate (Acting as your own certificate authorite) …

If you are not sure if what you need is a self signed certificate or a proper secure certificate signed by a certificate authority, you can see the difference here

In this tutorial, we will install a self signed certificate on a debian squeeze machine. Please keep in mind that 1 certificate can be installed per IP address. If you need to install more certificates for more hosts, please have a look here.

We are sssuming you have apache installed, other web servers have different installation instructions, but the generation procedure remains the same

The steps we will take are

A- get the system ready
B- Create a private key
C- Create a certificate signing request from the private key
D- Create a certificate from the certificate signinig request
E- Install the certificate and the private key
F- Decrypt the private key (Optional)

A- get the system ready

1- Install openssl

On my debian system, this is done with the following command, on other systems, the installer may be different

apt-get install openssl ssl-cert

2- Create a directory we can work in

mkdir /etc/apache2/ssl

B- Create a private key

Creating a private key is as simple as

1- Go to our working directory

cd /etc/apache2/ssl

2- To create a private key, Issue the command

openssl genrsa -des3 -out myprivate.key 4096

A password of your choice is requiered (You must enter it twice).

You will then have a private key in the file myprivate.key

This is the encryption key for your private key, and even though this is an encrypted private key file, this key should never be shared with anyone. Since if you do decrypt it in the optional step below, and if it is ever shared with anyone after it is decrypted, they can create a certificate just like the one we are creating and fool a visitor into thinking they are on the correct website (in case of a man in the middle attack for example).

C- Create a certificate signing request from the private key

The certificate signing request is the file we normally give to a certificate authority so that they can create a certificate for us, but in this case, we are the certificate authority (Self signed certificate), we will therefore create a Certificate Signing request and sign it ourselves

1- To create a file containing the Certificate signing request data, all we need to do is issue the following command

openssl req -new -key myprivate.key -out signingrequest.csr

You will now be asked for (Keep your eyes open for the common name since it is the most important)

* Your Pass Phrase, the one you chose for the private key (To create a request from a private key, we need the decrypt and read the private key)
* Country Code (US), State…, CITY, Organisation Name, Organisation Unit
* Common name, and this is the most important, this is either your domain or sub domain, if it is your domain, do not add WWW and enter example.com if it is a sub domain enter subd.example.com
* A Challenge password of your choice

* Enter anything into the optional company name.

We will now have 2 files in the directory, our private key (myprivate.key) and a certificate signing request (signingrequest.csr), we have 2 passwords, the private key’s encryption password and the signing request’s challenge password

D- Create a certificate from the certificate signinig request

openssl x509 -req -days 3650 -in signingrequest.csr -signkey myprivate.key -out mypublic.crt

Now, you will be asked the the Private Key’s pass phrase, the first password, Again to decrypt the private key so we can create a certificate.

We will now have 3 files in the directory, our private key (myprivate.key) and a certificate signing request (signingrequest.csr), and out certificate file (mypublic.crt)

E- Install the certificate and the private key

At this point, we have a public key (mypublic.crt), and a private key (myprivate.key), we can now install those on apache, and start using our certificate.

To install certificate on apache, we must

1- Enable mod ssl on apache, this is done with the command

a2enmod ssl

2- Make sure Apache is listening on the SSL port (443 by default)

On a debian system, you will need to verify the file ….

3- Fix the host’s config file to use the certificates

How this is done depends on how your system defines websites in apache, The easiest way to do this on a debian system is to copy the file mysite from the /etc/apache2/sites_available folder into a file called mysite_ssl (The mysite file could be called anything like polosite.com.cfg), then open the new file for editing, change the Virtual Host Line at the top to <VirtualHost *:443> (You may also change the 8 with your IP address) then scroll down to the end of the new file, and right before the end of the Virtual Host, add the following lines

<VirtualHost *:443>
...................
...................
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/mypublic.crt
SSLCertificateKeyFile /etc/apache2/ssl/myprivate.key
</VirtualHost>

4- Restart apache server

On a debian system, the apache server is restarted with the command

/etc/init.d/apache2 restart

IMPORTANT: Now, when you restart the apache server, you will be asked for the password you chose when you created your private key, the next step below will make apache not ask for a password, but will also create a risk if your unencrypted key should fall into a malicious user’s hands. Worth mentioning that most websites do decrypt the private key, then make sure it is in a directory only root user can access, again, by default your private key is encrypted, decrypting it means you need to take very good care of it.

F- Decrypt the private key (Optional)

openssl rsa -in myprivate.key -out myprivate.key.insecure
mv myprivate.key myprivate.key.secure
mv myprivate.key.insecure myprivate.key
  

Now, restarting Apache should not ask you for a password

G- Working with browsers

Firefox will allow you to add this certificate to it’s memory, whenever this certificate is presented for this hostname, Your modified Firefox will consider it a valid certificate

Common name example.com is already present in a current certificate

Four days of godaddy SSL hell (starfield technologies certificate)

So, i am not writing this to mock godaddy or godaddy resellers or support, this is just a problem that you need to understand before you call godaddy (or any of their resellers) simply to save time and not to have to wait for 4 days like i did

When i submit my security signing request (csr file) to godaddy or wild west domains, the error i get reads

Common name example.com is already present in a current certificate.

The reason to this is that someone (probably you or a previous owner) already issued a certificate for that domain from another account.

SOLUTION: Certificate, or even expired certificate must be REVOKED, cancelled is not good enough, the magic word is REVOKED, when the certificate expires, you can not revoke it, you must contact support and tell them that you need to revoke it by email.

So, i have not taken the time to organize the text below this line yet, if you are arguing about something in an effort to reduce your wait time, see below for whatever you need, but again, i did not refine any text below this line or organized it or even checked that it is correct.

———————————————————————-

UPDATE: Godaddy wrong again, when i get the time i will listen to the recorded conversation (because my phone auto records all conversations) and tell you exactly what you need to do to not rely on the faulty godaddy manuals, in short this is what happened (as i remember it is close to this)

So, here is what my conversations with godaddy comes down to, not accurately, but in short, what it comes down to (for my reference, the file is godaddy ssl Voice-0003.amr)

But as i start to get skeptical about this resolving itself in a few hours, i will call jet (the very helpful customer care representative) again and see if anything can be done.

Godaddy (Jet): After canceling the certificate, you need to wait for three days
Me: No, i am sure we have to revoke it, and since it is expired, i can not revoke it
Godaddy (Jet): No you are mistaken, after cancelling, we wait for three days then put in a new request
Me: Ok i will wait
I wait for 2 days, then call again as my website is down
Me: are you sure that within 3 days the system will do cleanup, if the job runs once every three days, 2 days increases the odds of what i was saying being right, can you please double check ? my website has been down for two days
Godaddy: no need to check, there is nothing we can do
And after 3 days of still no luck, i call again
Me: hi, i have waited for 3 days
Godaddy (denis): yes sir, for a certificate to get cleared from the system it needs to be revoked, i will have them send you an email so we can revoke it by email.
me: Seriously, that’s what i said 3 days ago
Godaddy (denis): I wonder why they did not do that on the first day
Me: thanx anyways