+2 votes
in Web & Google by (73.8k points)
I found that Let's Encrypt certificates are free, so I want to enable HTTPS on my website using Let's Encrypt certificates. How can I install a Let's Encrypt (letsencrypt) certificate on my virtual private server (VPS)?

1 Answer

+2 votes
by (71.8k points)
Best answer

If you want to enable a Let's Encrypt (letsencrypt) certificate with EFF's certbot, the steps are very simple and you can enable HTTPS in minutes. Remember that you need to renew the certificate every 90 days.

Here are the steps to enable HTTPS on your website with EFF's certbot that deploys Let's Encrypt certificates.

1. Go to the webpage https://certbot.eff.org/ and select your web server (Apache, Nginx, etc.) and OS (CentOS, Ubuntu, etc.). It will give you the steps you need to follow to install the package.

2. If you have CentOS7 and nginx on your server, you can follow the following steps (copied from https://certbot.eff.org/ ):

  • Install Certbot by running command: yum install certbot-nginx
  • If you want to install certificates for domain example.com and subdomain m.example.com, create a folder '.well-known' inside folder public_html and another folder 'acme-challenge' inside '.well-known'. Also, create these folders inside the directory that points to the subdomain. Make sure the permission of these folders is 755.
  • If you want certbot to update your nginx config file, run certbot --nginx; otherwise run certbot --nginx certonly and make the changes yourself. I prefer to make changes in the configuration files myself because I do not want certbot to mess up my config files.
  • You will be asked some basic questions after you run the command certbot --nginx certonly
    • Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):
    • Accept the TOS
    • Would you be willing to share your email address with the Electronic Frontier Foundation?
    • Which names would you like to activate HTTPS for? Select the numbers given on the terminal against each of your domains and hit ENTER.
  • If everything goes well, you will see the following messages on the terminal:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for m.example.com
http-01 challenge for ofrcdn.example.com
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem

3. Now you need to modify the configuration files present in folder /etc/nginx/conf.d. Change the port number from 80 to 443 on line 'listen yourserverip:80' and then add the following lines after 'listen yourserverip:443'

ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_prefer_server_ciphers on;

The configuration file should look like the following:

server {
    listen yourserverip:443;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_prefer_server_ciphers on;
    # ... the rest of your existing server block stays unchanged ...
}

4. Restart Nginx and Apache and you are all set.

5. To renew the certificate, run the command certbot renew

by (71.8k points)
I will update this answer once I have to renew the certificate in July.
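
A post-install check for the steps in the answer above, as an added example that is not part of the original answer or of certbot: it verifies the challenge folders and their 755 mode from step 2, and reports when the certificate is close to its 90-day expiry. The function names, the 30-day threshold and the RENEW_DAYS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original answer. All paths are passed as arguments.

# challenge_dir_ok WEBROOT
# Succeeds when WEBROOT/.well-known/acme-challenge exists and both folders
# have mode 755 (drwxr-xr-x), which the http-01 challenge setup above asks for.
challenge_dir_ok() {
    for cd_dir in "$1/.well-known" "$1/.well-known/acme-challenge"; do
        if [ ! -d "$cd_dir" ]; then
            echo "FAIL missing: $cd_dir"
            return 1
        fi
        # -L follows a symlinked folder so the mode of the real directory is read
        cd_perm=$(ls -ldL "$cd_dir" | cut -c1-10)
        if [ "$cd_perm" != "drwxr-xr-x" ]; then
            echo "FAIL mode $cd_perm (want drwxr-xr-x): $cd_dir"
            return 1
        fi
    done
    echo "OK   challenge folders under $1"
}

# cert_valid_for CERT DAYS
# Succeeds when the first certificate in CERT (the leaf in fullchain.pem) is
# still valid DAYS days from now; a failure means "certbot renew" is due.
cert_valid_for() {
    if [ ! -r "$1" ]; then
        echo "FAIL cannot read: $1"
        return 2
    fi
    if openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1; then
        echo "OK   $1 is valid for more than $2 days"
    else
        echo "FAIL $1 expires within $2 days (or is not a certificate)"
        return 1
    fi
}

# Usage: sh check-le.sh CERT WEBROOT [WEBROOT...]
# RENEW_DAYS (assumed default: 30) is the warning threshold chosen for this example.
main() {
    rc=0
    cert_valid_for "$1" "${RENEW_DAYS:-30}" || rc=1
    shift
    for root in "$@"; do
        challenge_dir_ok "$root" || rc=1
    done
    return "$rc"
}

[ "$#" -eq 0 ] || main "$@"
```

Pass /etc/letsencrypt/live/example.com/fullchain.pem as CERT, followed by the public_html folder of the main domain and of each subdomain; the exit status is non-zero if any check fails, so the script can also run from cron.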
