Get your SSL certificates for free - Let's Encrypt & Certbot


I own a domain, call it mydomain.com, registered with namecheap.com and without any SSL certificate. Long story short, I needed an SSL certificate for a personal project built on Azure Application Gateway.

It uses HTTPS, and I did not have an SSL certificate to play around with.

In this blog let us see how anyone who owns a valid domain and can modify its DNS records can get an SSL certificate for free using Let's Encrypt and Certbot.

You need,

  1. Windows Subsystem for Linux or any Linux machine terminal

  2. Access to your DNS hosting (To confirm your control over the domain)

Install certbot:

Open your terminal and run the command below to install the certbot tool (Debian/Ubuntu package shown):

sudo apt install certbot

Create a wildcard certificate using the DNS challenge (a wildcard can only be validated with dns-01) and enter your information:

sudo certbot certonly --manual --preferred-challenges dns -d "*.mydomain.com"

Once this step is completed, you will be prompted to enter details like email and to accept the terms.

sudo apt install certbot
sudo certbot certonly --manual --preferred-challenges dns -d "*.mydomain.com"

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): myemail@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:

lxNfg4eGnu2yxLI8t62uRXXXXXGlEV4

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

Once you enter the email and accept the terms, you will be presented with a DNS TXT record which you must add to your DNS hosting to verify that you own the domain.

Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:

lxNfg4eGnu2yxLI8t62jZmEbHa3CMCSkuRXXXXXGlEV4

Verify that your TXT record has propagated before pressing Enter, using a tool such as MXToolbox with the TXT lookup selected; the value it returns for _acme-challenge.mydomain.com must match the token certbot printed exactly.
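As an added example that is not part of the original post, the following POSIX shell functions do the same propagation check from the terminal: check_acme_txt asks a public resolver directly for _acme-challenge.<domain> with dig and only reports success when the exact token certbot printed is among the TXT values, so you do not press Enter on a stale, truncated or mistyped record. The function names, the default resolver 1.1.1.1 and the dig dependency are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check from the terminal that the
# _acme-challenge TXT record has propagated and carries the exact token certbot
# printed, before pressing Enter. Assumes dig (dnsutils / bind-utils) is installed.

# Pure check: is the expected token one of the observed TXT values?
# $2 is dig's +short output, one quoted value per line. The quotes are stripped
# before comparing; -x demands a whole-line match and -F treats the token as a
# literal string, so a stale or truncated record does not pass.
txt_has_token() {
  expected="$1"
  observed="$2"
  printf '%s\n' "$observed" | tr -d '"' | grep -qxF -- "$expected"
}

# Ask a public resolver directly (default 1.1.1.1, an assumption) rather than the
# local stub resolver, whose cache may still hold an old or empty answer.
check_acme_txt() {
  domain="$1"
  expected="$2"
  resolver="${3:-1.1.1.1}"
  observed="$(dig +short @"$resolver" TXT "_acme-challenge.$domain")"
  if txt_has_token "$expected" "$observed"; then
    echo "OK: _acme-challenge.$domain serves the expected token at $resolver"
    return 0
  fi
  echo "NOT YET: $resolver returned: ${observed:-<no TXT record>}" >&2
  return 1
}

# Usage (not run here): poll until the record is visible, then continue certbot.
#   until check_acme_txt mydomain.com lxNfg4eGnu2yxLI8t62jZmEbHa3CMCSkuRXXXXXGlEV4; do sleep 30; done
```

Querying a named public resolver matters because a record you added a minute ago is often already visible there while your machine's own resolver still returns the cached negative answer; Let's Encrypt validates from its own vantage points, not from your laptop.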

Once this is done, proceed with the prompts on the terminal and you will receive the good news.


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.com/privkey.pem
   Your cert will expire on 2023-09-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

All of the files are saved under /etc/letsencrypt/live/mydomain.com:
1. README (explains the files below)
2. cert.pem (your certificate only)
3. chain.pem (the Let's Encrypt intermediate certificate(s))
4. fullchain.pem (cert.pem followed by chain.pem; what most web servers expect)
5. privkey.pem (your private key; keep it readable only by root)

Now that we have our certificate ready, let us create a pfx (PKCS#12) file, which is what my Azure Application Gateway requires, using the OpenSSL tool.

openssl pkcs12 -export -out mydomain.pfx -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem -in /etc/letsencrypt/live/mydomain.com/cert.pem

-export writes a PKCS#12 (.pfx) bundle, and -out names the output file
-inkey is the private key, privkey.pem in my case
-in is the certificate, cert.pem (on its own it carries no intermediate; add chain.pem with -certfile if whatever consumes the pfx needs the whole chain)

Once you run the above command you have to enter the export password twice for the pfx file.

That's it. You have your own valid SSL certificate. Note that this certificate is valid for 90 days only, and you can renew it using the same certbot tool.
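As an added example, not from the original post, here is the pfx export from the previous step as a non-interactive POSIX shell function, together with two checks a practitioner would want before uploading or relying on the bundle: how many certificates the PFX actually contains, and whether the 90-day certificate is close enough to expiry to need renewal. It requires only the openssl CLI; the function names, the constructed self-signed stand-in for the live directory and the sample password are my assumptions. One renewal caveat worth knowing: a certificate obtained with --manual and no --manual-auth-hook cannot be renewed unattended by "certbot renew", so a check like needs_renewal is what tells you when to repeat the manual DNS challenge.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive PFX export of a
# certbot-issued certificate plus two sanity checks. Assumes the openssl CLI.

# Bundle key + leaf certificate into a PKCS#12 (.pfx) file.
# Compared with the post's command this also passes chain.pem via -certfile so
# the intermediate certificate travels with the leaf, and it takes the export
# password from an argument instead of prompting for it twice.
make_pfx() {
  live="$1"; out="$2"; password="$3"
  openssl pkcs12 -export \
    -inkey "$live/privkey.pem" \
    -in "$live/cert.pem" \
    -certfile "$live/chain.pem" \
    -passout "pass:$password" \
    -out "$out"
}

# Count the certificates stored in a PFX (expect leaf + chain, i.e. 2 or more).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -nodes 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Return 0 (true) when the certificate expires within the given number of days.
# "openssl x509 -checkend N" exits 0 only if the cert is still valid N seconds
# from now, so its failure is exactly the "renew soon" condition.
needs_renewal() {
  cert="$1"; days="$2"
  if openssl x509 -noout -in "$cert" -checkend "$(( $days * 86400 ))" >/dev/null; then
    return 1
  fi
  return 0
}

# Constructed stand-in for /etc/letsencrypt/live/mydomain.com: a self-signed
# 90-day leaf for *.mydomain.com and a second self-signed cert playing the
# intermediate, so the functions above can be exercised without Let's Encrypt.
make_constructed_live_dir() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj '/CN=*.mydomain.com' \
    -keyout "$dir/privkey.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj '/CN=Constructed Test Intermediate' \
    -keyout "$dir/ca.key" -out "$dir/chain.pem" 2>/dev/null
  cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}

# Usage with a real certbot directory (run as root, since privkey.pem is 0600):
#   make_pfx /etc/letsencrypt/live/mydomain.com mydomain.pfx 'export-password'
#   needs_renewal /etc/letsencrypt/live/mydomain.com/cert.pem 30 && echo "renew now"
```

Passing the password with -passout keeps the export scriptable; if the script is going into a cron job or CI pipeline, take the password from an environment variable or a root-only file rather than hard-coding it, and treat the resulting .pfx with the same care as privkey.pem, because it contains the private key.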