Getting SSL certificate with "Let's encrypt"
“Let’s encrypt” is an automated certification center providing SSL certificates.
To get a certificate for a domain, a requester should prove that he owns that domain. Confirmation works as follows: a certbot application is installed on a domain’s website’s server. This application downloads a certain file (check file) from the Let’s encrypt’s server. Bot application creates a .well-known directory inside the web server’s directory and puts the check file inside it.
At the second stage of the confirmation process, Let’s encrypt downloads the check file from the domain of the server it’s checking. If the file is available, Let’s encrypt compares its name and contents with its own check file. If it’s OK, Let’s encrypt sends 3 SSL certificates and a file which includes a private key. Refer to this page for details.
To finish certificate configuring, access the management console of your site’s server and install certbot app. For installation guide refer to the official web site.
Select your web server and OS your site is running on. There are special plugins for Apache and Nginx exist which enable to perform installation in interactive mode. We were not able to get certificates using the plugins that’s why we recommend to employ webroot method. Refer to this online guide for details.
For the purpose of this guide we’ve installed Apache server on Azure virtual machine. The Apache includes virtual host for certbot to place the check file. Then we used the following command:
sudo certbot certonly --webroot -w /etc/httpd/www -d ineedcertfromletsencrypt.tk
to request and get SSL certificates for ineedcertfromletsencrypt.tk domain. It is a free domain registered for the purpose of this instruction. /etc/httpd/www in the command’s line is a path to the virtual host directory.
Regardless of what web server you’re using for your domain, there are some important conditions for getting the certificates.
- The web server should listen to the ports 80 and 443
- Access to the host contents should be open. It is requires to access with the URL of the following format: http://domainname.com/.wellknown/checkfile where domainname is the name of domain you need to receive a certificate for, and checkfile is a name of testing file.
- Certbot should be authorized for writing reading in the
/.well-knownfolder and for creating subdirectories within the folder (.well-known to be exact).
If you’ve fulfilled all the conditions and the certification process ended successfully, you will find your certificates inside the /etc/letsencrypt/archive/
Important note: you might fail when trying to get a certificate for subdomain because Let’s encrypt works with the top level domain only. Thus we tried to get a certificate for letsencrypt.westus.cloudapp.azure.com domain but Let’s encrypt replied that we’ve exceeded the certificates limit for azure.com domain. That’s why we’ve registered a free domain ineedcertfromletsencrypt.tk ansd made a redirect to letsencrypt.westus.cloudapp.azure.com.