There are multiple ways to get an SSL certificate for your website. The most common one for non-technical people is buying one from the hosting provider where the website is running. Buying a certificate is not needed when your hosting provider lets you import a certificate from the certificate files.
SSL certificate using a web interface
NOTE: This option is mostly free for a couple of months, or for 1 request.
Example providers where you can get one are: letsencrypt, sslforfree and zerossl.
SSL certificate using certbot (preferred)
Certbot is a cool tool which you can use to request a free SSL certificate. The certificates are issued by Let’s Encrypt, the certificate authority run by the “Internet Security Research Group”.
How to install certbot?
This tutorial is tested on Ubuntu 22.04.
The recommended way of installing certbot is with snapd. Install snapd and certbot with the following commands:
```bash
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
```
It’s recommended to add certbot to your path, so you can run the command from every folder.
```bash
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```
Certbot command options
Useful table with all the certbot options, with some examples below.
Plugin | Auth | Inst | Notes | Challenge types (and port) |
---|---|---|---|---|
apache | Y | Y | Automates obtaining and installing a certificate with Apache. | http-01 (80) |
nginx | Y | Y | Automates obtaining and installing a certificate with Nginx. | http-01 (80) |
webroot | Y | N | Obtains a certificate by writing to the webroot directory of an already running webserver. | http-01 (80) |
standalone | Y | N | Uses a “standalone” webserver to obtain a certificate. Requires port 80 to be available. This is useful on systems with no webserver, or when direct integration with the local webserver is not supported or not desired. | http-01 (80) |
DNS plugins | Y | N | This category of plugins automates obtaining a certificate by modifying DNS records to prove you have control over a domain. Doing domain validation in this way is the only way to obtain wildcard certificates from Let’s Encrypt. | dns-01 (53) |
manual | Y | N | Obtain a certificate by manually following instructions to perform domain validation yourself. Certificates created this way do not support autorenewal. Autorenewal may be enabled by providing an authentication hook script to automate the domain validation steps. | http-01 (80) or dns-01 (53) |
Use Certbot to get a free SSL stand-alone certificate
If you want a certificate for a website that runs at a hosting provider, you can request a stand-alone certificate, and even a wildcard certificate.
Use this command to get a stand-alone wildcard certificate. For a wildcard certificate you need to be able to add DNS records on your hosting provider's DNS server for the ACME challenge:
```bash
# The wildcard name is quoted so the shell does not expand the * as a glob.
sudo certbot certonly --manual -d '*.robvit.com' -d robvit.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
```
Add the TXT records that certbot shows next to your hosting provider’s DNS configuration. Change the TTL to the lowest possible value, so the records go through fast.
Wait 5 minutes, to make sure the records are updated.
Press Enter again to see the path to your new certificates.
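Instead of relying on a fixed wait, you can check that every authoritative nameserver already serves the TXT value before you press Enter. The script below is an added example, not part of the original tutorial; it assumes `dig` is installed, and the function names and the `DIG` override variable are chosen for this example.

```sh
#!/bin/sh
# Added example (not from the original page): check that the DNS-01 TXT
# records are live before pressing Enter in certbot's --manual prompt.
DIG="${DIG:-dig}"   # assumption: dig (dnsutils) is installed

# Record name certbot asks for. The "*." of a wildcard is dropped, so
# *.robvit.com and robvit.com both validate at _acme-challenge.robvit.com
# and that name must carry two TXT values at the same time.
challenge_name() {
  local domain
  domain=${1#\*.}
  printf '_acme-challenge.%s\n' "${domain%.}"
}

# Reads `dig +short TXT` output on stdin (one double-quoted value per line)
# and succeeds only if one record equals the expected value exactly.
txt_contains() {
  local want="$1" line
  while IFS= read -r line; do
    line="${line#\"}"; line="${line%\"}"
    if [ "$line" = "$want" ]; then return 0; fi
  done
  return 1
}

# Asks every authoritative nameserver of the zone directly, bypassing
# resolver caches. Fails if any server lacks the value or none is found.
# Usage: check_propagated robvit.com '*.robvit.com' 'value-from-certbot'
check_propagated() {
  local zone="$1" name ns seen=0
  name="$(challenge_name "$2")"
  for ns in $($DIG +short NS "$zone"); do
    seen=$((seen + 1))
    if ! $DIG +short TXT "$name" "@$ns" | txt_contains "$3"; then
      echo "not yet on $ns: $name" >&2
      return 1
    fi
  done
  [ "$seen" -gt 0 ]
}
```

Source the file and run `check_propagated` once per TXT value that certbot printed; continue in certbot only when both calls succeed.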
Get all your certificate data with the following commands (privkey.pem is the private key, so keep its contents secret):
```bash
sudo cat /etc/letsencrypt/live/robvit.com/privkey.pem
sudo cat /etc/letsencrypt/live/robvit.com/fullchain.pem
sudo cat /etc/letsencrypt/live/robvit.com/chain.pem
sudo cat /etc/letsencrypt/live/robvit.com/cert.pem
```
Use certbot to get a free SSL certificate for your local web server
With certbot it is possible to generate certs for your local Apache or Nginx web server.
This is possible when you are using your own web server. Certbot will manage all the configuration for your local web server, including placing the certificates in the correct paths.
```bash
# Nginx
sudo certbot --nginx -d example.com -d www.example.com
# Apache
sudo certbot --apache -d example.com -d www.example.com
```
To check that auto-renewal works, run a dry run:
```bash
sudo certbot renew --dry-run
```