Using “Let’s Encrypt” Certificate Authority

Phylypo Tum
Jan 4, 2022


This tutorial is part of the series on server certificates to secure websites with HTTPS.

  1. First, we look at how to automate the creation of certificates from your company Certificate Authority (CA) on Windows OS.
  2. Then we look at how to use free issuer “Let’s Encrypt” to generate the certificate on Windows and Linux.
  3. Lastly, we will look into setting up a certificate on Kubernetes.

Let’s Encrypt issues free, domain-validated certificates through the Automatic Certificate Management Environment (ACME) protocol. An ACME client handles the whole life cycle: it proves control of the domain, requests the certificate, installs it, and renews it automatically. Because Let’s Encrypt certificates are valid for only 90 days, automated renewal is the part you must get right.

Using Let’s Encrypt for Windows IIS

The steps below show how to obtain certificates automatically without running your own Certificate Authority; instead we use Let’s Encrypt, which is free.

First, let’s see what the site looks like over HTTPS with an invalid certificate.

The first step is to create an HTTPS site binding with any existing certificate. Edit the site binding, temporarily choose an existing certificate (for example a self-signed one) so you can click OK, and save the binding.

Browsing the site in IE now shows a certificate warning, as in the screenshot below.

Here is the same warning when browsing with Chrome.

Now we will set up a process to obtain a certificate from Let’s Encrypt. I follow the instructions from the YouTube video in the reference below. Here are the steps:

  1. Download the win-acme client from: https://www.win-acme.com/
  2. Extract it into a permanent directory, since the client registers a scheduled task that runs it from that location. Run wacs.exe and choose the IIS site you want a certificate for.
  3. Then set up the site binding to listen on HTTPS with the new certificate.

You can look at the scheduled task in Task Scheduler to verify that the certificate will be renewed before it expires.

Now you should be able to see the secure website from the browser.

Using Let’s Encrypt for Linux

Whether you use Apache or Nginx on any flavor of Linux, certbot (the EFF’s ACME client for Let’s Encrypt) has instructions for setting it up. Go to https://certbot.eff.org/ and choose your web server and OS.

Here are the highlights for Nginx on Ubuntu.

1. Install certbot and its nginx plugin:

sudo apt install certbot python3-certbot-nginx

2. Run certbot with the nginx plugin:

sudo certbot --nginx

The command prompts for an email address (used for expiry notices), reads the server_name entries in your nginx config to work out which domains to put on the certificate, then obtains the certificate and writes it under /etc/letsencrypt/live/<domain>/.
Here is an example output:

It adds the SSL directives to the server block, similar to this:

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/ml.tovnah.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ml.tovnah.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

It will also ask if you want to redirect HTTP to HTTPS. I chose yes. The successful output should look like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://ml.tovnah.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I tried the test URL, and it went into detail on the certificate, protocol support, key exchange, and cipher strength. See the output report below.

Note that if the server still supports TLS 1.1 and 1.0, the protocol grade will be capped at B; those protocols should be disabled. With the nginx plugin the enabled versions come from the ssl_protocols line in /etc/letsencrypt/options-ssl-nginx.conf (included by the config above), so if you get a B, check that the line lists only TLSv1.2 and TLSv1.3 and reload nginx.

The next step is to test renewal with a dry run to ensure the process works:

sudo certbot renew --dry-run

You should see the “Congratulations, all renewals succeeded” message.

Lastly, confirm that something keeps checking for certificates nearing expiry and renews them as needed. On Ubuntu the certbot package installs a systemd timer rather than a cron job. In my case, I can see it with this command:

systemctl list-timers

You should see an entry for certbot.timer.

NEXT                        LEFT     LAST PASSED UNIT
Tue 2022-01-04 11:40:29 UTC 17h left n/a  n/a    certbot.timer
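As an added example (not from the original post and not certbot’s or nginx’s own code), here is a small POSIX shell script that performs the three post-issuance checks described above on a certbot-managed nginx host: whether the ssl_protocols directive still enables SSLv3/TLS 1.0/1.1, whether a certificate is already inside certbot’s 30-day renewal window (which on a live host means renewal is not happening), and whether certbot.timer appears in systemctl list-timers output. The config snippets, the self-signed stand-in certificates and the timer listing are constructed inline so the script runs offline; on a real host, point the functions at /etc/letsencrypt/options-ssl-nginx.conf, /etc/letsencrypt/live/<domain>/fullchain.pem and the live output of systemctl list-timers.

```shell
#!/bin/sh
# Post-issuance checks for a certbot-managed nginx host. Added example for this
# post, not certbot's or nginx's own code. It assumes certbot's default layout
# (/etc/letsencrypt/live/<domain>/fullchain.pem, options-ssl-nginx.conf) and
# certbot's default 30-day renewal window; all inputs below are constructed.
set -eu

# True (exit 0) if an ssl_protocols directive still enables SSLv2/3 or TLS 1.0/1.1.
# SSL Labs caps the protocol grade at B while TLS 1.0 or 1.1 is on. TLSv1 is
# matched only as a whole token, so TLSv1.2 and TLSv1.3 do not trip the check.
has_weak_tls_protocols() {
    grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" \
        | grep -qE 'SSLv[23]|TLSv1([[:space:];]|$)|TLSv1\.1'
}

# True if the certificate in $1 expires within $2 days (default 30). certbot
# renews at 30 days out, so a live cert that trips this means renewal is broken.
# openssl -checkend exits non-zero when the cert will have expired by then.
cert_needs_renewal() {
    days=${2:-30}
    ! openssl x509 -in "$1" -noout -checkend $((days * 86400))
}

# True if certbot.timer appears in the `systemctl list-timers` output passed
# as $1 (passed as text so saved output can be checked too).
renewal_timer_present() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])certbot\.timer([[:space:]]|$)'
}

# --- Constructed inputs standing in for the real files ---
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# An options-ssl-nginx.conf that still allows legacy protocols, beside the
# corrected directive.
printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_prefer_server_ciphers off;\n' \
    > "$WORKDIR/weak.conf"
printf 'ssl_protocols TLSv1.2 TLSv1.3;\nssl_prefer_server_ciphers off;\n' \
    > "$WORKDIR/good.conf"

# Self-signed stand-ins for fullchain.pem: a fresh 90-day Let's Encrypt-style
# cert and one with only 10 days left (renewal overdue). The CN is the
# domain used in the post; the certs are generated locally, not issued.
make_cert() {  # $1: output path, $2: validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/key.pem" \
        -out "$1" -days "$2" -subj "/CN=ml.tovnah.com" 2>/dev/null
}
make_cert "$WORKDIR/fresh.pem" 90
make_cert "$WORKDIR/short.pem" 10

# Sample `systemctl list-timers` output; on a real host use
#   renewal_timer_present "$(systemctl list-timers --all)"
TIMERS_SAMPLE='NEXT                        LEFT     LAST PASSED UNIT
Tue 2022-01-04 11:40:29 UTC 17h left n/a  n/a    certbot.timer'

# --- Report ---
for conf in weak good; do
    if has_weak_tls_protocols "$WORKDIR/$conf.conf"; then
        echo "$conf.conf: legacy TLS enabled, restrict ssl_protocols to TLSv1.2 TLSv1.3"
    else
        echo "$conf.conf: TLS 1.2+ only"
    fi
done
for cert in fresh short; do
    if cert_needs_renewal "$WORKDIR/$cert.pem"; then
        echo "$cert.pem: expires within 30 days, renewal overdue"
    else
        echo "$cert.pem: more than 30 days left"
    fi
done
if renewal_timer_present "$TIMERS_SAMPLE"; then
    echo "certbot.timer present"
else
    echo "certbot.timer missing: schedule 'certbot renew' via a timer or cron entry"
fi
```

cert_needs_renewal relies on openssl x509 -checkend instead of parsing the notAfter date, which keeps it portable between GNU and BSD userlands; pass a larger second argument if your alerting threshold is wider than certbot’s own 30 days.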

Next, we will look into setting up a certificate on Kubernetes.

Related Notes and References

How to Install Lets Encrypt Certificates on IIS with Autorenew: https://www.youtube.com/watch?v=vbk5kUT7GeY
