How to Generate Free SSL by Let’s Encrypt

I attempted to use Certbot by Let’s Encrypt for free SSL certificate for my subdomain using a Docker container but it was never successful, so I left it alone for a while. The DNS service that I use provides SSL certs but it charges me extra for subdomain. There are other services such as SSL for Free but they either limit the number of certificates or they charge for subdomains or they want me to pay like $10 per month for wildcard certificate. That’s pretty steep considering the host is being used only privately. The alternative is to create your own private CA authority and issue SSL cert and have the root CA cert on the machines that you use the hosts.

But this morning, I figured out a way to generate the free SSL cert for my subdomain using Certbot. I will write about what worked for me.

I followed this instruction to install snapd on Ubuntu.

First, remove certbot if installed by apt.

sudo apt-get remove certbot

Install Certbot.

sudo snap install --classic certbot

Prepare the Certbot command.

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Now prepare your NGINX server to accept HTTP traffic for acme challenge.

Edit nginx.conf to accept HTTP (port 80).

   server {
      location / {
          root   /var/www/html;
          index  index.html index.htm;
      }
      listen       80 default_server;
      listen       [::]:80 default_server;
      server_name  _;

If you have the HTTP redirect to HTTPS, comment the line out.

# return 301 https://jenkins.hayato-iriumi.net$request_uri;

Now back to Certbot, execute the following command to start to issue your ssl cert.

sudo certbot certonly -a manual --rsa-key-size 4096 --email hiriumi@gmail.com -d jenkins.hayato-iriumi.net

You will see an output like the following.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jenkins.hayato-iriumi.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

s8wH1u2z00ePejV4hyy4y3CTyW3pYvrFgxwxwsPVdd8.O3THIaz5tgLf8NuxfBYw8FZfrdQNf_Y_1U--J0PsgqQ

And make it available on your web server at this URL:

http://jenkins.hayato-iriumi.net/.well-known/acme-challenge/s8wH1u2z00ePejV4hyy4y3CTyW3pYvrFgxwxwsPVdd8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Now you should create the file with the data specified in the output. Once you have that hit Enter to get the cert generated.

Lastly, when the cert generation is successful, you will see the output like the following.

Now switch to the root user by executing…

sudo -i

The cert files are at /etc/letsencrypt/archive/jenkins.hayato-iriumi.net

Copy cert1.pem and privkey1.pem to the directory where you would like to store your SSL files. In my ssl.conf file, I have specified the cert files like the following.

server {
    server_name jenkins.hayato-iriumi.net;
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/ssl/cert1.pem;
    ssl_certificate_key /etc/nginx/conf.d/ssl/privkey1.pem;
    client_max_body_size 3000m;

Now unc0mment the line in ssl.conf to redirect HTTP to HTTPS traffic. Once you restart your NGINX, NGINX starts to service the traffic in SSL.

I’m sure there are ways to automate this and I am thinking of exploring the way to do it but it works well for now.

Author: admin

A software engineer in greater Seattle area

Leave a Reply

Your email address will not be published. Required fields are marked *