Nitin Garg

How to create a free certificate with Let's Encrypt

Securing your web applications and websites with valid SSL/TLS certificates is essential for protecting the privacy and integrity of user data. Let's Encrypt, a free and open certificate authority, provides an easy and automated way to obtain and manage SSL/TLS certificates. In this blog post, we will walk through the process of creating a domain-validated server certificate using Let's Encrypt and Certbot.

Step 1: Add an A Record
Before obtaining a certificate, you need a registered root domain (e.g., mydomain.com). Log in to the account at your DNS provider (usually your registrar) and create an A record for the application's hostname under your domain (e.g., myapp.mydomain.com), pointing at the public IP address of the server on which you will run Certbot.

Step 2: Install Certbot
Certbot is a popular Let's Encrypt client developed by the Electronic Frontier Foundation (EFF). It simplifies the process of obtaining and managing certificates. Install Certbot on your server with the following commands:

    sudo apt-get update
    sudo snap install core; sudo snap refresh core
    sudo snap install --classic certbot
    sudo ln -s /snap/bin/certbot /usr/bin/certbot
    sudo certbot --version

Step 3: Create Certificates
Certbot provides various methods for domain validation and certificate retrieval. We will use Certbot's standalone mode, which runs a built-in web server on port 80 to answer the validation challenge, so nothing else (such as your application or a reverse proxy) may be listening on that port while Certbot runs. Follow these steps to obtain your certificate:

  • Make sure port 80 is open in your firewall so that Let's Encrypt can reach the server to verify your domain:
    sudo ufw allow 80
  • Run the following Certbot command to obtain the certificate:
    sudo certbot certonly --standalone --preferred-challenges http -d [domain-name]

Replace [domain-name] with your domain name (e.g., myapp.mydomain.com).

Note: By default, Certbot places the current certificate and key files (as symlinks to the latest issued versions) under /etc/letsencrypt/live/[domain-name]/.

Step 4: Convert PEM to P12 Format
To use the certificate in environments or platforms that require the P12 (PKCS#12) format, you need to convert the certificate from PEM to P12. Use the following OpenSSL command:

    sudo openssl pkcs12 -export -out /path_to_store_p12_file/server.p12 -in /etc/letsencrypt/live/[domain-name]/fullchain.pem -inkey /etc/letsencrypt/live/[domain-name]/privkey.pem -passin pass: -passout pass:

Note that `-passout pass:` exports the bundle with an empty password, so the resulting server.p12 contains the unprotected private key; keep it owned by root (or the application's service account) with restrictive permissions, or supply a real export password if your platform supports one.

Step 5: Set Up Auto Renewal
Let's Encrypt certificates have a validity period of 90 days. To ensure uninterrupted service, set up a scheduled job that renews your certificates automatically. Follow these steps:

  • Delete the default Certbot cron job (the grep before and after shows what was there and confirms it is gone):
    grep certbot /etc/cron.*/*
    sudo rm -rf /etc/cron.d/certbot
    grep certbot /etc/cron.*/*
    sudo service cron reload
    sudo systemctl restart cron.service
  • Edit the Certbot renewal configuration file:
    sudo nano /etc/letsencrypt/renewal/[domain-name].conf
  • Update the file to add a renew_hook parameter that converts the renewed PEM files to P12, replaces the old bundle and restarts the application (modify it to suit your setup):
    [renewalparams]
    account = db23cbfd3bb32421da493553c16b78de
    pref_challs = http-01,
    authenticator = standalone
    server = https://acme-v02.api.letsencrypt.org/directory
    renew_hook = openssl pkcs12 -export -out /path_to_store_p12_file/server.p12 -in /etc/letsencrypt/live/[domain-name]/fullchain.pem -inkey /etc/letsencrypt/live/[domain-name]/privkey.pem -passin pass: -passout pass: && systemctl restart myapp
  • Create an override file for the Certbot timer:
    sudo systemctl edit snap.certbot.renew.timer
  • Add the following content to the new file, specifying the systemd calendar time at which Certbot should check whether the certificate is due for renewal (the empty OnCalendar= line clears the timer's default schedule before the new one is set):
    [Timer]
    OnCalendar=
    OnCalendar=Tue *-*-* 15:30
  • Restart the necessary services:
    sudo systemctl daemon-reload
    sudo systemctl restart snap.certbot.renew.timer
    sudo systemctl restart snap.certbot.renew.service
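As an added example (not code from the original post), here is the renew_hook from Step 5 written as a script instead of a one-liner: it reads a real export password from a root-only file rather than using the empty `pass:` from Step 4, verifies the new bundle before touching the one the application is using, and replaces it atomically. The paths /etc/myapp/server.p12 and /etc/myapp/p12.pass and the unit name myapp.service are assumptions; save the script as, for example, /usr/local/sbin/certbot-renew-hook.sh and set `renew_hook = /usr/local/sbin/certbot-renew-hook.sh` in the renewal configuration.

```shell
#!/bin/sh
# Hardened renew_hook for Certbot: rebuild the PKCS#12 bundle from the renewed
# lineage, verify it, swap it in atomically, then restart the application.
# Assumed names (not from the post): /etc/myapp/server.p12, /etc/myapp/p12.pass,
# myapp.service. Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to hooks.
set -eu

build_p12() {
    lineage="$1"    # e.g. /etc/letsencrypt/live/myapp.mydomain.com
    out="$2"        # destination .p12 path that the application loads
    pass_file="$3"  # root-only (0600) file whose first line is the export password

    umask 077       # nothing we create here is group- or world-readable while written
    tmp="$(mktemp "${out}.XXXXXX")"
    # The password comes from a file instead of the empty "pass:" used in the post,
    # so a copied bundle does not hand over the private key for free.
    openssl pkcs12 -export \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -out "$tmp" -passout "file:$pass_file"
    # Confirm the bundle opens with that password before replacing the live file.
    openssl pkcs12 -in "$tmp" -nokeys -passin "file:$pass_file" -out /dev/null
    chmod 0640 "$tmp"
    mv -f "$tmp" "$out"   # rename is atomic: the app never sees a half-written file
}

# Only act when Certbot invoked us (RENEWED_LINEAGE set); otherwise the
# functions above are merely defined, which makes the file safe to source.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_p12 "$RENEWED_LINEAGE" /etc/myapp/server.p12 /etc/myapp/p12.pass
    logger -t certbot-renew-hook "rebuilt /etc/myapp/server.p12 for ${RENEWED_DOMAINS:-unknown}"
    systemctl restart myapp.service
fi
```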

Conclusion:
By following these steps, you can easily create a domain-validated server certificate using Let's Encrypt and Certbot. The automated renewal process ensures that your certificates remain valid and up to date. Securing your web applications and websites has never been easier, thanks to Let's Encrypt's free and open certificate authority.

Remember to check the Certbot log files for any issues or errors, using the commands below:

    # For current logs
    sudo cat /var/log/letsencrypt/letsencrypt.log

    # For older logs
    sudo zcat /var/log/letsencrypt/letsencrypt.log.1.gz

Hope you like my very first post.

Happy securing!