Free certificates? Let’s encrypt!
How to use Let’s encrypt
First of all, make sure your system is reachable from the Internet. For instance, if your.domain is publicly reachable at X.X.X.X, configure your DNS accordingly or, if you do not have a DNS provider, register your host at coddns.
You need to install the certbot utility from Let’s Encrypt:
    # CentOS, Fedora
    # Enable EPEL repositories
    dnf install epel-release
    # Install certbot
    dnf install certbot

    # Debian, Ubuntu
    apt-get update && apt-get install certbot
After installing the certbot utility, run the following command to get your Let’s Encrypt certificate for your.domain:
    # To generate certificates only and place them
    # in /etc/letsencrypt/live/your.domain/, run:
    certbot certonly --standalone -d your.domain
This command will generate the following output:
    # certbot certonly --standalone -d coddns.org
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for your.domain
    Waiting for verification…
    Cleaning up challenges

    IMPORTANT NOTES:
    Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/your.domain/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/your.domain/privkey.pem
    Your cert will expire on 2020-04-20. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"
    If you like Certbot, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le
What am I seeing? At a lower level, Let’s Encrypt connects to our machine on port 80 and checks the content of a randomly generated file. If the connection is established and the content of the file matches what Let’s Encrypt expects, the host is validated and the certificates are generated.
So, now, you can use your new valid certificate to encrypt your favorite service, for instance, postfix.
Having your services protected under a valid certificate has never been so easy.