Get free certificates from "Let's Encrypt"
What is “Let’s Encrypt”?
Let’s Encrypt is a free, automated, and open Certificate Authority.
You can get a certificate (a type of file) from the Let’s Encrypt CA. However, in order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over that domain.
For details, refer to the Let’s Encrypt official website.
How to use “Let’s Encrypt”?
Let’s Encrypt offers several methods to get a certificate.
Here is an example of the method that uses the Let’s Encrypt client software (certbot) with the manual option.
What’s Required?
1. You need a domain. In this example, the domain is “example.brekeke.com”.
2. TCP port 80 must be reachable from the Internet.
3. A web server must be running on HTTP (TCP 80). In this example, you need to be able to place files under the directory that is served at “http://example.brekeke.com/”.
4. Install certbot. You can get it from https://certbot.eff.org/. In this example, certbot is installed into the “/usr/local/bin/” directory.
Steps
Step 1. Log in to the web server with SSH.
Step 2. Execute the following command to run the Certbot client with the manual option.
Syntax:
# sudo /usr/local/bin/certbot-auto certonly --manual -d [Domain] -m [mail address]
Example:
# sudo /usr/local/bin/certbot-auto certonly --manual -d example.brekeke.com -m mail@brekeke.com
Example with an ECDSA key:
# sudo /usr/local/bin/certbot-auto certonly --key-type ecdsa --manual -d example.brekeke.com -m mail@brekeke.com
A dialog with a TUI (Text User Interface) is displayed.
Step 3. When the message “Are you OK with your IP being logged?” is displayed in the dialog, select “yes”.
The file and the content that are needed for the authentication are then displayed, as in the following example.
Make sure your web server displays the following content at
http://example.brekeke.com/.well-known/acme-challenge/6BpLwE3bboPLg2XWIqDYA-ogAQMSaud9BTwMWrU92yw
before continuing:
6BpLwE3bboPLg2XWIqDYA-ogAQMSaud9BTwMWrU92yw.-nf-U8XW0o296xhGfELwQ2f3yCHBpwG-r6dCBelhPLs
* Do NOT press the Enter key yet, even though the “Press ENTER to continue” message is shown.
Step 4. Copy the displayed content and paste it into a file.
Then place the file on the web server at the path that corresponds to the displayed URL (the file name is the last part of the URL).
In this example:
URL: http://example.brekeke.com/.well-known/acme-challenge/6BpLwE3bboPLg2XWIqDYA-ogAQMSaud9BTwMWrU92yw
Content: 6BpLwE3bboPLg2XWIqDYA-ogAQMSaud9BTwMWrU92yw.-nf-U8XW0o296xhGfELwQ2f3yCHBpwG-r6dCBelhPLs
Step 5. Check that the file can be fetched from the Internet at the URL (http://example.brekeke.com/.well-known/acme-challenge/6BpLwE3bboPLg2XWIqDYA-ogAQMSaud9BTwMWrU92yw).
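As an added example (not code from this page or from certbot), the following Python script automates Steps 4 and 5: it parses the prompt certbot prints, checks that the content starts with the token from the URL (the ACME key authorization is “token.thumbprint”), writes the file under the web root, and fetches it back over HTTP to confirm that exactly the expected content is served. The sample message is constructed from the values on this page, and a localhost http.server in a temporary directory stands in for the real web server.

```python
import re, tempfile, threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import urlopen

# Constructed copy of the prompt certbot prints in --manual mode (values taken from this page).
CERTBOT_MESSAGE = """Make sure your web server displays the following content at
http://example.brekeke.com/.well-known/acme-challenge/6BpLwE3bboPLg2XWIqDYA-ogAQMSaud9BTwMWrU92yw before continuing: 6BpLwE3bboPLg2XWIqDYA-ogAQMSaud9BTwMWrU92yw.-nf-U8XW0o296xhGfELwQ2f3yCHBpwG-r6dCBelhPLs
"""

def parse_challenge(message):
    """Return (url, key_authorization) from certbot's manual-mode prompt."""
    m = re.search(r"(http://\S+/\.well-known/acme-challenge/(\S+)) before continuing:\s*(\S+)", message)
    if not m:
        raise ValueError("no HTTP-01 challenge found in message")
    url, token, content = m.groups()
    # ACME key authorization is "<token>.<account key thumbprint>": it must begin with the URL's token.
    if not content.startswith(token + "."):
        raise ValueError("challenge content does not begin with the URL token")
    return url, content

def write_challenge(webroot, url, content):
    """Step 4: write the content to <webroot>/.well-known/acme-challenge/<token>."""
    path = Path(webroot) / urlparse(url).path.lstrip("/")
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)

def verify_challenge(base_url, url, content):
    """Step 5: fetch the file over HTTP and compare it exactly with what certbot expects."""
    try:
        with urlopen(base_url + urlparse(url).path, timeout=5) as resp:
            return resp.status == 200 and resp.read().decode() == content
    except OSError:  # connection refused, timeout, or an HTTP error such as 404
        return False

def run_demo():
    """Stand in for the real web server with a localhost http.server on a free port."""
    url, content = parse_challenge(CERTBOT_MESSAGE)
    with tempfile.TemporaryDirectory() as webroot:
        server = ThreadingHTTPServer(("127.0.0.1", 0), partial(SimpleHTTPRequestHandler, directory=webroot))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        before = verify_challenge(base, url, content)  # nothing placed yet -> False
        write_challenge(webroot, url, content)
        after = verify_challenge(base, url, content)  # correct file -> True
        wrong = verify_challenge(base, url, content + "x")  # wrong content -> False
        server.shutdown()
    return {"before_write": before, "after_write": after, "wrong_content": wrong}
```

On a real server, call verify_challenge with the public base URL (http://example.brekeke.com) after placing the file; a False result means Let’s Encrypt’s validation in Step 6 would fail too.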
Step 6. Press the Enter key at the screen that shows the “Press ENTER to continue” message.
Let’s Encrypt then accesses the URL to perform the authentication.
Step 7. If the following message appears, the process of obtaining a certificate is complete.
Congratulations! ...
Step 8. The certificate files are stored under the “/etc/letsencrypt/live/[Domain]/” directory.
- Server certificate (contains the public key): cert.pem
- Intermediate certificate: chain.pem
- Server certificate and intermediate certificate combined: fullchain.pem
- Private key: privkey.pem
Step 9. Close TCP port 80 if you opened it only for the authentication procedure.
Example: Converting the certificate files to the keystore (JKS) format that is used by Tomcat. Run the two commands in order; replace “changeit” with your own keystore password.
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile chain.pem -out pkcs12.pfx -passout pass:changeit
keytool -importkeystore -srckeystore pkcs12.pfx -srcstoretype PKCS12 -srcstorepass changeit -destkeystore .keystore -deststoretype JKS -deststorepass changeit