24 08
How to install a ssl certificate
Your site is considered insecure, you need a certificate but you do not want to spend money
Let's Encrypt is a certification authority that automates the creation, validation, release and renewal of X.509 certificates for the TLS protocol for free. The Let's Encrypt client is free software. The list of certificates issued is public.
Install
Since it doesn't seem like your operating system has a packaged version of Certbot, you should use our certbot-auto script to get a copy:
wget https://dl.eff.org/certbot-auto chmod a+x certbot-auto
certbot-auto accepts the same flags as certbot; it installs all of its own dependencies and updates the client code automatically.
Certbot's DNS plugins which can be used to automate obtaining a wildcard certificate from Let's Encrypt's ACMEv2 server are not available for your OS yet. This should change soon but if you don't want to wait, you can use these plugins now by running Certbot in Docker instead of using the instructions on this page.
Get Started
Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates certificate installation.
$ sudo ./path/to/certbot-auto --apache
Running this command will get a certificate for you and have Certbot edit your Apache configuration automatically to serve it. If you're feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:
$ sudo ./path/to/certbot-auto --apache certonlyTo learn more about how to use Certbot read our documentation.
Automating renewal
Certbot can be configured to renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:
$ sudo ./path/to/certbot-auto renew --dry-runIf that appears to be working correctly, you can arrange for automatic renewal by adding a cron job or systemd timer which runs the following:
./path/to/certbot-auto renew
Note:
if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.
An example cron job might look like this, which will run at noon and midnight every day:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && ./path/to/certbot-auto renew
More detailed information and options about renewal can be found in the full documentation.