Published on August 15th, 2017 | by Manish Gehlot0
How to obtain a secure Let’s Encrypt signed TLS certificate for your domain name or multiple host names at no cost?
An easy to remember domain name or host name to reach your Linux server is a must and equally significant is a secure TLS certificate to encrypt your communications to and from your Linode Linux server.
Free domain names are available at freenom.com or you can get yourself a hostname from a Dynamic DNS (DDNS) provider like nsupdate.info if you do not require a proper domain name.
Obtain a secure 4096-bit RSA or 384-bit ECDSA TLS certificate for a single domain name or multiple host names from Let’s Encrypt.
- A Linux Server
- Root access or a user account with sudo access to the same
- Very basic understanding of GNU/Linux command line and administration.
- (Optional) Zeal and determination to encrypt the communications.
- A valid domain name or Dynamic DNS host name with its A and/or AAAA record pointing to the above Linux server
This guide has been tested on my favourite Debian Stable (Stretch) but would work equally well on other GNU+Linux distributions including but not limited to Ubuntu, CentOS, Arch, Gentoo, OpenSUSE, Fedora etc with nil or negligible changes.
A. Installing a Let’s Encrypt SSL/TLS certificate client
My choice of client for Let’s Encrypt CA is an ACME Shell script: acme.sh, the simplest, easiest & smartest shell script to obtain free SSL/TLS certificates from Let’s Encrypt. It is vanilla Shell script with zero dependencies on additional packages or even official Let’s Encrypt client. It also has out of the box support for ECDSA certs.
To install acme.sh, do as follows once you have gained root or sudo access:
# wget -O - https://get.acme.sh | sh
# curl https://get.acme.sh | sh
Upon successful installation, you would receive a message as follows on screen:
[Sun Aug 13 12:50:12 EDT 2017] Install success!
Set acme.sh to automatically upgrade, so you don’t have to worry about it later:
# acme.sh --upgrade --auto-upgrade
B. Obtaining a secure TLS certificate for your domain name or multiple host names
Before we issue secure TLS cert(s), make sure Port 80/tcp is open in your Linux server’s firewall and free to listen. If not then do so.
1. 384-bit ECDSA TLS certificate (Recommended because it’s a more secure algorithm at even lower bitrates for starters)
In order to issue a secure ECDSA TLS certificate for your single domain name do as follows:
# acme.sh --issue --standalone -d example.xyz --keylength ec-384
The above command would generate/issue certs which will be placed in ~/.acme.sh/example.xyz_ecc/
SAN certificate (A certificate with multiple host names) is highly advised in most cases.
In order to issue a SAN certificate do as follows:
# acme.sh --issue --standalone -d example.xyz -d www.example.xyz -d clouds.example.xyz -d example.net -d example2.xyz --keylength ec-384
This would issue a single SAN certificate that is valid for all the host names mentioned therein. I recommended SAN cert with multiple host names in every case except when you are using a single host name by DDNS provider.
See, if you only issue a TLS certificate for example.xyz then the issued cert is not valid for www.example.xyz and vice-versa, which is not desirable. Hence, always remember to add www.domain.tld to your TLS certificate along with domain.tld unless otherwise specifically required.
2. 4096-bit RSA TLS certificate
In order to issue a secure RSA TLS certificate for your single domain name do as follows:
# acme.sh --issue --standalone -d example.xyz --keylength 4096
The above command would generate/issue key/cert pair will be placed in ~/.acme.sh/example.xyz/
For SAN certificate:
# acme.sh --issue --standalone -d example.xyz -d www.example.xyz -d clouds.example.xyz -d example.net -d example2.xyz --keylength 4096
3. Running Apache/Nginx already?
If you are running a web server, Apache or Nginx, it is recommended to use the Webroot mode instead of the above Standalone mode. Standalone mode is only recommended when you do not run applications on your Linux server that accommodates Port 80/tcp or 443/tcp actively making it unavailable to listen.
In order to issue a 4096-bit RSA TLS certificate in Apache mode:
# acme.sh --issue --apache -d example.xyz -d www.example.xyz --keylength 4096
To issue a 384-bit ECDSA TLS certificate:
# acme.sh --issue --apache -d example.xyz -d www.example.xyz --keylength ec-384
In order to issue a 4096-bit RSA TLS certificate in Nginx mode:
# acme.sh --issue --nginx -d example.xyz -d www.example.xyz --keylength 4096
To issue a 384-bit ECDSA TLS certificate:
# acme.sh --issue --nginx -d example.xyz -d www.example.xyz --keylength ec-384
C. TLS certificate renewals
Well, It is….. @#$%!
How do I explain? Never mind.
Just forget about manual renewals. hehe.
The beauty of acme.sh is that it automatically handles the domain renewals for you. TLS certs issued will be renewed every 60 days by this free certificate client for Let’s Encrypt.
That being so, if needed you can manually force a renewal as follows:
For RSA certs:
# acme.sh --renew -d example.xyz --force
For ECDSA certs:
# acme.sh --renew -d example.xyz --force --ecc
D. Revoking your TLS certificate and further help
There are times when you might want to revoke your secure TLS certificate.
You can always revoke issued TLS certificate(s) as follows:
# acme.sh --revoke -d example.xyz
# acme.sh --revoke -d example.xyz --ecc
Further help regarding syntax or any other option can be easily obtained from a well-written help file:
# acme.sh -h
Congrats! You have successfully generated a secure ECDSA/RSA TLS certificate for your domain name or multiple host names for free.
Thanks for reading! Suggestions and comments invited.