Published on August 15th, 2017 | by Manish Gehlot

How to obtain a secure Let’s Encrypt signed TLS certificate for your domain name or multiple host names at no cost?

An easy-to-remember domain name or host name for reaching your Linux server is a must, and equally important is a valid TLS certificate to encrypt the communications to and from your Linode Linux server.

Free domain names are available at freenom.com, or, if you do not need a proper domain name, you can get a host name from a Dynamic DNS (DDNS) provider such as nsupdate.info.

Mission:

Obtain a secure 4096-bit RSA or 384-bit ECDSA TLS certificate for a single domain name or multiple host names from Let’s Encrypt.

Prerequisites:

  • A Linux Server
  • Root access or a user account with sudo access to the same
  • Very basic understanding of GNU/Linux command line and administration.
  • (Optional) Zeal and determination to encrypt the communications.
  • A valid domain name or Dynamic DNS host name with its A and/or AAAA record pointing to the above Linux server

This guide has been tested on my favourite Debian Stable (Stretch), but it should work equally well on other GNU/Linux distributions, including but not limited to Ubuntu, CentOS, Arch, Gentoo, openSUSE and Fedora, with no or negligible changes.

Let’s roll.

A. Installing a Let’s Encrypt SSL/TLS certificate client

My choice of client for the Let’s Encrypt CA is an ACME shell script: acme.sh, the simplest, easiest and smartest shell script for obtaining free SSL/TLS certificates from Let’s Encrypt. It is a vanilla shell script with no dependency on additional packages or even on the official Let’s Encrypt client. It also supports ECDSA certificates out of the box.

To install acme.sh, do as follows once you have gained root or sudo access:

or

Upon successful installation, you will see a message like the following on screen:

Set acme.sh to automatically upgrade, so you don’t have to worry about it later:

B. Obtaining a secure TLS certificate for your domain name or multiple host names

Before we issue the TLS certificate(s), make sure port 80/tcp is open in your Linux server’s firewall and not already in use by another process: in standalone mode acme.sh has to listen on it to answer the Let’s Encrypt validation request. If it is not, fix that first.

1. 384-bit ECDSA TLS certificate (Recommended: ECDSA is the stronger algorithm and achieves that strength at much smaller key sizes than RSA)

In order to issue a secure ECDSA TLS certificate for your single domain name do as follows:

The above command issues the certificate and places the resulting key and certificate files in ~/.acme.sh/example.xyz_ecc/

A SAN certificate (a single certificate valid for multiple host names) is highly advisable in most cases.

In order to issue a SAN certificate do as follows:

This issues a single SAN certificate that is valid for all the host names listed in the command. I recommend a SAN certificate with multiple host names in every case except when you are using a single host name from a DDNS provider.

The reason is that a certificate issued only for example.xyz is not valid for www.example.xyz, and vice versa, which is rarely what you want. So always remember to add www.domain.tld to your TLS certificate alongside domain.tld unless you specifically need otherwise.

2. 4096-bit RSA TLS certificate

In order to issue a secure RSA TLS certificate for your single domain name do as follows:

The above command issues the certificate and places the resulting key/certificate pair in ~/.acme.sh/example.xyz/

For SAN certificate:

3. Running Apache/Nginx already?

If you are already running a web server such as Apache or Nginx, it is recommended to use the Webroot mode instead of the Standalone mode shown above. Standalone mode is only appropriate when no application on your Linux server is actively listening on port 80/tcp or 443/tcp, because acme.sh itself needs to bind that port during validation.

Apache mode

In order to issue a 4096-bit RSA TLS certificate in Apache mode:

To issue a 384-bit ECDSA TLS certificate:

Nginx mode

In order to issue a 4096-bit RSA TLS certificate in Nginx mode:

To issue a 384-bit ECDSA TLS certificate:

C. TLS certificate renewals

Well, It is….. @#$%!
Uhmm…
How do I explain? Never mind.

Just forget about manual renewals. hehe.

The beauty of acme.sh is that it handles certificate renewals for you automatically: TLS certificates it has issued are renewed every 60 days by this free Let’s Encrypt client.

That said, if needed you can manually force a renewal as follows:

For RSA certs:

For ECDSA certs:

D. Revoking your TLS certificate and further help

There are times when you might want to revoke your secure TLS certificate.

You can always revoke an issued TLS certificate as follows:

For RSA:

For ECDSA:

Further help on syntax or any other option is readily available from the well-written built-in help:
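To make the issue, renew and revoke steps from sections B to D reviewable before anything talks to the CA, here is an added example (not part of the original post or of the acme.sh project) that composes the acme.sh command lines from a validation mode, a key type and a list of host names, reports where acme.sh stores the result, and checks the two pitfalls the post warns about: a missing www host name and an occupied port 80. The `acme.sh` flags used (`--issue`, `--standalone`, `--apache`, `--nginx`, `--keylength`, `--renew`, `--force`, `--revoke`, `--ecc`) are the client’s real options; the function names are this example’s own.

```shell
#!/bin/sh
# Added example: build (not run) the acme.sh commands from the post, so each
# one can be inspected before execution. Host names are constructed samples.

# Map the post's two key choices to acme.sh --keylength values.
keylength_flag() {               # $1 = ecc | rsa
    case "$1" in
        ecc) echo "--keylength ec-384" ;;
        rsa) echo "--keylength 4096" ;;
        *)   echo "unknown key type: $1" >&2; return 1 ;;
    esac
}

# Map the post's validation modes to the matching acme.sh flag.
mode_flag() {                    # $1 = standalone | apache | nginx
    case "$1" in
        standalone|apache|nginx) echo "--$1" ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# issue_cmd MODE KEYTYPE HOST [HOST...] -> the acme.sh --issue command line.
issue_cmd() {
    mode=$(mode_flag "$1") || return 1
    key=$(keylength_flag "$2") || return 1
    shift 2
    cmd="acme.sh --issue $mode $key"
    for h in "$@"; do cmd="$cmd -d $h"; done
    echo "$cmd"
}

# ECC certs live in a directory with an _ecc suffix and need --ecc later on.
cert_dir()   { [ "$2" = ecc ] && echo "$HOME/.acme.sh/${1}_ecc" || echo "$HOME/.acme.sh/$1"; }
ecc_flag()   { [ "$1" = ecc ] && echo " --ecc"; }
renew_cmd()  { echo "acme.sh --renew -d $1 --force$(ecc_flag "$2")"; }
revoke_cmd() { echo "acme.sh --revoke -d $1$(ecc_flag "$2")"; }

# True (exit 0) when no www.* host name was requested: the post's advice is
# that a cert for example.xyz does not cover www.example.xyz.
missing_www() {
    for h in "$@"; do case "$h" in www.*) return 1 ;; esac; done
    return 0
}

# Standalone mode needs port 80/tcp free; exit 0 when nothing listens on it.
port80_free() {
    command -v ss >/dev/null 2>&1 || { echo "ss not found" >&2; return 2; }
    ! ss -ltnH '( sport = :80 )' | grep -q .
}
```

Source the file, then e.g. `issue_cmd standalone ecc example.xyz www.example.xyz` prints the command to run, and `missing_www example.xyz && echo "add -d www.example.xyz"` flags a bare-domain request.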


Congrats! You have successfully generated a secure ECDSA/RSA TLS certificate for your domain name or multiple host names for free.

Thanks for reading! Suggestions and comments invited.
