SSL certificates have always been an expensive thing, with companies such as Thawte and Verisign charging a ridiculous premium for them. However, now thanks to the EFF and the Linux Foundation (both are organisations close to my heart), there is a free solution for people who just need a level of security without being ripped off. The only difference is that you don’t get the ‘insurance’ that you can get from a purchased SSL certificate.

I present to you Certbot - https://certbot.eff.org/

For certbot to work effectively (this mini tutorial assumes you are using Apache on Ubuntu, and have followed the install instructions at this URL), you need to make sure all your vHost configurations are in separate files. I am unfortunately guilty of creating monolithic configs on my box since it is just used by me for a bunch of projects.
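One way to split an existing monolithic config into one file per vhost, as required above. This is an added example, not part of the original post or of Certbot; the blog.example vhost, the ServerTokens line and the split_vhosts helper are made up for illustration.

```python
import re

# One <VirtualHost ...> ... </VirtualHost> container. Apache directive names
# are case-insensitive; lines commented out with '#' do not match.
VHOST_RE = re.compile(
    r"^[ \t]*<VirtualHost\b[^>]*>.*?^[ \t]*</VirtualHost>[ \t]*\n?",
    re.IGNORECASE | re.DOTALL | re.MULTILINE)
SERVERNAME_RE = re.compile(r"^[ \t]*ServerName[ \t]+(\S+)", re.I | re.M)
SAFE_NAME_RE = re.compile(r"[a-z0-9][a-z0-9.-]*")


def split_vhosts(config_text):
    """Return ({file_name: vhost_block}, leftover_global_directives)."""
    files = {}
    for match in VHOST_RE.finditer(config_text):
        block = match.group(0).strip() + "\n"
        found = SERVERNAME_RE.search(block)
        if found is None:
            raise ValueError("vhost has no ServerName:\n" + block)
        name = found.group(1).lower()
        # The name becomes a file name, so refuse anything path-like.
        if not SAFE_NAME_RE.fullmatch(name):
            raise ValueError("ServerName not usable as a file name: " + name)
        if name + ".conf" in files:
            raise ValueError("more than one vhost for " + name)
        files[name + ".conf"] = block
    return files, VHOST_RE.sub("", config_text).strip()


# Constructed sample: two vhosts and a global directive in one file.
SAMPLE = """\
ServerTokens Prod
<VirtualHost *:80>
ServerName 0x.re
ServerAlias www.0x.re
DocumentRoot /srv/meme
</VirtualHost>
<virtualhost *:80>
# ServerName old.example
ServerName blog.example
DocumentRoot /srv/blog
</virtualhost>
"""

if __name__ == "__main__":
    vhosts, rest = split_vhosts(SAMPLE)
    for file_name in sorted(vhosts):
        print("--- " + file_name + "\n" + vhosts[file_name], end="")
    print("--- left in the original file\n" + rest)
```

Each returned block can then be written to its own file under /etc/apache2/sites-available/ and enabled with a2ensite before running the letsencrypt command.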

So my example is with my meme creator hosted on 0x.re - the config is pretty standard:

<VirtualHost *:80>
ServerName 0x.re
ServerAlias www.0x.re
DocumentRoot /srv/meme
<Directory /srv/meme>
AllowOverride All
Require all granted
</Directory>
</VirtualHost>

Nothing exciting, but it does get Laravel working (and Wordpress ditched the indentation), but it's in a separate file, and life is peachy. Now it is time to generate the certificate.

To start, you need to run the following command, replacing www.0x.re with your domain name:

$ sudo letsencrypt -d www.0x.re

You will now be given an option.

If, like me, you are running HTTP/2 on your server, then I would suggest selecting ‘Secure’ since it will ensure that all traffic is automatically redirected to the secure connection, and you can then take advantage of HTTP/2. Unless you have a real reason for not pushing everything through SSL, I would suggest this.

You're done! If you visit your site now, you will be directed to the SSL version of the site, and it is secure!

Digging a little deeper, you will see that Chrome is happy with the situation too.

One final thing - notice the short lifetime of the certificate? No problem. A simple cronjob can sort this out to keep your certificates fresh:

$ sudo crontab -e

Add the line:

# Twice a day is plenty: renew only replaces certificates that are close to expiry
0 */12 * * * letsencrypt renew >/dev/null

If any of the certificates need to be renewed, it will do so automatically; otherwise, it does nothing.

One final thing - the process creates a new vHost file, so if you want to benefit from HTTP/2, I would recommend following this easy tutorial on enabling HTTP/2.