EN Certbot - titandc/titan-sc-documentation GitHub Wiki

Preface

This documentation explains how to generate a generic SSL certificate using Let's Encrypt (certbot). The certificate can thus be used by any application.

Prerequisites

The domain name for which the certificate will be created must have a DNS A record pointing to the public IP address of the server.

For this example, the domain name example-certbot.org will be used.

Installation

On most Linux distributions, installing the certbot package is enough:

# Debian-based distributions
apt-get install certbot

# Red Hat-based distributions
dnf install certbot

Creation of the certificate

The certificate is created with the certbot command below. The standalone authenticator answers the http-01 challenge from a temporary web server of its own, so port 80 must be reachable from the Internet and not already bound by another service (stop Nginx or Apache first, or run certbot before installing them):

certbot certonly --standalone --agree-tos -d example-certbot.org --no-eff-email --email [email protected]

The output of the command should look like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Account registered.
Requesting a certificate for example-certbot.org
Performing the following challenges:
http-01 challenge for example-certbot.org
Waiting for verification ...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example-certbot.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example-certbot.org/privkey.pem
   Your certificate will expire on 2022-02-28. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew * all * of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

The certificate has been generated successfully. The certificate chain (fullchain.pem) and the private key (privkey.pem) are located in the /etc/letsencrypt/live/example-certbot.org/ directory.

The private key is, as the name suggests, private. It must not be shared with anyone or copied to any shared or removable medium (FTP server, USB key, etc.).

It is now possible to use the certificate for any application.
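Once the files exist, the following script (an added example for this page, not part of the titandc wiki or of certbot itself) verifies the points made above: that privkey.pem is root-owned and unreadable by group and others, that it matches fullchain.pem, and how many days remain before the expiry date certbot printed. It assumes certbot's default /etc/letsencrypt/live layout and the openssl CLI on PATH.

```python
import os
import ssl
import stat
import subprocess
import sys
import time
LIVE_DIR = "/etc/letsencrypt/live"  # certbot's default live directory (assumed)
RENEW_WINDOW_DAYS = 30              # certbot renews when fewer days than this remain

def days_until(not_after, now_ts=None):
    """Whole days until a notAfter string in OpenSSL form ('Feb 28 00:00:00 2022 GMT')."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return int((expiry - now_ts) // 86400)

def renewal_due(days_left):
    """True once the certificate is inside certbot's default renewal window."""
    return days_left < RENEW_WINDOW_DAYS

def key_mode_ok(mode, uid):
    """privkey.pem must be root-owned and unreadable by group and others."""
    return uid == 0 and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def cert_not_after(cert_path):
    """Read notAfter of the leaf certificate with the openssl CLI (assumed on PATH)."""
    out = subprocess.check_output(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path], text=True)
    return out.strip().split("=", 1)[1]

def check_live_dir(domain):
    """Return the problems found for one domain; an empty list means all checks passed."""
    cert = os.path.join(LIVE_DIR, domain, "fullchain.pem")
    key = os.path.join(LIVE_DIR, domain, "privkey.pem")
    problems = []
    st = os.stat(key)  # follows certbot's symlink into /etc/letsencrypt/archive
    if not key_mode_ok(stat.S_IMODE(st.st_mode), st.st_uid):
        problems.append(f"{key}: mode {oct(stat.S_IMODE(st.st_mode))}, owner uid {st.st_uid}")
    try:
        # load_cert_chain raises SSLError when privkey.pem does not match fullchain.pem
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert, key)
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"certificate/key check failed: {exc}")
    days = days_until(cert_not_after(cert))
    if renewal_due(days):
        problems.append(f"{cert}: {days} days left, run 'certbot renew'")
    return problems

if __name__ == "__main__":
    issues = check_live_dir(sys.argv[1] if len(sys.argv) > 1 else "example-certbot.org")
    sys.exit("\n".join(issues) if issues else 0)
```

Run it as root (the key is not readable otherwise), passing the domain name; a non-zero exit code with the problem list makes it usable from cron or a monitoring agent.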

Using the certificate

Nginx

On Nginx, the following directives must be added to the server block (vhost) corresponding to the domain name example-certbot.org:

listen 443 ssl;

ssl_certificate /etc/letsencrypt/live/example-certbot.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example-certbot.org/privkey.pem;

Apache

On Apache, the following directives must be added to the vhost corresponding to the domain name example-certbot.org. SSLEngine on is required as well; without it the vhost does not speak TLS at all:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example-certbot.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example-certbot.org/privkey.pem