Free SSL certificate

TLDR:

certbot certonly --webroot --agree-tos --expand -w /path/to/your/domain/public/dir/ -d yourdomain.name,www.yourdomain.name

I know 2 popular ways to get a free SSL certificate:

1. Let's Encrypt

Let's Encrypt is a non-commercial organization that issues certificates valid for 90 days. A special program called certbot is required. You can get it from GitHub or install it from your distro's repositories. The next step is requesting the certificate itself: run the command from the top of the post with root privileges, after editing the path and domain name. The output should look like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sarafan.guru
Using the webroot path /path/to/your/domain/public/dir/ for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.name/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.name/privkey.pem
   Your cert will expire on 2019-00-00. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

If everything is OK, you should have the files /etc/letsencrypt/live/yourdomain.name/fullchain.pem and /etc/letsencrypt/live/yourdomain.name/privkey.pem. Add these to the nginx config. The certificate is ready.
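
A minimal nginx configuration that uses these two files, as an added example that is not from the original post. It reuses the placeholder domain and webroot path from the command at the top; the protocol list and the HTTP-to-HTTPS redirect are assumptions.

```nginx
# Added example; yourdomain.name and the webroot path are the post's placeholders.

# Port 80 stays open: the http-01 challenge is fetched over plain HTTP.
server {
    listen 80;
    server_name yourdomain.name www.yourdomain.name;

    # certbot --webroot writes challenge files under
    # <webroot>/.well-known/acme-challenge/, so serve that path from the
    # same directory that was passed with -w.
    location ^~ /.well-known/acme-challenge/ {
        root /path/to/your/domain/public/dir/;
        default_type text/plain;
    }

    # Assumption: everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name yourdomain.name www.yourdomain.name;
    root /path/to/your/domain/public/dir/;

    # Certificate plus intermediate chain, and the matching private key.
    ssl_certificate     /etc/letsencrypt/live/yourdomain.name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.name/privkey.pem;

    # Assumption: only modern protocol versions are needed
    # (the TLSv1.3 parameter requires nginx 1.13.0 or newer).
    ssl_protocols TLSv1.2 TLSv1.3;
}
```

nginx reads the certificate files when it starts or reloads, so after a renewal run nginx -s reload for the new certificate to be served.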

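Important: since the certificate is valid for only 3 months, Let's Encrypt recommends renewing it monthly. To achieve this, add the following task to root's crontab. It runs certbot renew every day at 20:20 and discards the output; certbot only renews certificates that are close to expiry, so the daily run is harmless: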


#letsencrypt MANUAL
20 20 * * *     certbot renew >/dev/null 2>&1

2. Cloudflare

cloudflare.com is a cloud service that provides a CDN, DDoS protection, DNS and SSL certificates.

It is much easier to plug in and there is no need to renew every month, but you have to change the domain's NS servers and traffic will go through Cloudflare.

Conclusion

If there is access to domain administration, I'd prefer Cloudflare over Let's Encrypt: setup is faster, with a lot of features out of the box. Besides that, it is possible to explain to someone how to add a certificate to his website over a phone call. You can't do that trick with Let's Encrypt. However, Cloudflare is a complex solution. If the task is just "switch to https", Let's Encrypt seems a better option. Also, it is quite easy to automate certbot usage.

published 2019-03-26 13dagger