certbot certonly --webroot --agree-tos --expand -w /path/to/your/domain/public/dir/ -d yourdomain.name,www.yourdomain.name
I know two popular ways to get a free SSL certificate:
Let's Encrypt -- a non-commercial organization that issues certificates valid for 90 days.
A special program called certbot is required. You can get it from GitHub or install it from your distro's repositories.
Next step: requesting the certificate itself. Run the command from the top of the post with root privileges, after editing the path and domain names.
The output should look like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sarafan.guru
Using the webroot path /path/to/your/domain/public/dir/ for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.name/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.name/privkey.pem
   Your cert will expire on 2019-00-00. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
If everything is OK, you should have the files listed in the output above. Add these to the nginx config. The certificate is ready.
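A minimal nginx configuration for this step, as an added example that is not from the original post. It assumes the same placeholder domain and webroot path used in the certbot command, and it keeps the http-01 challenge directory reachable over plain HTTP so that later renewals through the webroot method still succeed.

```nginx
# Added example: domain and paths are the placeholders from the certbot command.
server {
    listen 80;
    server_name yourdomain.name www.yourdomain.name;

    # certbot's webroot authenticator writes challenge files under
    # <webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches them
    # over HTTP, so this location must not be redirected away.
    location /.well-known/acme-challenge/ {
        root /path/to/your/domain/public/dir/;
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name yourdomain.name www.yourdomain.name;

    root /path/to/your/domain/public/dir/;

    # fullchain.pem = site certificate plus intermediate chain.
    # privkey.pem   = private key; it should stay readable by root only.
    ssl_certificate     /etc/letsencrypt/live/yourdomain.name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.name/privkey.pem;
}
```

After a renewal nginx keeps serving the old certificate until it is reloaded, so the renew job can be given a reload step, for example certbot renew --deploy-hook "systemctl reload nginx" (this assumes a systemd host).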
Important: since the certificate is valid for only 3 months, Let's Encrypt recommends renewing it monthly. To do this, add the following task to root's crontab:
#letsencrypt MANUAL
20 20 * * * certbot renew >/dev/null 2>&1
cloudflare.com -- a cloud service that provides CDN, DDoS protection, DNS and SSL certificates.
It is much easier to plug in and there is no need to renew every month, but a nameserver change is needed and traffic will go through Cloudflare.
If there is access to domain administration, I'd prefer Cloudflare over Let's Encrypt: setup is faster, with a lot of features out of the box. Besides that, it is possible to explain to someone how to add a certificate to his website over a phone call. You can't do that trick with Let's Encrypt. However, Cloudflare is a complex solution. If the task is just "switch to https", Let's Encrypt seems a better option. Also, it is quite easy to automate certbot usage.