intro

SSL encryption is nowadays a requirement if you want Google to see your website and rate it highly. Virtually all modern and slightly older computers (2000s onwards) support very fast SSL encryption and decryption. So why not enable SSL encryption?

Today, we’ll learn how to get an SSL certificate from Let’s Encrypt to use for your website.

program

You have a lot of choices for software to obtain an SSL certificate, but today I’ll use lego, which is a Go-based program…

I use lego mainly because it’s super portable: it supports Windows, Linux, macOS, *BSD, Solaris and many architectures. Configuration is dead simple, and it’s stable from what I’ve seen so far.

lego install

First, you gotta install lego. You could do it via the OS’ package manager (I won’t cover it) or via a binary download from the project page.

binary download

Head to lego’s project page and fetch an executable for your host OS. I’ll use OpenBSD, amd64, because my instance is OpenBSD and it’s 64-bit…

Afterwards, run the following (as root):

mv "your_lego_filename" lego
chmod +x "lego"
mv "lego" /bin/lego

setup

Second, determine which method you’ll use for verification. Lego supports three methods (DNS, TLS, HTTP); I’ll use DNS.

Third, fetch an API key for your DNS provider.

You can view the list of supported DNS providers on lego’s project page. In case your DNS provider is not supported, you could either migrate DNS providers or use a different method of verification.

To fetch the API key, look up how your DNS provider issues API keys. This is not covered by lego, but by the DNS provider’s website and other outlets.

In my case, my DNS provider is Vultr.

vultr api key

Head to the Vultr dashboard and click on Account on the left.

When you’re in the account section, go to API.

Afterwards, enable the API if necessary and copy your API key. Also, don’t forget to add your server’s IPv4 and IPv6 addresses under Access Control.

Format should be like so:

XXX.XXX.XXX.XXX/32
XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128

This part is very important: if you get it wrong, lego won’t work.

back to lego

After you’ve fetched your API key, execute the following as root (replacing the email, domain and API key):

VULTR_API_KEY="your key here" lego --email="john@example.com" --domains="example.com" --dns vultr run

You should find the certificates in /root/.lego/certificates/{domain}.key and /root/.lego/certificates/{domain}.crt.

Afterwards, just assign them to your HTTP server and voilà, free SSL 🔒

setting up cron

Since SSL certificates have an expiry date, we need to renew them every couple of months. This can be automated via cron.

First, look up how to enable cron on your OS.

Second, copy and paste the old command and replace run with renew. It should look like this:

VULTR_API_KEY="your key here" lego --email="john@example.com" --domains="example.com" --dns vultr renew

Third, type in EDITOR=nano crontab -e and add the following line to the end of the file.

30 01 01 */2 * VULTR_API_KEY="your key here" lego --email="john@example.com" --domains="example.com" --dns vultr renew

Finally, press Control+X to save the file, then reload cron and you’re done.
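
The crontab entry above keeps the API key in plain text inside the crontab. As an added example (not part of the original guide or of lego itself), this wrapper reads the key from a root-only file and refuses to run if that file is missing, empty, or accessible to group/other; the file paths and the script name are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper for "lego renew" that keeps the API key out of
# the crontab. KEY_FILE and LEGO_DIR are assumed locations, not lego defaults
# you must use; KEY_FILE holds the Vultr API key on a single line.
KEY_FILE="${KEY_FILE:-/root/.lego/vultr_api_key}"
LEGO_DIR="${LEGO_DIR:-/root/.lego}"

# Succeeds only if $1 is a regular file with no group/other permission bits
# (i.e. mode 0600 or 0400). Columns 5-10 of "ls -l" are those six bits.
key_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Prints the key stored in $1 with whitespace stripped. Fails, printing
# nothing on stdout, if the file is missing, too widely readable, or empty.
load_api_key() {
    if ! key_file_is_private "$1"; then
        echo "refusing: $1 is missing or accessible to group/other" >&2
        return 1
    fi
    key=$(tr -d ' \t\r\n' < "$1")
    if [ -z "$key" ]; then
        echo "refusing: $1 is empty" >&2
        return 1
    fi
    printf '%s' "$key"
}

# $1 = account email, $2 = domain. The key is exported only for this process
# and its lego child; it never appears in the crontab or on a command line.
renew_cert() {
    VULTR_API_KEY=$(load_api_key "$KEY_FILE") || return 1
    export VULTR_API_KEY
    lego --path "$LEGO_DIR" --email="$1" --domains="$2" --dns vultr renew
}

# Does nothing unless called as: lego-renew.sh renew EMAIL DOMAIN
case "${1:-}" in
    renew) renew_cert "$2" "$3" ;;
esac
```

Saved as /usr/local/sbin/lego-renew.sh (an assumed path), the crontab command becomes /usr/local/sbin/lego-renew.sh renew john@example.com example.com, with the key file created once and set to chmod 600. lego renew leaves a certificate alone until it is close to expiry, so the entry can be scheduled more often than every two months.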


notes

If you have any problems with the guide, please send me an email.