Setup of a ssl certificate with let’s encrypt

For users, no SSL shows as "http://" in front of a website address, and with SSL it shows as "https://"

"https" means that the connection between the user and the website is encrypted. It is useful for:

Let’s Encrypt is a product launched in 2015 by the Electronic Frontier Foundation (EFF) providing SSL certification for free, and made easy.

The "certbot" is the EFF’s latest package to let your server use let’s encrypt capabilities.

So, let’s install the certbot:

In this file, add a line deb http://ftp.debian.org/debian jessie-backports main

Then:

Then:

→ in the interactive window, choose "standalone". Follow the instructions.

That’s it. Certificates get installed at:

Certificates expire after 90 days, so renewing them manually and regularly is a pain.

Thanks to certbot, they will renew themselves automatically, you don’t need to add any script. Just check that it indeed works:

(this will not renew them, but just simulate the action)

This command is useful because you may realize that your port 443 needs to be open for the renewal to succeed. With Nginx or another reverse proxy running, 443 is already in use so the the renewal will fail.

Solution for nginx:

Add the following line:

@monthly certbot renew --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"

This will test every month the need to renew certificates. Only when there is a need, nginx will be stopped before then restarted after the operation.

Author of this tutorial: Clement Levallois

All resources on linux security: https://seinecle.github.io/linux-security-tutorials/