On 24 July 2018, Google released Chrome 68, pushing the entire web towards encrypted HTTPS connections by marking every website that does not use HTTPS as ‘Not Secure’, even if it does not handle sensitive data, communications, or information.
6 Reasons Why You Should Enable HTTPS On Your Website
- HTTPS improves Google rankings and SEO
- HTTPS improves website security and privacy
- HTTPS increases credibility and improves customer confidence
- HTTPS improves website speed, as HTTP2 is faster than HTTP
- HTTPS makes surfing over public Wi-Fi safer
- HTTPS is now free!
Before continuing this tutorial, we assume the following configuration:
OS: CentOS/RHEL 7
Web server: NGINX
AWS EC2 or Local machine
Step 1: Go to https://certbot.eff.org/ and choose the configuration matching your setup. In this tutorial we use NGINX on CentOS 7.
Step 2: Download dependencies
$ sudo yum -y install epel-release
Step 3: Install certbot
$ sudo yum -y install certbot
If you hit any errors, follow https://stackoverflow.com/a/54352917
Step 4 (1.a) : specific domain
Installing certificates with your website URL
$ sudo certbot certonly --standalone -d your.websiteurl.com
Step 4 (1.b) : for all subdomains / wildcard
$ sudo certbot certonly --manual --preferred-challenges=dns --agree-tos --server https://acme-v02.api.letsencrypt.org/directory -d *.websiteurl.com
Step 4 (2): Authenticate The Domain’s Ownership
For wildcard certificates, the only challenge method Let’s Encrypt accepts is the DNS challenge, which we select with the --preferred-challenges=dns flag.
After executing the above command, Certbot prints a TXT record that you must add to your DNS zone:
Please deploy a DNS TXT record under the name
_acme-challenge.erpnext.xyz with the following value:
J50GNXkhGmKCfn-0LQJcknVGtPEAQ_U_WajcLXgqWqo
Record Name: _acme-challenge
Record Value: J50GNXkhGmKCfn-0LQJcknVGtPEAQ_U_WajcLXgqWqo
Create the TXT record in your DNS console with that name and value.
You will then be prompted at the terminal for a valid email address. Provide one (the Certbot team will contact you at this address later).
PS: the nanogram.io URL is used in the image above; in your case the directory path will contain your own website URL.
If the above command fails with
Problem binding to port 80: Could not bind to IPv4 or IPv6.
resolve it by stopping whatever application is listening on port 80, then run the command again.
Check the status of your installed certificate
[Only for AWS EC2 users] At Step 4:
Make sure the public IP of your EC2 instance (the one where you are installing Certbot) is added at your domain registrar as an A record (or AAAA record for IPv6).
If it is improperly configured you will receive an error like the one below.
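The two failure modes above (port 80 already taken, and the domain not pointing at this instance) plus the TXT record of the DNS challenge can all be checked before Certbot is run. The script below is an added example, not part of the original post: each check is a small function that reads the output of `ss` or `dig` from stdin, so it can be exercised on constructed input, and the wrappers at the bottom feed it live output on a real host. The domain and IP in the comments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# Certbot steps above. Each check reads command output from stdin so it
# can be tested offline; the wrappers at the bottom run the real tools.

# port_in_use PORT  < output of `ss -ltn`
# Returns 0 if something already listens on PORT (the cause of
# "Could not bind to IPv4 or IPv6"). Field 4 is Local Address:Port,
# e.g. 0.0.0.0:80, [::]:80 or *:80; the header line is harmless.
port_in_use() {
    awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) found = 1 }
                   END { exit !found }'
}

# a_record_matches EXPECTED_IP  < output of `dig +short A name`
# Returns 0 only if at least one answer exists and every answer equals
# the public IP of the instance running Certbot.
a_record_matches() {
    awk -v ip="$1" 'NF { total++; if ($1 == ip) ok++ }
                    END { exit !(total > 0 && ok == total) }'
}

# txt_record_present VALUE  < output of `dig +short TXT _acme-challenge.name`
# dig prints TXT values in double quotes; strip them before comparing.
txt_record_present() {
    awk -v v="$1" '{ gsub(/"/, ""); if ($0 == v) found = 1 }
                   END { exit !found }'
}

# Live wrappers (need ss, dig and network; not used by the offline test).
# Usage: check_port_80; check_a_record example.test 203.0.113.10;
#        check_acme_txt example.test <value printed by certbot>
check_port_80() {
    if ss -ltn | port_in_use 80; then
        echo "port 80 busy: stop that service before using --standalone"
    else
        echo "port 80 free"
    fi
}
check_a_record() {
    if dig +short A "$1" | a_record_matches "$2"; then
        echo "A record OK"
    else
        echo "A record for $1 does not point to $2"
    fi
}
check_acme_txt() {
    if dig +short TXT "_acme-challenge.$1" | txt_record_present "$2"; then
        echo "TXT record visible: press Enter in certbot"
    else
        echo "TXT record not visible yet: wait before continuing"
    fi
}
```

Run the three wrappers on the instance before Step 4; if the A record check fails, Certbot's HTTP validation will reach a different host, and if the TXT check fails, pressing Enter in the manual DNS flow will produce a failed challenge that counts against Let's Encrypt's rate limits.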
Step 6: Take a backup of your certificates
$ sudo cp -r /etc/letsencrypt/ /home/ec2-user/
$ cd /home/ec2-user
$ sudo tar czf letsencrypt.tar.bz letsencrypt/
Step 7: To download the letsencrypt.tar.bz archive to your local machine, follow my blog.
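The backup in Step 6 contains the private keys under archive/ and live/, which are readable only by root, so the archive itself should be created with restrictive permissions and verified before it is copied off the box. The function below is an added example, not part of the original post: it takes the source tree and destination directory as parameters (so it can be exercised on a constructed directory instead of the real /etc/letsencrypt), creates the tarball under umask 077, names it to match its gzip compression, and checks that the keys and live/ links actually made it in.

```shell
#!/bin/sh
# Added example (not from the original post): a safer version of the
# Step 6 backup. SRC and DEST are parameters so the function can be
# tested on a constructed tree; on a real host call
#   sudo sh -c '. ./backup.sh; backup_letsencrypt /etc/letsencrypt /home/ec2-user'

# backup_letsencrypt SRC DEST_DIR  -> prints the archive path, or fails
backup_letsencrypt() {
    src=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dest/letsencrypt-$stamp.tar.gz"
    mkdir -p "$dest" || return 1
    # umask 077: the tarball holds privkey*.pem, so it must never be
    # group- or world-readable, even for a moment.
    (umask 077 && tar -C "$(dirname "$src")" -czf "$out" "$(basename "$src")") || return 1
    # Verify the archive is complete: live/ symlinks and the key material.
    tar -tzf "$out" | grep -q '/live/' || return 1
    tar -tzf "$out" | grep -q 'privkey' || return 1
    echo "$out"
}

# archive_mode FILE -> octal permission bits, used to confirm the 600 mode
archive_mode() {
    stat -c %a "$1"
}
```

When transferring the archive off the instance (Step 7), keep the same posture: copy it over SSH/SCP rather than HTTP, and delete the copy in /home/ec2-user once the download has been confirmed.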
Step 8: Renew your domain certificates
Let’s Encrypt certificates come with a 90-day expiry period. As the expiry date approaches, Let’s Encrypt will notify you by mail. Run the commands below:
$ sudo certbot renew --dry-run
$ sudo certbot renew
For renewing wildcard certificates you need to follow this link: https://dev.to/nabbisen/let-s-encrypt-renew-wildcard-certificate-manually-with-certbot-1jp
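Waiting for the expiry mail and renewing by hand is fragile; a practitioner checks the remaining validity from `certbot certificates` and lets a scheduled job renew and reload NGINX. The script below is an added example, not part of the original post or of Certbot: it parses the `(VALID: N days)` line that `certbot certificates` prints (an assumption about the output format), and wraps `certbot renew` with a deploy hook so the renewed certificate is actually served. The sample output in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): renewal monitoring for the
# "Check the status of your installed certificate" and Step 8 sections.
# Assumes `certbot certificates` prints "Expiry Date: ... (VALID: N days)"
# per certificate, or "(INVALID: ...)" once it has expired.

# days_left  < output of `certbot certificates`
# Prints the smallest number of days left across all certificates,
# 0 if any certificate is already invalid, -1 if no certificate was found.
days_left() {
    awk '
        /\(VALID: [0-9]+ day/ {
            match($0, /VALID: [0-9]+/)
            n = substr($0, RSTART + 7, RLENGTH - 7) + 0
            if (min == "" || n < min) min = n
        }
        /\(INVALID/ { min = 0 }
        END { print (min == "" ? -1 : min) }'
}

# renew_with_reload: the Step 8 renewal plus an NGINX reload.
# --deploy-hook runs only when a certificate was really renewed, so a
# twice-daily run is cheap (certbot itself only renews under 30 days left).
renew_with_reload() {
    certbot renew --quiet --deploy-hook 'systemctl reload nginx'
}

# report: one line suitable for a cron job or a monitoring check
report() {
    left=$(certbot certificates 2>/dev/null | days_left)
    if [ "$left" -lt 0 ]; then
        echo "no certificates found"
    elif [ "$left" -le 14 ]; then
        echo "WARNING: certificate expires in $left days"
    else
        echo "OK: $left days left"
    fi
}

# Suggested root crontab entry (hypothetical path to this script):
# 0 3,15 * * * root /usr/local/sbin/le-renew.sh renew_with_reload
```

Note that the manual `--manual --preferred-challenges=dns` wildcard issuance from Step 4 (1.b) cannot be renewed unattended by `certbot renew` without an authentication hook, which is why the wildcard case still needs the manual procedure linked above.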