24th July 2018, Google has released Chrome 68, giving the entire web a push towards secure and encrypted HTTPS connections by marking all websites that do not use the secure HTTPS encryption as ‘Not Secure,’ even if they don’t handle sensitive data, communications, or information.

6 Reasons Why You Should Enable HTTPS On Your Website

• HTTPS improves Google rankings and SEO
• HTTPS improves website security and privacy
• HTTPS increases credibility and improves customer confidence
• HTTPS improves website speed, as HTTP2 is faster than HTTP
• HTTPS makes surfing over public Wi-Fi safer
• HTTPS is now free!

Before we continuing this tutorial, assuming we have this configuration;

OS: CentOS/RHEL 7
Web server: NGINX
AWS EC2 or Local machine

Step 1:

Log on https://certbot.eff.org/ . Choose configuration as per your specific requirement. In this tutorial, we will be using NGINX on CentOS7

Step 2: Download dependencies

$ sudo yum -y install epel-release

Step 3: Install certbot

Install certbot

$ sudo yum -y install certbot

Follow this https://stackoverflow.com/a/54352917 [If any errors]

Step 4 (1.a) : specific domain

Installing certificates with your website URL

$ sudo certbot certonly --standalone -d your.websiteurl.com 

Step 4 (1.b) : for all subdomains / wildcard

$ sudo certbot certonly --manual --preferred-challenges=dns --agree-tos --server https://acme-v02.api.letsencrypt.org/directory -d *.websiteurl.com

Step 4 (2): Authenticate The Domain’s Ownership

For wildcard certificates, the only challenge method Let’s Encrypt accepts is the DNS challenge, which we can invoke via the preferred-challenges=dns flag.

After executing the above command, the Certbot will share a text record to add to your DNS.

Please deploy a DNS TXT record under the name
_acme-challenge.erpnext.xyz with the following value:J50GNXkhGmKCfn-0LQJcknVGtPEAQ_U_WajcLXgqWqo

Record Name: _acme-challenge
Record Value: J50GNXkhGmKCfn-0LQJcknVGtPEAQ_U_WajcLXgqWqo

Create TXT record via DNS console and setup key and value

Immediately you will be prompted to enter valid email id at the terminal. Provide valid email id(you will be later contacted soon by Certbot tech team)

PS: nanogram.io URL used in the above image. Instead, you will be having your own website URL directory path.

If you are having issue during above command,
Problem binding to port 80: Could not bind to IPv4 or IPv6.
Resolve it by stopping applications, whichever running on 80 port.

Step 5:

Check the status of your installed certificate

[only for AWS EC2 users]

at Step 4:

Make sure your EC2 IP(current instance, where you are installing CertBot), is added in your domain registrar provider as A / AAA name record.

If it is improperly configured you will be receiving an error as below

Step 6: Take a backup of your certificates

$ cp -r /etc/letsencrypt/ /home/ec2-user/$ tar czf letsencrypt.tar.bz letsencrypt/

Step 7: To download letsencrypt.tar.bz archived file to the local directory: follow my blog

https://medium.com/@dearsikandarkhan/files-copying-between-aws-ec2-and-local-d07ed205eefa

Step 8: Renew your domain certificates

Let’sEncrypt certificates comes with 90 days expiry period. As expiry date approaches, you will be notified by Let’sEncrpyt via mail. Perform below-mentioned commands,

$ sudo certbot renew --dry-run$ certbot renew

For renewing wildcard domains you need to do in this way, follow link https://dev.to/nabbisen/let-s-encrypt-renew-wildcard-certificate-manually-with-certbot-1jp

References:

https://medium.com/@dearsikandarkhan/ssl-godaddy-csr-create-on-mac-osx-4401c47fd94c

https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

https://www.youtube.com/watch?v=d4QDyHLHZ9c

Happy exploration!