How to add a Free SSL certificate on your webserver without self signing

December 31, 2016 - 22:03

If you are looking to move your website from an http protocol to https protocol then you don't necessarily have to go for a paid SSL certificate. You could use the certificate provided by Let's Encrypt, which is a valid certifying authority. Here is a high level outline of what you should do to set up https on your webserver. We have documented how you should do it for nginx but a similar approach should work for other webservers as well.

You will have to first install the certbot from https://certbot.eff.org/ to download certificates from letsencrypt.org. Certbot will automatically detect webservers and install certificates for latest versions of the operating systems. If you are using an unsupported operating system you can use the certonly and --standalone options to download the certificates to /etc/letsencrypt/live. You can then configure the webserver manually.

If you are using nginx then you will have to set up the following section inside the server block inside the nginx configuration

    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;


You might also want to forward the http version of the site to the https version keeping the URLs by adding something like

    server {
        listen 80;
        server_name www.example.com;
        return 301 https://$server_name$request_uri;
    }

You will also need to configure a cron job to renew the certificate as the certificates issued by Let's Encrypt expires in 90 days. You can set up a cronjob with something like the following

0 0 */25 * * /opt/certbot/certbot-auto renew --standalone --quiet --no-self-upgrade --pre-hook "service nginx stop" --post-hook "service nginx start"

That is it. You are all set to use a certificate from Let's Encrypt on your webserver. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). If you like the service, consider donating to Let's Encrypt.

Post your comments / questions