Certbot provides a number of options for fetching certificates, validating your domain, and automatically configuring Apache and Nginx. In this article, we'll talk about securing other services, such as a mail server or a message broker like RabbitMQ, using Certbot's standalone mode.
Prerequisites
You'll need these things before starting this tutorial:
* A server running Ubuntu 20.04 with a basic firewall configuration, a non-root user, and sudo enabled.
* A domain name that points to your server. You can set this up on a DigitalOcean Droplet by following our Domains and DNS instructions. The placeholder your_domain is used throughout this tutorial.
* Ports 80 and 443 must not be in use on your server. If the service you are trying to secure is on a host that already runs a web server on both of these ports, use a different mode instead, such as Certbot's webroot mode.
Step 1 — Installing Certbot
Certbot recommends installing its snap package. Snap packages work on nearly all Linux distributions, but snapd must be installed before they can be used. Ubuntu 20.04 supports snapd out of the box, so a good place to start is making sure your snapd core is up to date:
$ sudo snap install core
$ sudo snap refresh core
If you're working on a server that previously had an earlier version of certbot installed, remove it before continuing:
$ sudo apt remove certbot
You can then install the certbot package:
$ sudo snap install --classic certbot
To run the certbot command by simply typing certbot, link the command from the snap install directory into your path. This isn't necessary with all packages, but snaps tend to be less intrusive by default so that they don't accidentally conflict with other system packages.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Let's run Certbot to obtain our certificate now that it has been installed.
Step 2 — Running Certbot
Certbot must answer a cryptographic challenge issued by the Let's Encrypt API in order to prove that we control our domain. It does this over port 80 (HTTP) or port 443 (HTTPS). Open the appropriate port in your firewall:
$ sudo ufw allow 443
Output
Rule added
Rule added (v6)
We can now use Certbot to obtain our certificate. The certonly subcommand tells Certbot to fetch the certificate without installing it into any web server, and the --standalone option tells it to answer the challenge with its own built-in web server. Finally, the -d flag specifies the domain you are requesting a certificate for; to cover multiple domains with one certificate, add multiple -d options.
$ sudo certbot certonly --standalone -d your_domain
When you execute the command, you will be prompted for your email address and a confirmation that you have read and agree to the terms of service. The process should then be successful, and you should receive a notification letting you know where your certificates are kept.
Output
IMPORTANT NOTES:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your_domain/fullchain.pem
Key is saved at: /etc/letsencrypt/live/your_domain/privkey.pem
This certificate expires on 2022-02-10.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
You should now have your certificates. In the next step we'll look at some of the files that were downloaded and how they are used.
Step 3 — Configuring Your Application
Configuring your application for SSL is outside the scope of this article, since each application has different requirements and configuration options. Let's look at what Certbot has downloaded for us, though. Use ls to list the directory that holds our keys and certificates:
$ sudo ls /etc/letsencrypt/live/your_domain
The output will be:
Output
cert.pem chain.pem fullchain.pem privkey.pem README
More details about these files can be found in the README file located in this directory. Typically, only two of these files are required:
1. privkey.pem:
This is the private key for the certificate. Because it must be kept secret, most of the /etc/letsencrypt directory has very strict permissions and is accessible only by the root user. In application configuration this file is typically referred to by a name such as ssl-certificate-key or ssl-certificate-key-file.
2. fullchain.pem:
This is our certificate, bundled together with all of the intermediate certificates. Most software uses this file as the actual certificate and refers to it in its configuration by a name such as ssl-certificate.
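Because /etc/letsencrypt is readable only by root, a service running under its own account usually cannot read privkey.pem in place, and it also needs to pick up the new files after each automatic renewal. The script below is an added example, not part of the original tutorial: a Certbot deploy hook that copies fullchain.pem and privkey.pem into a directory the service account can read, with the key kept group-readable only, and then reloads the service. The destination directory, service user and group, and reload command are placeholders you must adjust; RENEWED_LINEAGE is the environment variable Certbot sets for deploy hooks.

```shell
#!/bin/sh
# Certbot deploy hook: copy the renewed certificate and key out of
# /etc/letsencrypt (readable only by root) into a directory the service
# account can read, then reload the service. Certbot exports RENEWED_LINEAGE
# (the live directory of the renewed certificate) to deploy hooks.
set -eu

# Assumed placeholders (not from the original tutorial): adjust per service.
DEST_DIR=/etc/your_service/tls
SERVICE_USER=your_service_user
SERVICE_GROUP=your_service_group
RELOAD_CMD="systemctl reload your_service"

# Copy fullchain.pem and privkey.pem from the lineage directory $1 into $2,
# owned by $3:$4. The certificate is left world-readable (0644); the key is
# readable only by its owner and group (0640). Returns 1 if a file is missing.
deploy_certs() {
    lineage="$1" dest="$2" owner="$3" group="$4"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest"              # directory keeps the normal umask (traversable)
    umask 077                     # new files start private, opened up below
    # Write to temporary names first and rename, so a service that re-reads
    # its certificate never sees a half-written file.
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$lineage/privkey.pem"   "$dest/privkey.pem.tmp"
    chown "$owner:$group" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"
    chmod 0640 "$dest/privkey.pem.tmp"
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# When invoked by Certbot, RENEWED_LINEAGE is set: deploy and reload. When run
# by hand without it, do nothing, so the function can be sourced and tested.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" "$DEST_DIR" "$SERVICE_USER" "$SERVICE_GROUP"
    $RELOAD_CMD
fi
```

Installed as an executable file under /etc/letsencrypt/renewal-hooks/deploy/, the script runs after every successful renewal; you can also pass it once with certbot's --deploy-hook option.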
In this article, we installed the Certbot Let's Encrypt client and used standalone mode to download an SSL certificate. You should now have a good starting point for using Let's Encrypt certificates with services other than your usual web server.