Tl;dr
In this post I will show you how to obtain a free SSL certificate from Let’s Encrypt using MacOS and Certbot. Thereafter, you can install the certificate on your website using cPanel, Plesk, Webmin etc.
Introduction
These days it is a de facto requirement to serve your website over HTTPS using an SSL certificate. Why? If your site doesn’t use HTTPS, most browsers show a warning to users, your SEO might be negatively affected (more info) and you expose your users to security issues that are easy to prevent (e.g man-in-the-middle attacks). So, just use an SSL certificate and avoid all these problems.
However, you usually have to pay money to a company like AWS, Godaddy etc in order to get a certificate from a well-known certificate authority. Luckily, Let’s Encrypt is an organization that issues SSL certificates for free to the public, and they are reputable. They were created by the Internet Security Research Group (with members like Chrome, Mozilla, Cisco, the Bill and Melinda Gates Foundation etc) and aim to facilitate an Internet where all websites communicate over HTTPS even if the site’s owner does not have money to buy SSL certificates on a recurring basis.
Getting a certificate: your options
Broadly speaking, you can use Let’s Encrypt to generate certificates in three ways:
- Using the automated system that your hosting company provides: There are hosting companies that enable you to add certificates from Let’s Encrypt by default. They include Squarespace, OVHCloud, Dreamhost etc and you can find the full list here. However, but I don’t know if they all give you a certificate for free. So if they don’t, let’s see your second option. It is guaranteed to give you one for free.
- Configuring your server to use Let’s Encrypt to generate and auto-renew certificates: This option works for many server+operating system combos. Once set up, you can essentially get certificates for free for ever. Check out this page to see if this is available for your server+operating system combo. You mostly need to SSH into your server, run some commands, and that’s it. However if this won’t work for you, no worries, there still is a solution for you.
- Generating a certificate by yourself and installing it on your server: You can use your Mac to get an SSL certificate issued by Let’s Encrypt then install it on your website. That is what this post is focused on, so I will outline the required step.
Required
- A computer running MacOS.
- A reliable internet connection.
- Some level of comfort with running commands in a terminal (called a command prompt in Windows).
- Homebrew: this is software that helps you install other software on a Mac. You can find instructions for installing it here.
Manually creating a free SSL certificate
- Open a terminal: press
Cmd + Space
, search for “terminal.app” and click the application called “Terminal”. - Install certbot: use Homebrew to install cerbot by running the following command in a terminal:
brew install certbot
If the command fails with an error that there is “no formula, cask or GitHub repo with a name like ‘certbot'” no worries. You can solve that by uninstalling Homebrew, installing it again and then trying the above command again. - Create a directory for Let’s Encrypt to save to: Create a directory in a location you like (e.g in your home directory, your Desktop directory etc) and give it a name you want. Let’s say we want to use
YOUR_HOME_DIR/lets-encrypt
. We can create the said directory by running this command:mkdir ~/lets-encrypt
Later, you will tell Let’s Encrypt to save its output in this directory. Otherwise, Let’s Encrypt will write to/etc/letsencrypt
, and you may not have the permissions needed to access some of the contents in that location. (NB: on Linux/Unix-like/MacOS computers, the~
symbol (the tilde) is shorthand for the home directory of the current user.) - You will have to prove that you own the domain: Before getting an SSL certificate for a domain, you need to prove to Let’s Encrypt that you own it. To do this, you need to solve a “challenge”. That is, do something that you would not be able to do if you didn’t own the domain and have admin access to it. You can do this by either uploading a file to a specific path on your server (called the HTTP challenge) or you need to add a certain DNS record to your domain (called the DNS challenge). I think the HTTP challenge is easier. I also think it should be faster for Let’s Encrypt’s servers to notice to it since DNS changes might take a while to propagate. So proceed below.
- Tell certbot you want a free SSL certificate: Enter this command to run certbot and start the process for getting a certificate:
certbot certonly --manual --key-type rsa --preferred-challenges=http --config-dir ~/lets-encrypt --work-dir ~/lets-encrypt --logs-dir ~/lets-encrypt
Also, note that Certbot now defaults to generating ECDSA certificates. So use the--key-type rsa
flag to make it generate RSA certificates instead.
If you prefer the DNS challenge, use--preferred-challenges=dns
. For details about all the options given to the command above, check this documentation. - [OPTIONAL] Provide an email address for renewal alerts: Let’s Encrypt can send you reminders when your certificate is about to expire, so it will ask for an email address it can reach you on. This is not required but I strongly recommend that you supply a valid and active email address of yours.
- Specify the domains you want a certificate for: certbot will ask you to supply a comma-separated list of the domains that you need a certificate for. (NB: one certificate will be issued for all of the domains you list. If you want multiple certificates, you need to run certbot multiple times.) Let’s say your domains are
"hackmylinux.com, mail.hackmylinux.com, www.hackmylinux.com"
. Supply them as a comma-separated list and pressEnter
. - Solve the HTTP challenge: Next, certbot will generate some file names and file contents for you to make available from the root of your domain by placing the files in some directory, usually
YOUR_SERVER/.well-known/SOME_DIR
. Follow the instructions it provides and at the end you should be able to openyour-domain.com/SOME_FILE_NAME
in a browser.
For example, let’s say you are using cPanelo toFile Manager >> the "public_html" directory >> the ".well-known" directory
and put the files there. If you can’t see.well-known
, click Settings in the top right of File Manager and tickShow Hidden Files (dotfiles)
. - Obtain your SSL certificate: When certbot succeeds, it will generate a certificate and private key that it will save at
~/lets-encrypt/live/hackmylinux.com/fullchain.pem
and~/lets-encrypt/live/hackmylinux.com/privkey.pem
respectively. Proceed to install those on your server and that’s all! - PRO TIP: You can use the command below to specify your email, the domains you want certificates for and your consent to the Terms of Service all as part of the initial command:
certbot certonly \
--manual \
--key-type rsa \
--email <YOUR_EMAIL_ADDRESS> \
-d "<YOUR_DOMAINS_IN_A_COMMA_SEPARATED_LIST>" \
--agree-tos \
--preferred-challenges=http \
--config-dir ~/lets-encrypt \
--work-dir ~/lets-encrypt \
--logs-dir ~/lets-encrypt
Conclusion
Generating a free SSL certificate using Let’s Encrypt and certbot is easy. Once you do it once or twice, you will be comfortable with it all. Other servers and operating systems even make the certificate generation and renewal process way easier, possibly even automated. (See here.) The only drawback to creating a certificate on MacOS is that their certificate only lasts 3 months. Nonetheless, if you now have a free and reliable way to generate certificates for your website until you are ready start paying for some.
If you have any comments, questions or suggestions, please let me know in the comments section below.
PS: Guess where we got the SSL certificate we are using for Hack My Linux?
Great tutorial, thx. The only thing which is troublesome is the need for manual renew every few monts. Is there a way to make it automatic?
Hi Ron.
Thanks for your compliments. And I’m sorry for the delayed response.
Some server software have a way to automatically update the SSL certificate every few months. Those are listed by Certbot below:
https://certbot.eff.org/instructions
For example if you set the server options to say you are running on “nginx” and “Ubuntu 20”, you’ll be shown instructions for setting up Certbot to install and auto-renew an SSL certificate for you.
I hope that helps.
Best regards,
Folusho.
Well, everything worked for me up until the last sentence: “Proceed to install those on your server.” When I drag the private key file (the real file, not the alias) into the “add server” box in OS Server, it tells me it doesn’t understand the format. It doesn’t reject the fullchain file, but lodges it under “extra non-identity certificates” rather than “your public certificate,” same as it does with the remaining two files.
My OS Server is running on a 2011 Mini running Sierra, the last OS that Server (calendars) will run under. After fighting for hours with brew, which no longer works on Sierra, I generated the keys by using a more modern Mac but pointing the certificate process to the genuine server machine. After six hours of fighting, so close, and yet so far!
Do you have any advice for me?
The folks at Let’s Encrypt diagnosed my problem overnight.
Mac OS Server is too old to accept the default SCDSA certificates — one has to specify “–key-type rsa” in the command line, then it eats them right up.
Thanks for posting these instructions, they were a great cookbook resource.
You’re very welcome Macs R We. Glad to help. As a matter of fact I will update some of the commands used in this tutorial because it seems that the default type of key generated by Certbot is no longer RSA but seems to be ECDSA. I’ll add the flag that makes it behave as expected.