Use a Mac and Let's Encrypt to generate free SSL certificates

Create Free SSL Certificates on MacOS Using Let’s Encrypt

Tl;dr

In this post I will show you how to obtain a free SSL certificate from Let’s Encrypt using MacOS and Certbot. Thereafter, you can install the certificate on your website using cPanel, Plesk, Webmin etc.

Introduction

These days it is a de facto requirement to serve your website over HTTPS using an SSL certificate. Why? If your site doesn’t use HTTPS, most browsers show a warning to users, your SEO might be negatively affected (more info) and you expose your users to security issues that are easy to prevent (e.g. man-in-the-middle attacks). So, just use an SSL certificate and avoid all these problems.

However, you usually have to pay money to a company like AWS, GoDaddy etc. in order to get a certificate from a well-known certificate authority. Luckily, Let’s Encrypt is an organization that issues SSL certificates for free to the public, and they are reputable. They were created by the Internet Security Research Group (with members like Chrome, Mozilla, Cisco, the Bill and Melinda Gates Foundation etc.) and aim to facilitate an Internet where all websites communicate over HTTPS even if the site’s owner does not have money to buy SSL certificates on a recurring basis.

Getting a certificate: your options

Broadly speaking, you can use Let’s Encrypt to generate certificates in three ways:

  • Using the automated system that your hosting company provides: There are hosting companies that enable you to add certificates from Let’s Encrypt by default. They include Squarespace, OVHCloud, Dreamhost etc. and you can find the full list here. However, I don’t know if they all give you a certificate for free. If they don’t, look at your second option; it is guaranteed to give you one for free.
  • Configuring your server to use Let’s Encrypt to generate and auto-renew certificates: This option works for many server+operating system combos. Once set up, you can essentially get certificates for free forever. Check out this page to see if this is available for your server+operating system combo. You mostly need to SSH into your server, run some commands, and that’s it. However, if this won’t work for you, no worries, there is still a solution for you.
  • Generating a certificate by yourself and installing it on your server: You can use your Mac to get an SSL certificate issued by Let’s Encrypt, then install it on your website. That is what this post is focused on, so I will outline the required steps.

Required

  • A computer running MacOS.
  • A reliable internet connection.
  • Some level of comfort with running commands in a terminal (called a command prompt in Windows).
  • Homebrew: this is software that helps you install other software on a Mac. You can find instructions for installing it here.

Manually creating a free SSL certificate

  • Open a terminal: press Cmd + Space, search for “terminal.app” and click the application called “Terminal”.
  • Install certbot: use Homebrew to install certbot by running the following command in a terminal:

    brew install certbot

    If the command fails with an error that there is “no formula, cask or GitHub repo with a name like ‘certbot’”, no worries. You can solve that by uninstalling Homebrew, installing it again and then trying the above command again.
  • Create a directory for Let’s Encrypt to save to: Create a directory in a location you like (e.g in your home directory, your Desktop directory etc) and give it a name you want. Let’s say we want to use YOUR_HOME_DIR/lets-encrypt. We can create the said directory by running this command:

    mkdir ~/lets-encrypt

    Later, you will tell Let’s Encrypt to save its output in this directory. Otherwise, Let’s Encrypt will write to /etc/letsencrypt, and you may not have the permissions needed to access some of the contents in that location. (NB: on Linux/Unix-like/MacOS computers, the ~ symbol (the tilde) is shorthand for the home directory of the current user.)
  • You will have to prove that you own the domain: Before getting an SSL certificate for a domain, you need to prove to Let’s Encrypt that you own it. To do this, you need to solve a “challenge”. That is, do something that you would not be able to do if you didn’t own the domain and have admin access to it. You can do this either by uploading a file to a specific path on your server (called the HTTP challenge) or by adding a certain DNS record to your domain (called the DNS challenge). I think the HTTP challenge is easier. I also think it should be faster for Let’s Encrypt’s servers to notice it, since DNS changes might take a while to propagate. So proceed below.
  • Tell certbot you want a free SSL certificate: Enter this command to run certbot and start the process for getting a certificate:

    certbot certonly --manual --key-type rsa --preferred-challenges=http --config-dir ~/lets-encrypt --work-dir ~/lets-encrypt --logs-dir ~/lets-encrypt

    Also, note that Certbot now defaults to generating ECDSA certificates. So use the --key-type rsa flag to make it generate RSA certificates instead.

    If you prefer the DNS challenge, use --preferred-challenges=dns. For details about all the options given to the command above, check this documentation.
  • [OPTIONAL] Provide an email address for renewal alerts: Let’s Encrypt can send you reminders when your certificate is about to expire, so it will ask for an email address it can reach you on. This is not required but I strongly recommend that you supply a valid and active email address of yours.
  • Specify the domains you want a certificate for: certbot will ask you to supply a comma-separated list of the domains that you need a certificate for. (NB: one certificate will be issued for all of the domains you list. If you want multiple certificates, you need to run certbot multiple times.) Let’s say your domains are "hackmylinux.com, mail.hackmylinux.com, www.hackmylinux.com". Supply them as a comma-separated list and press Enter.
  • Solve the HTTP challenge: Next, certbot will generate some file names and file contents for you to make available from the root of your domain by placing the files in some directory, usually YOUR_SERVER/.well-known/SOME_DIR. Follow the instructions it provides and at the end you should be able to open your-domain.com/SOME_FILE_NAME in a browser.
    For example, if you are using cPanel, go to File Manager >> the "public_html" directory >> the ".well-known" directory and put the files there. If you can’t see .well-known, click Settings in the top right of File Manager and tick Show Hidden Files (dotfiles).
  • Obtain your SSL certificate: When certbot succeeds, it will generate a certificate and private key that it will save at ~/lets-encrypt/live/hackmylinux.com/fullchain.pem and ~/lets-encrypt/live/hackmylinux.com/privkey.pem respectively. Proceed to install those on your server and that’s all!
  • PRO TIP: You can use the command below to specify your email, the domains you want certificates for and your consent to the Terms of Service all as part of the initial command:

    certbot certonly \
    --manual \
    --key-type rsa \
    --email <YOUR_EMAIL_ADDRESS> \
    -d "<YOUR_DOMAINS_IN_A_COMMA_SEPARATED_LIST>" \
    --agree-tos \
    --preferred-challenges=http \
    --config-dir ~/lets-encrypt \
    --work-dir ~/lets-encrypt \
    --logs-dir ~/lets-encrypt
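Before copying fullchain.pem and privkey.pem to your server, it is worth confirming that the two files belong together, that the certificate really is RSA (the point of --key-type rsa above) and how long it is still valid. The script below is an added example, not part of the original post or of certbot; it assumes openssl is on your PATH (it ships with MacOS) and the live/<domain> layout certbot writes under the --config-dir used above.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the files certbot
# wrote before installing them on the server. Assumes openssl is on PATH and
# certbot's layout: <config-dir>/live/<domain>/{fullchain,privkey}.pem
set -u

# Succeed only if the private key corresponds to the leaf certificate.
# Both commands emit the same SubjectPublicKeyInfo PEM, so the text can be compared.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Print the public key algorithm of the leaf certificate: "rsaEncryption"
# (what --key-type rsa produces) or "id-ecPublicKey" (certbot's ECDSA default).
cert_key_algorithm() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}

# Succeed if the leaf certificate is still valid for at least $2 more days.
# openssl's -checkend avoids date-parsing differences between MacOS and Linux.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all three checks on one certbot live directory and report.
check_live_dir() {
  dir="$1"
  cert="$dir/fullchain.pem"; key="$dir/privkey.pem"
  cert_key_match "$cert" "$key" \
    || { echo "FAIL: privkey.pem does not match fullchain.pem"; return 1; }
  echo "key algorithm: $(cert_key_algorithm "$cert")"
  if cert_valid_for_days "$cert" 30; then
    echo "OK: certificate valid for more than 30 days"
  else
    echo "WARN: certificate expires within 30 days; renew before installing"
  fi
}

# Usage: sh check-cert.sh ~/lets-encrypt/live/hackmylinux.com
if [ -n "${1-}" ]; then check_live_dir "$1"; fi
```

A Let’s Encrypt certificate is issued for 90 days, so the 30-day warning corresponds to the point at which certbot would normally attempt a renewal.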

Conclusion

Generating a free SSL certificate using Let’s Encrypt and certbot is easy. Once you have done it once or twice, you will be comfortable with it all. Other servers and operating systems make the certificate generation and renewal process even easier, possibly even automated. (See here.) The only drawback of creating a certificate on MacOS this way is that the certificate only lasts 3 months. Nonetheless, you now have a free and reliable way to generate certificates for your website until you are ready to start paying for some.

If you have any comments, questions or suggestions, please let me know in the comments section below.

Thanks for reading!

PS: Guess where we got the SSL certificate we are using for Hack My Linux?

5 comments

  1. Great tutorial, thx. The only thing which is troublesome is the need for manual renew every few months. Is there a way to make it automatic?

    1. Hi Ron.

      Thanks for your compliments. And I’m sorry for the delayed response.

      Some server software has a way to automatically update the SSL certificate every few months. Those are listed by Certbot below:
      https://certbot.eff.org/instructions

      For example if you set the server options to say you are running on “nginx” and “Ubuntu 20”, you’ll be shown instructions for setting up Certbot to install and auto-renew an SSL certificate for you.

      I hope that helps.

      Best regards,
      Folusho.

  2. Well, everything worked for me up until the last sentence: “Proceed to install those on your server.” When I drag the private key file (the real file, not the alias) into the “add server” box in OS Server, it tells me it doesn’t understand the format. It doesn’t reject the fullchain file, but lodges it under “extra non-identity certificates” rather than “your public certificate,” same as it does with the remaining two files.

    My OS Server is running on a 2011 Mini running Sierra, the last OS that Server (calendars) will run under. After fighting for hours with brew, which no longer works on Sierra, I generated the keys by using a more modern Mac but pointing the certificate process to the genuine server machine. After six hours of fighting, so close, and yet so far!

    Do you have any advice for me?

  3. The folks at Let’s Encrypt diagnosed my problem overnight.
    Mac OS Server is too old to accept the default ECDSA certificates — one has to specify “--key-type rsa” in the command line, then it eats them right up.
    Thanks for posting these instructions, they were a great cookbook resource.

    1. You’re very welcome Macs R We. Glad to help. As a matter of fact I will update some of the commands used in this tutorial because it seems that the default type of key generated by Certbot is no longer RSA but seems to be ECDSA. I’ll add the flag that makes it behave as expected.
