Programster's Blog

Tutorials focusing on Linux, programming, and open source

Free SSL Certificates with SSL For Free

Since Chrome (in version 57) and Firefox are starting to distrust StartCom for SSL, you may need to switch to another certificate authority. In this case we are going to use the Let's Encrypt CA through the sslforfree.com website, which acts as a web front-end to Let's Encrypt's ACME API so that you do not need to install a client.

Steps

Go to www.sslforfree.com and enter the hostname you wish to create a certificate for (you will need to already control the domain's DNS), then click the "Create Free SSL Certificate" button.

For this tutorial, we are going to perform manual verification by adding DNS records. This is because I want to be able to create certificates for sites in my local dev environment that are not accessible on the public web. DNS verification only proves that you control the domain's DNS, so the host itself never has to be reachable from the internet. Click the Manual Verification (DNS) option.

The section below will appear on the page after you clicked the button in the previous step. Click "Manually Verify Domain".

You will now see a section like below. Click the option "I Have My Own CSR". Generating the key pair and CSR yourself means you are not trusting a third-party website to generate and hand you your private key; only the CSR, which contains the public key, ever leaves your machine.

Configure Your DNS

Navigate to your DNS configuration interface (in my case I go to my domain registrar, namecheap).

Create a new TXT record with the name and value that were given to you. For example, the screenshot above shows a name of _acme-challenge.blog.programster.org, so I enter a host value of _acme-challenge.blog (Namecheap appends the domain automatically) and a value of GzfxOlbCtW0la1CgIvpQ_bXW-k3ajPwCCHe_QSoUjHw. The value must match exactly, and it is specific to this request: a new token is issued every time you request a certificate, so an old record cannot be reused.

Generate A CSR

Use the following script to generate a CSR and private key. openssl will prompt for the subject fields; enter the site name as the Common Name and leave the challenge password empty. The key is first written protected by a passphrase; the second command writes a copy without the passphrase, which is the one the webserver will load.

#!/bin/bash
set -eu

echo -n "Enter the full site name (e.g. blog.mydomain.org): "
read -r MY_SITE

# 2048-bit RSA key plus a SHA-256 signed CSR. openssl prompts for a
# passphrase for the key and then for the subject fields of the request.
openssl req -new -newkey rsa:2048 -sha256 \
    -keyout "$MY_SITE.key" \
    -out "$MY_SITE.csr"

echo ""
echo "Removing the passphrase from the key (the webserver must load it without prompting)"

openssl rsa \
    -in "$MY_SITE.key" \
    -out "$MY_SITE.decrypted.key"

# Both files contain the private key; keep them readable only by you.
chmod 600 "$MY_SITE.key" "$MY_SITE.decrypted.key"

Open the .csr file in a text editor and copy the whole contents, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into the web form. The names in the CSR must match the hostname you asked sslforfree for.
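The same step done without interactive prompts, plus the two checks worth running before pasting: that the CSR really belongs to the key you kept, and that it names the host you expect. This is an added example and not the post's own script; the site name, output directory, key size and the use of a DNS Subject Alternative Name are assumptions (the post's script only sets a Common Name).

```shell
#!/bin/bash
# Added example (not from the original post): generate the key and CSR without
# interactive prompts, then inspect the CSR before pasting it into the web form.
# The site name, output directory and key size are assumptions.
set -eu

# make_csr SITE OUTDIR
# Writes OUTDIR/SITE.key (no passphrase, readable only by you) and OUTDIR/SITE.csr.
# The request carries SITE as the Common Name and as a DNS Subject Alternative
# Name; the SAN is the field browsers actually check the hostname against.
make_csr() {
    site="$1"; outdir="$2"
    mkdir -p "$outdir"
    umask 077                     # never create a world-readable private key
    cat > "$outdir/$site.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $site
[san]
subjectAltName = DNS:$site
EOF
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -config "$outdir/$site.cnf" \
        -keyout "$outdir/$site.key" \
        -out "$outdir/$site.csr" 2>/dev/null
}

# csr_matches_key CSR KEY
# Succeeds only if the public key inside the CSR is the one belonging to KEY.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
    [ "$csr_pub" = "$key_pub" ]
}

# csr_names CSR
# Prints the subject and every DNS SAN in the CSR so you can eyeball them; the
# names here must match what you asked sslforfree for.
csr_names() {
    openssl req -in "$1" -noout -subject -text | grep -E 'subject=|DNS:'
}

main() {
    site="$1"; outdir="${2:-.}"
    make_csr "$site" "$outdir"
    csr_matches_key "$outdir/$site.csr" "$outdir/$site.key" \
        || { echo "CSR does not match key" >&2; exit 1; }
    csr_names "$outdir/$site.csr"
    echo "Paste $outdir/$site.csr into the form; keep $outdir/$site.key private."
}

# Usage: ./make-csr.sh blog.mydomain.org [output-dir]
if [ $# -ge 1 ]; then main "$@"; fi
```

The key is written with -nodes, so there is no passphrase to strip afterwards; the umask guarantees the .key file is created mode 600 rather than being chmod'ed after the fact.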

Check The TXT Record Has Propagated

By the time you have generated your CSR, the TXT record has hopefully propagated. Check this with a command like the one below. Note that it asks your local resolver, which may serve a cached answer (including a cached "no such record") for up to the TTL; the CA validates against the zone's authoritative nameservers, not your resolver.

dig _acme-challenge.blog.programster.org TXT

Use the command below to query a particular DNS provider's nameserver directly, which sidesteps your resolver's cache. For example, this would check against one of Namecheap's servers:

dig _acme-challenge.blog.programster.org TXT @dns1.registrar-servers.com

If successful, you should get a response that contains something like below:

;; ANSWER SECTION:
_acme-challenge.blog.programster.org. 59 IN TXT "GzfxOlbCtW0la1CgIvpQ_bXW-k3ajPwCCHe_QSoUjHw"

I use this method because using the site's verify link always came back telling me it couldn't find the TXT record. I think it may be having an issue with subdomains.
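The dig checks above, turned into a script that finds the zone's authoritative nameservers itself (so it works for a subdomain like blog.programster.org without knowing the provider's server names) and polls all of them until the token is present on each. This is an added example, not code from the post; the record name, token, retry count and sleep interval are assumptions, and the sample dig output is constructed so the parser can be exercised offline.

```shell
#!/bin/bash
# Added example (not from the original post): check that the ACME TXT record is
# visible on the zone's *authoritative* nameservers, which is where the CA looks.
# Record names, tokens, the retry count and the sleep interval are assumptions.
set -eu

# txt_contains TOKEN
# Reads `dig +short NAME TXT` output on stdin and succeeds if one of the TXT
# records is exactly TOKEN. dig prints each record quoted, and splits strings
# longer than 255 bytes into several quoted chunks on one line.
txt_contains() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' | grep -qxF "$1"
}

# authoritative_ns NAME
# Walks up the labels of NAME until a zone with NS records is found and prints
# those nameservers (for _acme-challenge.blog.example.org that is example.org's).
authoritative_ns() {
    name="$1"
    while :; do
        ns=$(dig +short "$name" NS)
        if [ -n "$ns" ]; then printf '%s\n' "$ns"; return 0; fi
        case "$name" in *.*) name="${name#*.}" ;; *) return 1 ;; esac
    done
}

# wait_for_acme_txt NAME TOKEN [TRIES]
# Polls every authoritative nameserver until all of them return TOKEN, so the
# validation you trigger afterwards cannot hit a server that has not updated yet.
wait_for_acme_txt() {
    name="$1"; token="$2"; tries="${3:-30}"
    servers=$(authoritative_ns "$name") \
        || { echo "no NS records found above $name" >&2; return 1; }
    while [ "$tries" -gt 0 ]; do
        missing=0
        for server in $servers; do
            dig +short "$name" TXT @"$server" | txt_contains "$token" || missing=1
        done
        [ "$missing" -eq 0 ] && return 0
        tries=$((tries - 1))
        sleep 10
    done
    echo "$name TXT record still missing on some authoritative servers" >&2
    return 1
}

# Constructed sample of `dig +short _acme-challenge.blog.example.org TXT`
# output, with the token from the post, so the parser can be tried offline.
SAMPLE_DIG_SHORT='"v=spf1 -all"
"GzfxOlbCtW0la1CgIvpQ_bXW-k3ajPwCCHe_QSoUjHw"'

# Usage: ./check-txt.sh _acme-challenge.blog.mydomain.org <token>
if [ $# -ge 2 ]; then
    wait_for_acme_txt "$1" "$2" && echo "$1 is ready for validation"
else
    printf '%s\n' "$SAMPLE_DIG_SHORT" \
        | txt_contains GzfxOlbCtW0la1CgIvpQ_bXW-k3ajPwCCHe_QSoUjHw \
        && echo "offline sample: token found"
fi
```

Only once wait_for_acme_txt succeeds is it worth clicking the site's verify button; a resolver-cached "no record" answer (the 59-second TTL in the dig output above shows the answer came from a cache) is the usual reason a validation attempt fails right after the record was added.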

Click Submit

Once you see that the TXT record has propagated, click the Download SSL Certificate button and you will be shown a page like the one below:

Copy and paste the certificate and CA Bundle textareas into appropriate files and use them, together with the decrypted private key you generated earlier, to set up your Nginx or Apache webserver. Nginx expects the certificate followed by the CA Bundle in a single file (ssl_certificate) and the passphrase-free key in ssl_certificate_key; Apache 2.4.8 and later accept the same combined file in SSLCertificateFile, while older versions take the bundle separately in SSLCertificateChainFile. Keep the key file readable only by root and the webserver. Let's Encrypt certificates are valid for 90 days, so plan to repeat these steps (with a fresh TXT token) before then.
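The install step as a script, so the usual mistakes are caught before the webserver is reloaded: a certificate that does not belong to the key, a chain that does not verify, and a bundle that was not appended for nginx. This is an added example and not the post's code; the destination paths, the site name and the nginx settings (including TLS 1.3, which needs nginx 1.13+ built against OpenSSL 1.1.1+) are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): assemble the files sslforfree gives
# you into what nginx expects, and verify them before reloading the server.
# Paths, the site name and the nginx settings are assumptions.
set -eu

# cert_matches_key CERT KEY
# Succeeds only if CERT was issued for the public key belonging to KEY
# (catches pasting the wrong certificate, or using the wrong key file).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
    [ "$cert_pub" = "$key_pub" ]
}

# verify_chain CERT BUNDLE [ROOTS]
# Builds the chain CERT -> BUNDLE (the intermediate CA) -> a trusted root.
# With no ROOTS the system trust store is used, which is what a real client
# does; passing the bundle as -CAfile instead would wrongly treat the
# intermediate as a trust anchor.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
    else
        openssl verify -untrusted "$2" "$1" >/dev/null
    fi
}

# install_site SITE CERT BUNDLE KEY DEST
# nginx wants the leaf certificate followed by the CA bundle in ONE file, and
# the key without a passphrase (the .decrypted.key from the script above).
install_site() {
    site="$1"; cert="$2"; bundle="$3"; key="$4"; dest="$5"
    cert_matches_key "$cert" "$key" \
        || { echo "certificate does not match key" >&2; return 1; }
    mkdir -p "$dest"
    umask 077
    cat "$cert" "$bundle" > "$dest/$site.fullchain.pem"
    cp "$key" "$dest/$site.key"
    chmod 644 "$dest/$site.fullchain.pem"   # the chain is public; only the key is secret
    cat > "$dest/$site.conf" <<EOF
server {
    listen 443 ssl;
    server_name $site;
    ssl_certificate     $dest/$site.fullchain.pem;
    ssl_certificate_key $dest/$site.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
}

# Usage: ./install-cert.sh blog.mydomain.org certificate.crt ca_bundle.crt \
#            blog.mydomain.org.decrypted.key /etc/nginx/ssl
if [ $# -eq 5 ]; then
    install_site "$1" "$2" "$3" "$4" "$5"
    verify_chain "$2" "$3" && echo "chain OK; reload nginx to activate $1"
fi
```

For Apache 2.4.8 or later, point SSLCertificateFile at the same fullchain file and SSLCertificateKeyFile at the key; the generated nginx snippet is written to DEST/SITE.conf for you to include from the main configuration.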