Free SSL Certificates with SSL For Free
Since Chrome (in version 57) and Firefox are starting to distrust Startcom for SSL, you may need to switch to another certificate authority. In this case we are going to use the LetsEncrypt CA through the sslforfree.com website.
Go to www.sslforfree.com and enter the url you wish to create a certificate for (you will need to already own the domain), before clicking the "Create Free SSL Certificate" button.
For this tutorial, we are going to perform manual verfication by adding DNS records. This is because I want to be able to create certificates for sites in my local dev environment that are not accessible on the public web. Click the Manual Verification (DNS) option.
The section below will appear on the page after you clicked the button in the previous step. Click "Manually Verify Domain".
You will now see a section like below. Click the option "I Have My Own CSR".
Configure Your DNS
Navigate to your DNS configuration interface (in my case I go to my domain registrar, namecheap).
Create a new TXT record with the appropriate name and value that was given to you. For example, the screenshot above shows a name of
_acme-challenge.blog.programster.org so I will enter the host value of
_acme-challenge.blog (because the domain automatically gets appended), and a value of
Generate A CSR
Use the following script to generate a CSR and private key.
#!/bin/bash echo -n "Enter the full site name (e.g. blog.mydomain.org): " read MY_SITE # Set these details accordingly. # These should hardly ever need changing, unlike your URL from above. COUNTRY="UK" STATE="Hampshire" CITY="Basingstoke" COMPANY="Programster Ltd" FQDN="$MY_SITE" PARAMS_STRING="/C=$COUNTRY/ST=$STATE/L=$CITY/O=$COMPANY/CN=$FQDN" openssl req -new -newkey \ rsa:2048 \ -keyout $MY_SITE.key \ -out $MY_SITE.csr \ -subj $PARAMS_STRING echo "" echo "decrypting key" openssl rsa \ -in $MY_SITE.key \ -out $MY_SITE.decrypted.key
.csr file in a text editor and copy the contents into the web form.
Check The TXT Record Has Propagated
Whilst you were generating your CSR, hopefully the TXT record has propagated. Check this by using the command like below:
dig _acme-challenge.blog.programster.org TXT
Use the command below to check against a certain registrars DNS servers. For example, this would check against Namecheap:
dig _acme-challenge.blog.programster.org TXT @dns1.registrar-servers.com
If successful, you should get a response that contains something like below:
;; ANSWER SECTION: _acme-challenge.blog.programster.org. 59 IN TXT "GzfxOlbCtW0la1CgIvpQ_bXW-k3ajPwCCHe_QSoUjHw"
Once you see that the TXT record has propagated, click the
Download SSL Certificate button and you will be shown a page like below:
Copy and paste the certificate and CA Bundle textareas into appropriate files and use them in conjunction with the private key you generated earlier, to set up your Nginx or Apache webserver.