Free SSL certs

No more excuses for HTTP traffic websites.

Big corps (including PayPal, Google and lastly WordPress) have announced that they will require hosts to have SSL (or HTTPS) available for certain services, APIs, webhooks and OAuth.
First of all, I assume your site is loading perfectly via and you are on a private network (that is, you are the only owner of the IP address you are using).

Install the certbot client

Go to this website and simply select your operating system and the web-server client. Follow the steps to install certbot-auto. In my case, I used the following couple of lines.

chmod a+x certbot-auto

Next you need a very simple config.ini file. I put mine under /etc/letsencrypt/config.ini; it includes the following. Don’t forget to change “” to your email address.
rsa-key-size = 4096
email =
Our certificate client is now ready; it will allow us to install and update the certificate.

Create the SSL certificate

Go to the directory where you installed your certbot-auto client and simply run the following commands. Don’t forget to change to your domain name (and, of course, the directory of the files).

certbot-auto certonly --webroot -w /var/www/html/domain1 -d -d -w /var/www/html/domain1/sub -d --config /etc/letsencrypt/config.ini --agree-tos --keep
certbot-auto certonly --webroot -w /var/www/html/domain2 -d -d -w /var/www/html/domain2/sub -d --config /etc/letsencrypt/config.ini --agree-tos --keep

You can run the code above for your other domains/subdomains similarly.

If everything goes smoothly (hopefully, it will), it will generate the certificate files under /etc/letsencrypt/live/ and /etc/letsencrypt/live/. We will use them in the next step.

Attach them to your domain

Now edit your SSL configuration file at /etc/httpd/conf.d/ssl.conf and copy the code below for each domain/subdomain.

<VirtualHost *:443>
    DocumentRoot "/var/www/html/domain1"
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLCertificateChainFile /etc/letsencrypt/live/
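    # Disables SSLv2 and SSLv3 only; TLS 1.0 and 1.1 stay enabled where the build supports them
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
</VirtualHost>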

Let’s automate it to renew after 90 days

Certificates generated by Let’s Encrypt are valid for only 90 days. You need to renew the certificate before it expires so there is no downtime for your HTTPS traffic. I use crontab for this, with the entry below.

0 0 1 * * /var/www/
And my looks like this…
#!/bin/bash
# Renew Let's Encrypt SSL cert
/opt/letsencrypt/letsencrypt-auto renew --config /etc/letsencrypt/config.ini --agree-tos

if [ $? -ne 0 ]
then
        # Renewal failed: mail the last lines of the Let's Encrypt log
        ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
        echo -e "The Lets Encrypt Cert has not been renewed! \n \n" "$ERRORLOG" | mail -s "Lets Encrypt Cert Alert" "FIX IT! :)"
else
        # Renewal succeeded: reload Apache so it picks up the new certificate
        service httpd reload
fi
exit 0

Please note that we pipe the result to the well-known mail command, so you get a notification if the renewal fails. Feel free to change the script the way you want it. And do not forget to comment below if you find this post useful.
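
The renew command exits with status 0 when no certificate is due yet, so the script above only reports hard failures. As an added example (not part of the original post), the following checks the certificates on disk with openssl's -checkend option; cert.pem is certbot's standard file name, while the 20-day threshold and the --check flag are assumptions made here.

```shell
#!/bin/bash
# Added example, not from the original post. Constructed defaults (assumptions):
# LIVE_DIR is certbot's live directory, MIN_DAYS is the warning threshold.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
MIN_DAYS="${MIN_DAYS:-20}"

# cert_valid_for CERT_FILE DAYS
#   0 = still valid DAYS days from now
#   1 = expired, or expires within DAYS days
#   2 = file missing or not a parseable certificate
cert_valid_for() {
    local cert="$1" days="$2"
    [ -r "$cert" ] || return 2
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1
}

# expiring_certs DIR DAYS
#   Checks DIR/<name>/cert.pem for every certificate name, prints one line per
#   problem and returns the number of problems (0 = all certificates are fine).
expiring_certs() {
    local dir="$1" days="$2" bad=0 cert rc
    for cert in "$dir"/*/cert.pem; do
        [ -e "$cert" ] || continue      # the glob matched nothing
        rc=0
        cert_valid_for "$cert" "$days" || rc=$?
        case "$rc" in
            0) ;;
            1) echo "EXPIRING: $cert has less than $days days left"
               bad=$((bad + 1)) ;;
            *) echo "UNREADABLE: $cert"
               bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Only act when called with --check, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    expiring_certs "$LIVE_DIR" "$MIN_DAYS"
    exit $?
fi
```

Run it from cron with --check after the renewal job; it prints nothing and exits 0 when every certificate has more than the threshold left.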
