How to get free SSL Certificates

Ben Lee
April 6, 2017

I recently discovered a free service that can provide SSL certificates. It’s called Let’s Encrypt and in the correct use cases, it’s a great tool to have in your developer’s arsenal.
At this point, I should point out a few things worth knowing.

  • The certificate has a life of 90 days but you can renew it
  • You can’t get a wildcard certificate
  • I struggled with getting this to work in Windows environment so I’d personally recommend this only if you are using Linux. If you are in Windows and need short term access to an SSL certificate I would suggest you get a free 90-day certificate from Comodo instead
  • It only works if your HTTP server is exposed to the internet
  • AWS provide a free service to take care of this if you are using and Elastic Load Balancer or Amazon CloudFront

For this tutorial, I’ll go through the steps of getting a certificate and using it on your Apache 2.0 HTTP server.

Prerequisites for this are:

  • AWS EC2 with Ubuntu AMI on a T2.nano or bigger instance
  • You have setup the network & security groups for global HTTP/HTTPS access
  • You have registered your server in domain name

Setup Steps:

SSH onto your server and run the following commands
To make lifer easier run all your commands as a root

sudo su

Install Apache 2.0 Web Server and start it

apt-get install apache2
service apache2 start

Install the Certbot agent used to get the certificate

add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-apache

Get your certificate. Replace  <YOUR_FDQN_HERE> with your server’s fully qualified domain name eg

certbot --debug -v certonly -d <YOUR_FDQN_HERE>

When presented with the below options chose 2

How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin - Beta (apache)
2: Place files in webroot directory (webroot)
3: Spin up a temporary webserver (standalone)

When promoted for a new webroot  enter 1 then the value /var/www/html

When the script completes you will get a confirmation that looks like the one below

- Congratulations! Your certificate and chain have been saved at
Your cert will expire on 2017-07-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"

The next step is to configure Apache. Create the following file /etc/apache2/sites-available/<YOUR_FDQN_HERE>.conf and insert the following text. Change the values in bold to something appropriate

<VirtualHost *:443>
ServerAdmin <youractual@email.address>
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/<YOUR_FDQN_HERE>/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<YOUR_FDQN_HERE>/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/<YOUR_FDQN_HERE>/fullchain.pem

Next, run the following commands

a2enmod ssl
a2ensite <YOUR_FDQN_HERE>
service apache2 restart

Test your website works at this time by going here https://<YOUR_FDQN_HERE>/
The final step is the setup a scheduled job to auto renew the SSL certificate. My example runs once every second month at 3:30 am

crontab -e

Insert the following line into the file then save and exit

30 03 01 */2 * certbot renew

That’s all that needs to be done.
All the code, all the fun – Ben

Ben writes blogs on the technical side of BI, the code, all the code and not much other than the code.

Connect with Ben on LinkedIn or read some of his other blogs here.

Copyright © 2019 OptimalBI LTD.