If you are not familiar with Let's Encrypt, please check out letsencrypt.org for more information.
The quick answer is that they issue SSL certificates for free.
We are not going to cover the installation of VirtualBox or Ubuntu Linux Server other than to say it will be easier to use PuTTY if you enable SSH on your Ubuntu server by default.
- You will need to login to your Ubuntu server and verify the version (see image below). You will use the command: lsb_release -a
- We will want to make sure that the system is up to date, as well. You will use the commands: sudo apt-get update and sudo apt-get upgrade
- You will need to say YES or type Y if asked if it is okay to download (see image below).
Once the installation of any/all updates has completed, reboot your system. Use the command: sudo reboot
After the reboot, we will need to install the certbot client. To do this, we use the command: sudo apt-get install letsencrypt
You will need to say YES or type Y if asked if it is okay to download.
Make a directory called webroot in your home directory to hold all of the information. This is an optional step, but it is done to collect any files or logs.
Once the letsencrypt.org client, certbot, is installed, we can start to get our certificates generated and downloaded.
For this example, we will use the server name le.the-internet-guy.com. We will generate and download certificates for that domain.
Use the command: sudo letsencrypt certonly -w /home/sysadmin/webroot -d le.the-internet-guy.com --manual
- You will be prompted for an email address to link the certificate to (see image below). Enter your email address and hit enter.
You will need to accept the terms and conditions associated with using the letsencrypt.org service (see image below). Tab to Agree and hit enter.
- You will be asked if it is okay to have your IP address logged (see image below). I've always clicked YES, but click NO if you like (I'm not sure what will happen).
- You will then be brought to a page with a large amount of text on it. We are looking for a few key things... the file name and the file contents we need to respond to the challenge (see image below). In our case, we need to make a file called "MUn9u7p8OUxNPwBWXq6HFE1VKxXIULbLzFtGoKQY-1w" with the contents "MUn9u7p8OUxNPwBWXq6HFE1VKxXIULbLzFtGoKQY-1w.Qes-_dxYv3xLpPUGZ-15BoGXNUVu5LzlVk22-KUuuh0".
On your Windows Server, you will need to run Notepad, Wordpad or Notepad++ and create this file. You will need to save it in the root of your web site under the folder ".well-known/acme-challenge". So, in this example, I need to create the file on my server so that http://le.the-internet-guy.com/.well-known/acme-challenge/MUn9u7p8OUxNPwBWXq6HFE1VKxXIULbLzFtGoKQY-1w will respond with MUn9u7p8OUxNPwBWXq6HFE1VKxXIULbLzFtGoKQY-1w.Qes-_dxYv3xLpPUGZ-15BoGXNUVu5LzlVk22-KUuuh0
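Before continuing, the response can be checked from the Ubuntu shell. The script below is an added example, not part of the original walkthrough; its function names and verdict strings are made up for illustration. It compares a response body byte for byte with the expected contents and reports the usual ways a hand-made file goes wrong: a UTF-8 byte-order mark, extra characters, or an error page served instead of the file.

```shell
#!/bin/sh
# Added example: verdict on an HTTP-01 challenge response body.

# URL the CA fetches for a domain ($1) and challenge token ($2).
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Hex-encode stdin as "xx xx ... " so a BOM or CRLF is compared byte for byte.
to_hex() { od -An -v -tx1 | tr '\n' ' ' | tr -s ' ' | sed 's/^ //'; }

# classify_body EXPECTED FILE
# Prints: ok | ok-trailing-ws | bom | mismatch | not-challenge
classify_body() (
    want=$(printf '%s' "$1" | to_hex)
    got=$(to_hex < "$2")
    token=$(printf '%s.' "${1%%.*}" | to_hex)
    case $got in
        "$want") echo ok; exit ;;
        "ef bb bf $want"*) echo bom; exit ;;   # UTF-8 byte-order mark in front
        "$want"*)
            # Trailing CR, LF, space or tab: RFC 8555 8.3 says the CA SHOULD ignore it.
            for b in ${got#"$want"}; do
                case $b in 0d|0a|20|09) ;; *) echo mismatch; exit ;; esac
            done
            echo ok-trailing-ws; exit ;;
        "$token"*) echo mismatch; exit ;;      # right token, wrong remainder
    esac
    echo not-challenge                         # e.g. an HTML error page
)

# Fetch the live URL and classify it (needs curl and network access).
check_live() (
    tmp=$(mktemp) || exit 1
    curl -s --max-time 10 -o "$tmp" "$(challenge_url "$1" "$2")"
    classify_body "$3" "$tmp"
    rm -f "$tmp"
)

# Constructed sample: the page's value saved with a BOM and a CRLF line ending.
KEYAUTH='MUn9u7p8OUxNPwBWXq6HFE1VKxXIULbLzFtGoKQY-1w.Qes-_dxYv3xLpPUGZ-15BoGXNUVu5LzlVk22-KUuuh0'
sample=$(mktemp)
printf '\357\273\277%s\r\n' "$KEYAUTH" > "$sample"
echo "BOM + CRLF sample: $(classify_body "$KEYAUTH" "$sample")"
rm -f "$sample"
```

Against the live server, call check_live with the domain, the file name and the expected contents, and continue only when it prints ok or ok-trailing-ws.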
Once that file is created and the contents of that file are entered (use copy/paste to save time) you can click ENTER.
If you have entered everything right, you will see a congratulations (see image below).
So, at this point, we have now generated the files cert.pem, chain.pem, fullchain.pem and privkey.pem and they are stored in the folder /etc/letsencrypt/live/le.the-internet-guy.com (your domain name will be reflected here, not mine; see image below).
*** NOTE: I needed to use the command sudo su to gain access to the folder
- Although we have our certificates in PEM format, Microsoft Windows only likes (for the most part) PFX certificates. So, we need to convert our PEM to a PFX. Run the command: openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem (see image below).
*** NOTE: You will notice that we were asked to supply a password. This is required for your PFX to be generated.
- We now have a certificate that we can import into IIS on Microsoft Windows. How you get the certificate to your server I will leave up to you. However, I will say that I use WinSCP to copy the certificates to my server.
*** NOTE: You will not have access to the /etc/letsencrypt/live/ directory, so copy your certificates to your home directory.
- On your Windows Server, open IIS Manager and click on your server. You are looking for your Server Certificates item. Double click on the Server Certificates item (see image below).
- Locate and click on the Import action within IIS Manager (see image below).
- Locate and import your certificate (see image below). You will be prompted for the password you assigned to the certificate a few steps above. Enter it and click OK.
- You will then see that your certificate is imported and ready to be used (see image below).
- Once installed, we go back to our website we want to protect. We will click on the Binding action (see image below).
- While in the Site Bindings window, click on "Add" and pick HTTPS and your new certificate (see image below). Click OK when done.
- Now we have a certificate bound to our website. So let's test it (see image below).