Why Do You Need SSL Certificates?
Keeping your SSL certificate up to date is crucial for ensuring a secure and encrypted connection between your website and its visitors. Let’s Encrypt is a great option for website owners that value security without incurring extra fees because the renewal procedure is easy, automatic, and totally free.
To prevent security breaches, data transmitted over the internet must be encrypted. Encryption is a process which converts plain text into an unreadable format at the sender’s end and restores it to its original form at the receiver’s end. This process relies on asymmetric cryptography, which uses two keys:
- Public Key – Shared openly and used to encrypt data.
- Private Key – Kept secret by the server and used to decrypt data.
When you visit a secure website, the server provides its public key to your browser, which then encrypts the data before sending it. Only the private key, which is held securely by the server, can decrypt this information. As long as the private key remains confidential, communication between your browser and the server stays secure.
Because SSL certificates guarantee that any information you send stays private and secure, websites that use HTTPS (rather than plain HTTP) are safer. Therefore, SSL encryption prevents your data from getting into the wrong hands, whether you’re entering personal information, credit card numbers, or login passwords.
Who issues these certificates?
SSL certificates are issued by Certificate Authorities (CAs)—trusted organizations responsible for verifying the identity of websites and issuing digital certificates. CAs verify that a website is genuine and that its encryption is set up correctly.
Popular Certificate Authorities (CAs):
- Let’s Encrypt
- DigiCert
- GlobalSign
- GoDaddy
- and a few more…
So we will talk about one of the most popular CAs, Let’s Encrypt, which issues free certificates.
Let’s Encrypt is a free, automated, and open Certificate Authority (CA) that provides SSL/TLS certificates to secure websites. Below is an end-to-end process of how Let’s Encrypt works on an Ubuntu system.
Ways of issuing certificates using Let’s Encrypt
Let’s Encrypt uses a protocol called ACME (Automated Certificate Management Environment) to issue and manage certificates.
To issue a certificate, Let’s Encrypt needs to verify that you own the domain. This is done through a challenge-response mechanism. For example:
- HTTP Challenge: Let’s Encrypt gives you a unique token, and you place it in a specific file on your web server.
- DNS Challenge: You need to add a specific DNS record to your domain’s configuration.
Once the challenge is completed, Let’s Encrypt knows you control the domain.
Let’s Encrypt certificates are valid for 90 days. This short lifetime encourages automation and ensures that certificates are replaced well before they expire. Renewing a certificate repeats the validation process.
Manual Mode (For Custom Web Servers):
In this mode, you request the certificate by hand and prove control of the domain by publishing a TXT record during the run.
sudo certbot certonly --manual --preferred-challenges dns -d example.com -d www.example.com
(The `--manual` and `--standalone` authenticators are mutually exclusive; Certbot refuses to run if both flags are given, so only `--manual` is used here.) The command prompts you to create a TXT record at your DNS provider, which proves to Let’s Encrypt that you control the domain.
Once that is done, the certificate is issued and stored at the path:
/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem
/etc/letsencrypt/live/example.com/cert.pem
Automated Mode (Recommended):
This mode is used when you want Certbot to obtain the certificate and also configure a web server such as Apache or Nginx.
When the command below is run, Certbot obtains the certificate and writes the HTTPS configuration into the Apache or Nginx configuration itself.
sudo certbot --apache -d example.com -d www.example.com
This command:
- Obtains a certificate from Let’s Encrypt.
- Modifies the web server configuration to enable HTTPS.
- Configures automatic redirection from HTTP to HTTPS.
When you install Certbot, it automatically creates a systemd timer or cron job to check for certificate renewals twice a day. Certbot will attempt renewal only if the certificate is expiring within the next 30 days.
Checking Renewal Timer
Run the following command to check if the systemd timer is enabled:
systemctl list-timers | grep certbot
In this way, the timer runs on its own and renews the certificate by verifying the token at the path /var/www/html/.well-known/acme-challenge/XYZ123.
Let’s Encrypt makes an HTTP request to http://example.com/.well-known/acme-challenge/XYZ123. If the file is accessible and contains the correct token, verification succeeds.
For this to work, port 80 must be reachable from the public internet: the HTTP challenge is served over plain HTTP, so automatic renewal fails if that port is firewalled.
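Both challenge types described above (the HTTP token file and the DNS TXT record) derive their values from the ACME account key. The following is an added example, not code from the original post or from Certbot: it computes those values as RFC 8555 and RFC 7638 specify, and shows the check a webroot-style client should perform before using a CA-supplied token as a file name. The JWK and token are illustrative sample values, and /var/www/html is the webroot used on this page.

```python
import base64
import hashlib
import json
import re
from pathlib import Path

# RFC 7638: only these members, sorted by name, feed the thumbprint ("alg", "use", "kid" never do).
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
# RFC 8555 s8.3: a token is unpadded base64url with at least 128 bits of entropy (22+ chars).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON of the required members only: sorted keys, no whitespace."""
    required = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    return json.dumps(required, sort_keys=True, separators=(",", ":"))

def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01: the exact body served at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01: TXT value for _acme-challenge.<domain> is SHA-256 of the key authorization."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())

def challenge_file_path(webroot: str, token: str) -> Path:
    """Where a webroot-style client writes the HTTP-01 file. The CA chooses the token,
    so anything outside the base64url alphabet is rejected before it can touch a path."""
    if not TOKEN_RE.match(token):
        raise ValueError(f"refusing suspicious ACME token: {token!r}")
    return Path(webroot) / ".well-known" / "acme-challenge" / token

# Illustrative sample values only; not a real account key or a token issued to anyone.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print("HTTP-01 body:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01 TXT  :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print("file path   :", challenge_file_path("/var/www/html", SAMPLE_TOKEN))
```

Certbot performs these steps for you; the example is useful when auditing what a challenge file or TXT record should contain, or when writing a custom ACME client.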
Debugging Auto-Renewal Issues
If auto-renewal fails, check the logs:
sudo journalctl -u certbot --no-pager
Or check the Certbot log:
sudo cat /var/log/letsencrypt/letsencrypt.log
Architecture
Conclusion
By following this process, you can install and manage Let’s Encrypt certificates on Ubuntu and secure your web applications with HTTPS.
Additionally, you can monitor the health and expiration status of your HTTP/TCP endpoints along with SSL certificates using Prometheus Blackbox Exporter. This allows you to set up proactive alerts and ensure your website remains secure at all times.
A secure website not only safeguards user data but also boosts your credibility and search engine rankings. So, make sure your Let’s Encrypt SSL certificate is always renewed on time and consider monitoring it with tools like Blackbox Exporter for enhanced reliability!
I’m a DevOps Engineer with 3 years of experience, passionate about building scalable and automated infrastructure. I write about Kubernetes, cloud automation, cost optimization, and DevOps tooling, aiming to simplify complex concepts with real-world insights. Outside of work, I enjoy exploring new DevOps tools, reading tech blogs, and playing badminton.