Today I came across a list of SaaS, PaaS and IaaS offerings that have free tiers of interest to developers and infrastructure engineers. Some free DNS providers are on the list. I had long wanted a domain name for my website with SSL enabled, so I took action immediately.
I chose freedom.com as my free domain name provider, selected a one-year free domain and "purchased" it free of charge.

After binding my IP address to the domain name, I got the management interface shown below. It also provides other services, such as URL forwarding and creating and managing custom nameservers for the domain.

DNS management interface

Next, it's time to arm your domain with a certificate. As for why we need a certificate, I think this post will convince you with some compelling reasons. There are many CAs that issue certificates, and I chose the most popular free certificate authority, named "Let's Encrypt". It is convenient to deploy, and renewal can be automated with certbot. For my operating system (Arch Linux) and web server (Apache), I got the following instruction:

# installing the certbot
sudo pacman -S certbot-apache

But before configuring the certificate with certbot, we need to set up a virtual host on port 80 in /etc/httpd/conf/httpd.conf, as follows:

<VirtualHost *:80>
    ServerAdmin haung7tjsl
    ServerName domain-name.com
    ServerAlias www.domain-name.com
    ErrorLog "/var/log/httpd/node-error_log"
    CustomLog "/var/log/httpd/node-access_log" common

    ProxyRequests off

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>

We also need to enable mod_rewrite and mod_ssl in /etc/httpd/conf/httpd.conf; otherwise we get the errors "Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration" and "Cannot find an SSLCertificateFile directive in /files/etc/httpd/conf/extra/nextcloud-le-ssl.conf/IfModule/VirtualHost. VirtualHost was not modified", as described in post A and post B.
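A quick preflight for the module requirement just described, as an added example that is not from the post: it scans an httpd.conf for uncommented LoadModule lines and reports which of mod_rewrite and mod_ssl are still disabled, which is cheaper than discovering it from the two error messages above. The sample configuration is constructed; on a real Arch system you would point check_conf_file at /etc/httpd/conf/httpd.conf.

```python
import re

# Constructed sample of an httpd.conf in which mod_ssl is still commented out.
SAMPLE_CONF = """\
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
"""

# Modules certbot --apache relies on, and the directives that fail without them.
REQUIRED_MODULES = {
    "rewrite_module": "RewriteEngine / RewriteRule (the HTTP -> HTTPS redirect certbot writes)",
    "ssl_module": "SSLEngine / SSLCertificateFile in the generated *-le-ssl.conf",
}

# Apache directives are case-insensitive; a LoadModule line is "LoadModule <name> <path>".
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+\S+", re.IGNORECASE)


def loaded_modules(conf_text):
    """Return the set of module names enabled by uncommented LoadModule lines."""
    loaded = set()
    for line in conf_text.splitlines():
        if line.strip().startswith("#"):
            continue  # commented-out directive, not active
        m = LOADMODULE_RE.match(line)
        if m:
            loaded.add(m.group(1))
    return loaded


def missing_modules(conf_text, required=REQUIRED_MODULES):
    """Names of required modules that are not loaded, in REQUIRED_MODULES order."""
    loaded = loaded_modules(conf_text)
    return [name for name in required if name not in loaded]


def check_conf_file(path):
    """Same check against a configuration file on disk."""
    with open(path, encoding="utf-8") as fh:
        return missing_modules(fh.read())


if __name__ == "__main__":
    for name in missing_modules(SAMPLE_CONF):
        print(f"missing: LoadModule {name} (needed for {REQUIRED_MODULES[name]})")
```

The check reads only the file it is given; a module loaded from a file pulled in through an Include directive is not seen, so treat a "missing" report as a prompt to look, not as a verdict.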

Then run certbot to deploy the certificate; on success you receive the following message:

$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your-domain.com
2: www.your-domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/your-domain.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/httpd/conf/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Enabling site /etc/httpd/conf/httpd-le-ssl.conf by adding Include to root configuration
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf/httpd.conf to ssl vhost in /etc/httpd/conf/httpd-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://your-domain.com and
https://www.your-domain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your-domain.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.your-domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your-domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your-domain.com/privkey.pem
Your cert will expire on 2018-12-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

I also chose to redirect all requests to HTTPS. The certificate is valid for 3 months; to receive an expiration notice by email before it expires, register an address with your account as described in the official post:

sudo certbot register --update-registration --email xxx@xxx.com
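
The "certbot renew" that the output above points at only helps if something runs it regularly, so here is a systemd service and timer pair for it. This is an added example, not part of the post; it assumes certbot is installed at /usr/bin/certbot and that the Apache unit is named httpd, as on Arch, and the unit file names certbot-renew.service and certbot-renew.timer are my own choice.

```ini
# /etc/systemd/system/certbot-renew.service (added example; file name is an assumption)
[Unit]
Description=Renew Let's Encrypt certificates with certbot
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
# --deploy-hook runs only when a certificate was actually renewed,
# so Apache is reloaded to pick up the new files only when needed.
ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload httpd"

# /etc/systemd/system/certbot-renew.timer (added example; file name is an assumption)
[Unit]
Description=Run certbot renew twice a day

[Timer]
# Twice daily with a random delay: a failed attempt is retried well
# before the 30-day renewal window closes, and load on the CA is spread out.
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
```

Enable it with "systemctl enable --now certbot-renew.timer" and confirm with "systemctl list-timers". One caveat that matters for the wildcard certificate later in this post: a certificate obtained with the manual plugin cannot be renewed unattended unless a --manual-auth-hook script is configured to publish the DNS TXT record, so "certbot renew" will report an error for that certificate until one is added.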

What's more, on Jan 5 2018, Let's Encrypt started to support ACME v2, which brings wildcard certificates. But the distributions' certbot packages still needed time to catch up, so, following Getting wildcard certificates with Certbot, I chose the second option and installed it manually.

First, download the installer script:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

and then run the following command to obtain the wildcard certificate (the wildcard is quoted so the shell cannot expand it as a glob):

./certbot-auto certonly \
  --manual \
  -d '*.example.com' \
  -d example.com \
  --preferred-challenges dns-01 \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --debug

  • certonly: obtain or renew a certificate, but do not install it
  • manual: obtain certificates interactively, or using a shell script
  • preferred-challenges: use the dns-01 challenge to prove ownership of the domain
  • server: the endpoint to request the wildcard certificate from; currently only the acme-v02 endpoint supports it
  • debug: use the virtualenv-based installation

During the process, certbot displays a TXT record to add to your DNS.

DNS txt record

./certbot-auto certonly --manual -d \*.your-domain.com -d your-domain.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --debug

Requesting to rerun ./certbot-auto with root privileges...
[sudo] admin password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for your-domain.com
dns-01 challenge for your-domain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.your-domain.com with the following value:

kv40uFGWGujDtM1kd8SLkQa8aHkJKT_b3pP1y3G5PsM

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.your-domain.com with the following value:

QeuTiWaDbwYg-wLlOadfKt_03JkLG34_htFV_fg_52I

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your-domain.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your-domain.com-0001/privkey.pem
Your cert will expire on 2019-01-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
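
The two values certbot asked for above are not arbitrary: for a dns-01 challenge the TXT value is base64url(SHA-256(token "." account-key-thumbprint)) (RFC 8555 section 8.4, thumbprint per RFC 7638), and both the apex name and the wildcard are validated under the same name _acme-challenge.your-domain.com, so the second record must be added beside the first, not in its place. The following Python is an added example, not from the post and not certbot's code; it reproduces that computation and checks a resolver's TXT answer against the expected values before you press Enter. The JWK and the resolver answer are constructed; the two expected values are the ones from the transcript above; published_txt() assumes the dnspython package is installed.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an account key: SHA-256 over the canonical JSON of the
    required members only, keys sorted lexicographically, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value certbot prints for a dns-01 challenge (RFC 8555 section 8.4)."""
    key_authorization = token + "." + thumbprint
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    """Apex and wildcard share one TXT name: *.example.com -> _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base


def missing_records(answer_strings, expected_values):
    """Expected TXT values absent from a resolver answer. Answer strings may still
    carry the quotes dig prints; those are stripped before comparing."""
    present = {s.strip('"') for s in answer_strings}
    return [v for v in expected_values if v not in present]


def published_txt(name: str):
    """Live lookup of the TXT records at `name` (assumes the dnspython package)."""
    import dns.resolver  # not in the standard library
    answer = dns.resolver.resolve(name, "TXT")
    return [b"".join(rdata.strings).decode("ascii") for rdata in answer]


# The two values certbot asked for in the transcript above (one per identifier).
EXPECTED_FROM_CERTBOT = [
    "kv40uFGWGujDtM1kd8SLkQa8aHkJKT_b3pP1y3G5PsM",
    "QeuTiWaDbwYg-wLlOadfKt_03JkLG34_htFV_fg_52I",
]

# Constructed resolver answer: the operator replaced the first record with the
# second instead of adding a second record next to it.
CONSTRUCTED_ANSWER = ['"QeuTiWaDbwYg-wLlOadfKt_03JkLG34_htFV_fg_52I"']


def demo():
    """Which of the expected values are still missing from the constructed answer."""
    return missing_records(CONSTRUCTED_ANSWER, EXPECTED_FROM_CERTBOT)


if __name__ == "__main__":
    name = challenge_name("*.your-domain.com")
    for value in demo():
        print(f"{name} is missing TXT {value}; do not press Enter yet")
```

In practice you would replace CONSTRUCTED_ANSWER with published_txt(challenge_name("your-domain.com")) and query the domain's authoritative nameservers rather than a caching resolver, since a cached empty answer can outlive the moment you added the record.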

Since I used the manual option, I need to edit /etc/httpd/conf/httpd.conf myself to configure the sub-domains. An example:

<VirtualHost *:80>
    ServerName sub.your-domain.com
    ErrorLog "/var/log/httpd/domain1.com-error_log"
    CustomLog "/var/log/httpd/domain1.com-access_log" common
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =sub.your-domain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName sub.your-domain.com
    ErrorLog "/var/log/httpd/domain1.com-error_log"
    CustomLog "/var/log/httpd/domain1.com-access_log" common
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/your-domain.com-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com-0001/privkey.pem
</VirtualHost>

Then restart Apache (httpd).

The "certbot certificates" command shows the status of your current certificates.