How to Encrypt a Site Hosted on a Raspberry Pi with Certbot
The following instructions show you how to encrypt a site hosted on a Raspberry Pi.
The software used to create a valid certificate for your website is called “Certbot”. If you are running Apache, you can install the Certbot module for it; otherwise, install the standard version of Certbot.
Creating a New Certificate:
For Apache:
sudo apt-get install python-certbot-apache
For Everything Else:
sudo apt-get install certbot
With Certbot installed, you can proceed with grabbing an SSL certificate for your Raspberry Pi from Let’s Encrypt. There are a couple of ways of handling this.
If you are not using Apache, you can skip this step. If you are using Apache, the easiest way of grabbing a certificate is to run the command shown below. It will automatically grab the certificate and install it into Apache’s configuration.
Before you do that, you will first have to make sure that ports 443 and 80 are open (not blocked by your ISP), then run the following command:
certbot --apache
If you are not running Apache, there are two different ways to go about grabbing a certificate from Let’s Encrypt. With the Certbot software, you can grab the certificate either by using its standalone Python server or by using the web root of an existing website.
Utilizing the standalone built-in web server is incredibly easy, though first, you will have to make sure your port 80 is unblocked and forwarded. Make sure you replace example.com with the domain name you intend on utilizing.
certbot certonly --standalone -d example.com -d www.example.com
Using the web root requires a bit more knowledge than using the built-in web server. Make sure /var/www/example points to a working website directory that can be reached from the internet. Also, make sure to replace example.com with the domain name you are using for your website.
certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com
After running these commands, you will be prompted to enter some details, such as your email address. These details are required for Let’s Encrypt to keep track of the certificates it provides, and they also allow Let’s Encrypt to contact you if any issues arise with the certificate.
Once you have filled out the required information, it will proceed to grab the certificate from Let’s Encrypt.
If you run into any issues, make sure you have a valid domain name pointing at your IP, make sure port 80 and port 443 are unblocked, and finally, if you are using Cloudflare as your DNS provider, make sure that you have it currently set to bypass its servers.
The certificates that are grabbed by the Certbot client will be stored in the following folder, with example.com swapped out for your own domain name.
/etc/letsencrypt/live/example.com/
You will find both the full chain file (fullchain.pem) and the certificate’s private key file (privkey.pem) within this folder. Make sure you don’t allow others to access these files, as they are what keep your SSL connection secure and identify it as a legitimate connection.
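As an added example (not part of the original guide), the script below checks the two files named above: that privkey.pem carries no group or other permission bits, and that fullchain.pem is not about to expire. The function names and the 30-day default are assumptions chosen for this example; it expects GNU stat (as on Raspberry Pi OS) and the openssl command.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a Certbot "live" directory.
# Assumes GNU stat (as on Raspberry Pi OS) and the openssl CLI.

# key_is_private FILE
# Returns 0 if FILE has no group/other permission bits, 1 if it does,
# 2 if it cannot be inspected. -L follows symlinks, because the files
# under live/ are symlinks into ../../archive/.
key_is_private() {
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# cert_valid_for DAYS FILE
# Returns 0 if the first certificate in FILE is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# audit_live_dir DIR [DAYS]
# Prints one line per check; returns the number of problems found.
audit_live_dir() {
    dir=$1 days=${2:-30} problems=0
    if key_is_private "$dir/privkey.pem"; then
        echo "OK   privkey.pem has no group/other access"
    else
        echo "FAIL privkey.pem is missing or accessible to group/other"
        problems=$((problems + 1))
    fi
    if cert_valid_for "$days" "$dir/fullchain.pem"; then
        echo "OK   fullchain.pem is valid for at least $days more days"
    else
        echo "FAIL fullchain.pem is missing or expires within $days days"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run only when a directory is given, for example:
#   sudo sh audit.sh /etc/letsencrypt/live/example.com
if [ "$#" -gt 0 ]; then
    audit_live_dir "$@"
fi
```

A FAIL on privkey.pem is corrected by removing group and other access from the key file in the archive directory; a FAIL on fullchain.pem means the certificate is due for renewal.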
How to Renew Your Certificate
You will need to open port 80 and port 443 (see above).
Run the following command:
certbot
This will renew your certificate for another 90 days.