How to enable SSL on your website for FREE using Let’s Encrypt and Cloudflare DNS

Welcome to my first post! In my journey of purchasing a domain name and a managed WordPress service, I thought I would share my experience in enabling SSL/HTTPS on my blog site.

Which domain hosting services should I use?

I went with Namecheap for my domain host because they had the best pricing for domains and also offered a managed WordPress application that was relatively cheap per year. If you need a shared WordPress service for more site customization, you might want to compare pricing with other companies like Host Gator or Go Daddy.

O’er the land of the free SSL

Let’s Encrypt is a free service that offers 90-day SSL certificates, because having more websites with SSL/HTTPS enabled promotes a more secure internet overall. Unfortunately Namecheap does not support Let’s Encrypt natively, since they offer their own SSL service for a fee. Before Let’s Encrypt can issue an SSL certificate it has to verify that you own the domain. Normally that means another application called Certbot has to verify files that you manually upload to the website to prove you actually control that site. Luckily I was able to find a way to use a DNS challenge instead, which means I don’t have to upload any files to my website. I just need to run a script that contacts Let’s Encrypt, and it will generate/renew the certificates. Since I’ve just started this website, I haven’t tried renewing yet, but I guess I’ll find out in 90 days (see the UPDATE below to automate renewal). I’ll update the blog with a quick post when that happens to let you know how it goes. The instructions are below:

Installation environment and instructions

I’m using macOS 10.14 Mojave, so these are the instructions for that environment. Steps may differ on other versions or operating systems. We will use Cloudflare for the DNS servers so we can use Dehydrated with a Cloudflare hook to generate SSL certificates using DNS-01 challenges. This way we don’t need to run Certbot or copy any files manually to the website using SFTP.
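To show what the DNS-01 challenge actually proves, here is an added example (not code from this post, from Dehydrated or from the Cloudflare hook) that computes the _acme-challenge TXT value from a challenge token and the account key thumbprint, and performs the same comparison the Let’s Encrypt server does; the JWK and token are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed sample values (not real ACME data): an RSA account key as a JWK
# with a shortened modulus, and a challenge token in the shape Let's Encrypt issues.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQ"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """ACME uses base64url (RFC 4648 section 5) with the '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def account_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 of the required members, keys sorted,
    no whitespace. For an RSA key the required members are e, kty and n."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT record content for a DNS-01 challenge (RFC 8555 section 8.4):
    base64url(SHA-256(token '.' thumbprint)). Dehydrated computes this value
    and hands it to the hook's deploy_challenge step, which creates the record."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(domain: str) -> str:
    """The record lives at _acme-challenge.<domain>; a wildcard name such as
    *.example.com is validated at _acme-challenge.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def validate_dns01(token: str, thumbprint: str, txt_records: list) -> bool:
    """The check the ACME server performs: at least one TXT record at the
    challenge name must equal the expected value exactly. A stale record from
    an earlier run does not count, which is why the hook's clean_challenge
    step should remove records after validation."""
    expected = dns01_txt_value(token, thumbprint)
    return any(record == expected for record in txt_records)


if __name__ == "__main__":
    thumb = account_thumbprint(SAMPLE_JWK)
    print(challenge_record_name("thedavidnguyenblog.xyz"), "TXT",
          dns01_txt_value(SAMPLE_TOKEN, thumb))
```

Only the holder of the account private key can produce a valid key authorization, so publishing the record proves control of the zone without touching the web host.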

1. Create a free Cloudflare account at https://dash.cloudflare.com/login and add your domain.

2. Add Cloudflare name servers to your Namecheap account under Custom DNS.

Image: Cloudflare primary and secondary DNS servers

3. Install Dehydrated following the instructions on this page and run the hook: https://github.com/kappataumu/letsencrypt-cloudflare-hook

  • Make sure you include the Cloudflare email and API key per the instructions.
  • Make sure you are in the dehydrated folder when you run the hook.
  • Make sure to specify your domain in the hook command; in my case it was:
    ./dehydrated -c -d thedavidnguyenblog.xyz -t dns-01 -k 'hooks/cloudflare/hook.py'
  • If successful, the certificates will be downloaded to a “certs” folder in your “dehydrated” folder.

4. Make a copy of the fullchain pem file and rename it to .crt instead of .pem.

5. Make a copy of the privkey pem file and rename it to .key instead of .pem.

6. In your EasyWP dashboard, go to Domains; below it you can upload the .crt file under SSL Certificates and the .key file under Private Key.

EasyWP Domains Menu

7. Click the slider to enable SSL on your website.

It may take a few minutes for everything to update, but your website should now be automatically redirected to https instead of http.

(UPDATE) To automate the renewal process before the 90-day expiration date, you will need to create a config file and a domains.txt file in your “dehydrated” folder, and create a cron job that runs every month to check for renewals. Go to your “dehydrated” folder (for this example, I’ll assume it’s in the home directory).

  • cd ~/dehydrated
  • sudo nano config
    • Here you will replace the placeholders YOUR_EMAIL and YOUR_API_KEY with your own values (8 lines):
    • # cloudflare settings
      export CF_EMAIL="YOUR_EMAIL"
      export CF_KEY="YOUR_API_KEY"
      # letsencrypt.sh
      export CHALLENGETYPE="dns-01"
      export CONTACT_EMAIL="YOUR_EMAIL"
      export HOOK="hooks/cloudflare/hook.py"
      export RENEW_DAYS="60"
  • sudo nano domains.txt
    • Here you will replace YOUR_DOMAIN.com with your own domain (1 line):
    • YOUR_DOMAIN.com www.YOUR_DOMAIN.com
  • env EDITOR=nano crontab -e
    • Here you will add the following (1 line):
    • 0 0 1 * * cd ~/dehydrated && ./dehydrated -c
  • ctrl+O and press enter to save, ctrl+x to exit.
  • You can check your cron jobs using the following command:
    • crontab -l

This will execute on the 1st of every month. If your computer is asleep or shut down at that time, it will execute on the next day that it is turned on.

(Optional) I also enabled DNSSEC on both Cloudflare and Namecheap. You will need to input some data from Cloudflare into the Namecheap Advanced DNS settings for your site.

1. Go to your Cloudflare account under DNS.

Cloudflare DNS Menu Settings

2. Scroll down to DNSSEC, enable it, and find the information you need to input on Namecheap’s website.

Cloudflare DNSSEC Settings

3. Log into your Namecheap account and go to Domain List > Advanced DNS and input the Key Tag, Algorithm, Digest Type and Digest.

Namecheap DNSSEC Menu Settings

4. Click the slider to enable DNSSEC.

I hope you enjoyed that tutorial! Feel free to leave any comments or questions below.

Sources:
https://www.cloudflare.com/
https://www.namecheap.com/
https://letsencrypt.org/
https://dehydrated.io/
https://github.com/lukas2511/dehydrated
https://github.com/kappataumu/letsencrypt-cloudflare-hook
