Apa itu Let’s Encrypt
SSL Certificate digunakan dalam web server untuk mengenkripsi trafik antara server dengan klien, memberikan keamanan ekstra untuk penggunanya yang mengakses web aplikasinya. Let’s Encrypt menyediakan cara mudah untuk mendapatkan dan memasang certificate SSL yang gratis.
Let’s Encrypt adalah sebuah otoritas Certifice Authority (CA) gratis, otomatis dan terbuka yang dijalankan untuk kepentingan publik. Let’s Encrypt merupakan sebuah layanan yang di sediakan oleh pihak Internet Security Research Group (ISRG)
Dengan adanya Let’s Encrypt ini bagi kalian yang ingin menggunakan SSL namun terkendala biaya, maka Let’s Encrypt inilah bisa menjadi alternatif untuk mengaktifkan SSL/HTTPS di sisi server.
Cara Install Lets Encrypt
Untuk cara install Lets Encrypt pastikan dahulu anda telah menginstall LAMP Stack (Baca : Cara Install LAMP) atau LEMP Stack (Baca : Cara Install LEMP) sebagai web service yang anda gunakan. Jika sudah menginstallnya selanjutnya kalian bisa melakukan installasi Let’s Encrypt seperti berikut ini :
CentOS
Pertama install dahulu dependecies centos dengan command berikut ini :
yum -y install epel-release yum -y install yum-utils
Jika kalian menggunakan LAMP Stack kalian bisa install certbot untuk Apache
- Apache
yum -y install certbot-apache
Namun, jika kalian menggunakan LEMP Stack kalian bisa install certbot untuk NGINX
- NGINX
yum -y install certbot-nginx
Untuk generate SSL Let’s Encrypt di LAMP Stack kalian bisa jalankan command
- Apache
certbot-2 --apache
Dan akan muncul output seperti berikut ini :
# certbot-2 --apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: vm.nimetech.com 2: www.vm.nimetech.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1 Cert not yet due for renewal You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry. (ref: /etc/letsencrypt/renewal/vm.nimetech.com.conf) What would you like to do? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: Attempt to reinstall this existing certificate 2: Renew & replace the cert (limit ~5 per 7 days) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1 Keeping the existing certificate Created an SSL vhost at /etc/httpd/vhost/www-le-ssl.conf Deploying Certificate to VirtualHost /etc/httpd/vhost/www-le-ssl.conf Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Redirecting vhost in /etc/httpd/vhost/www.conf to ssl vhost in /etc/httpd/vhost/www-le-ssl.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://vm.nimetech.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=vm.nimetech.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/vm.nimetech.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/vm.nimetech.com/privkey.pem Your cert will expire on 2019-08-12. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Dan untuk generate SSL Let’s Encrypt jika menggunakan NGINX bisa gunakan command :
- NGINX
certbot-2 --nginx
Kemudian akan muncul output seperti berikut ini :
# certbot-2 --nginx Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator nginx, Installer nginx Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: vm.nimetech.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1 Obtaining a new certificate Performing the following challenges: http-01 challenge for vm.nimetech.com Waiting for verification... Cleaning up challenges Resetting dropped connection: acme-v02.api.letsencrypt.org Deploying Certificate to VirtualHost /etc/nginx/nginx.conf Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Redirecting all traffic on port 80 to ssl in /etc/nginx/nginx.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://vm.nimetech.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=vm.nimetech.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/vm.nimetech.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/vm.nimetech.com/privkey.pem Your cert will expire on 2019-08-12. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Ubuntu
Untuk pengguna Ubuntu jika ingin install certbot kalian bisa ikuti command berikut ini :
- Apache
sudo apt install python-certbot-apache
- NGINX
sudo apt install python-certbot-nginx
Dan untuk generate SSL Let’s Encrytpnya bisa kalian gunakan command berikut ini :
- Apache2
certbot -d vm.nimetech.com --apache
Selanjutnya akan muncul output berikut ini :
# certbot -d vm.nimetech.com --apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [email protected] ------------------------------------------------------------------------------- Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory ------------------------------------------------------------------------------- (A)gree/(C)ancel: A ------------------------------------------------------------------------------- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ------------------------------------------------------------------------------- (Y)es/(N)o: Y Obtaining a new certificate Performing the following challenges: http-01 challenge for vm.nimetech.com Enabled Apache rewrite module Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/apache2/sites-available/www-le-ssl.conf Enabled Apache socache_shmcb module Enabled Apache ssl module Deploying Certificate to VirtualHost /etc/apache2/sites-available/www-le-ssl.conf Enabling available site: /etc/apache2/sites-available/www-le-ssl.conf Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Enabled Apache rewrite module Redirecting vhost in /etc/apache2/sites-enabled/www.conf to ssl vhost in /etc/apache2/sites-available/www-le-ssl.conf ------------------------------------------------------------------------------- Congratulations! You have successfully enabled https://vm.nimetech.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=vm.nimetech.com ------------------------------------------------------------------------------- IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/vm.nimetech.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/vm.nimetech.com/privkey.pem Your cert will expire on 2019-08-12. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
- NGINX
certbot -d vm.nimetech.com --nginx
Lalu akan muncul output berikut ini :
# certbot -d vm.nimetech.com --nginx Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator nginx, Installer nginx Cert not yet due for renewal You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry. (ref: /etc/letsencrypt/renewal/vm.nimetech.com.conf) What would you like to do? ------------------------------------------------------------------------------- 1: Attempt to reinstall this existing certificate 2: Renew & replace the cert (limit ~5 per 7 days) ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1 Keeping the existing certificate Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/www Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/www ------------------------------------------------------------------------------- Congratulations! You have successfully enabled https://vm.nimetech.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=vm.nimetech.com ------------------------------------------------------------------------------- IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/vm.nimetech.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/vm.nimetech.com/privkey.pem Your cert will expire on 2019-08-12. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Pengujian
Untuk pengujian atau pengecekan SSL Let’s Encrypt sebenarnya kalian cukup akses url https://namadomain.com seperti contohnya https://vm.nimetech.com. Dan Jika tampilannya seperti berikut ini maka SSL Let’s Encrypt kalian telah terinstall dengan baik dan benar.
Kesimpulan
SSL Let’s Encrypt merupakan solusi bagi Web Developer ketika web aplikasinya ingin menggunakan fitur SSL. Let’s Encrypt merupakan otoritas Certificate Authority (CA) gratis sehingga siapa saja boleh menggunakannya dan bisa menerapkan SSL di web aplikasinya.
Kami NimeTech memberikan fitur Free SSL pada Jasa Manage Server kami, sehingga aplikasi website yang berada di server bisa menggunakan SSL.