tagline: From openSUSE
This page provides basic instructions for using Let's Encrypt SSL certificates on your web server. Let's Encrypt is a free CA. The tool used here is Certbot. Certbot has plugins that read and modify your existing web host configuration, so the installation process is quite simple.
The certbot packages are not shipped in the official repos. You need to add the devel:languages:python repo.
sudo zypper addrepo http://download.opensuse.org/repositories/devel:languages:python/openSUSE_13.2/devel:languages:python.repo
For Leap 42.2 choose this:
sudo zypper addrepo http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_Leap_42.2/devel:languages:python.repo
If you are using Apache as web server:
sudo zypper install certbot python-certbot python-certbot-apache
If you are using Nginx as web server:
sudo zypper install certbot python-certbot python-certbot-nginx
On Leap 42.2, upgrade python-cryptography to >= 1.3.4 if needed.
sudo zypper install python-cryptography-1.8.1
By default, certbot uses a test CA, which will only issue invalid SSL certificates. To use the production CA of Let's Encrypt, you need to edit
# The staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory
# The productive server.
# server = https://acme-v01.api.letsencrypt.org/directory

# The staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# The productive server.
server = https://acme-v01.api.letsencrypt.org/directory
If you are using Apache:
sudo certbot --apache
If you are using Nginx:
sudo certbot --nginx
Certbot then reads all your existing Apache/Nginx virtual host config files and determines which domains can have SSL certificates enabled. After that, an interactive dialog appears:
(Sorry for Chinese characters in screenshot. The left button is "OK", and the right is "Cancel")
In the above dialog, use Up and Down to navigate and the Space key to select or unselect the domains for which you want to enable HTTPS. Then press the Enter key. Next screen:
You can choose whether to redirect HTTP to HTTPS or not. Redirecting is recommended for security. If security is what you want, choose Secure. However, if you have some clients requiring HTTP, choose Easy. Then press Enter. Next screen:
You do NOT need to restart Apache or Nginx server.
Test in browser
Open your web browser, visit your website with a URL starting with "https://", and check that you get a green lock symbol before the URL and that there are no warnings.
You can also test your website on SSL Labs.
Let's Encrypt certificates are only valid for 90 days. To reduce your work, we recommend using crontab to run a renew job every month.
Edit /etc/cron.d/certbot.cron and uncomment the renew line:
# renew all certificates methode: renew
10 5 1 * * root /usr/bin/certbot renew
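The following is an added example, not part of the original page or of the certbot packaging: a small Python simulation of the monthly schedule `10 5 1 * *` against the 90-day lifetime, showing when the first renewal actually happens. It assumes certbot's default behaviour of renewing only certificates with fewer than 30 days remaining; the issuance dates are constructed.

```python
from datetime import datetime, timedelta

LIFETIME = timedelta(days=90)      # certificate validity stated on this page
RENEW_WINDOW = timedelta(days=30)  # assumption: certbot's default renewal threshold


def cron_runs(after):
    """Yield successive firings of '10 5 1 * *' strictly later than `after`."""
    year, month = after.year, after.month
    while True:
        run = datetime(year, month, 1, 5, 10)
        if run > after:
            yield run
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def first_renewal(issued):
    """Return (run, outage): the first cron run that renews, and how long
    the expired certificate was served before that run (zero if none)."""
    expires = issued + LIFETIME
    for run in cron_runs(issued):
        # certbot renew skips certificates that still have >= 30 days left
        if expires - run < RENEW_WINDOW:
            return run, max(run - expires, timedelta(0))


def risky_issue_dates(year):
    """Noon issuance dates in `year` whose certificate expires before renewal."""
    day, risky = datetime(year, 1, 1, 12), []
    while day.year == year:
        if first_renewal(day)[1] > timedelta(0):
            risky.append(day)
        day += timedelta(days=1)
    return risky


if __name__ == "__main__":
    for issued in (datetime(2017, 3, 2, 12), datetime(2017, 3, 15, 12)):  # constructed
        run, outage = first_renewal(issued)
        print(f"issued {issued:%Y-%m-%d}: expires {issued + LIFETIME:%Y-%m-%d %H:%M}, "
              f"renewed {run:%Y-%m-%d %H:%M}, served expired for {outage}")
    print(len(risky_issue_dates(2017)), "issuance dates in 2017 leave a gap")
```

Where the simulation reports a gap, running the same renew job more often (for example daily) closes it, since `certbot renew` does nothing for certificates that are not yet due.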