The last piece of the jigsaw puzzle in creating a Raspberry Pi web server is to add an SSL certificate to the web site. Web sites need to be accessed over https rather than http for security reasons.
Certbot, a Python client, is installed so that you can obtain an SSL certificate from Let’s Encrypt, either by using your existing web server or by letting Certbot run its own temporary server.
Let’s Encrypt is the best way to easily obtain a secure and certified SSL certificate for your Raspberry Pi completely free.
Before you get started with setting up SSL on your Raspberry Pi, make sure that you have a domain name already set up and pointed at your IP address, as an IP address cannot have a certified SSL certificate.
If you are using Cloudflare as your DNS provider, make sure you have it set to bypass Cloudflare. Cloudflare hides your IP address, which means the Let’s Encrypt tool will fail to verify your Raspberry Pi’s IP address and will not generate an SSL certificate for it.
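A DNS pre-check for the two prerequisites above, as an added example (not part of the original tutorial and not Certbot's own code): it flags a domain that resolves to a Cloudflare proxy address, to a private address, or to anything other than your public IP. The function names, the sample addresses and the embedded snapshot of Cloudflare's published IPv4 ranges are assumptions of this example.

```python
import ipaddress
import socket

# Snapshot of Cloudflare's published IPv4 proxy ranges (cloudflare.com/ips-v4).
# Assumption: the list can change, so refresh it before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def resolve_ipv4(domain):
    """Return the sorted set of A records the local resolver gives for domain."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def preflight(resolved, public_ip):
    """Return a list of DNS problems to fix before requesting a certificate."""
    if not resolved:
        return ["domain has no A record"]
    expected = ipaddress.ip_address(public_ip)
    problems = []
    for text in resolved:
        addr = ipaddress.ip_address(text)
        if addr == expected:
            continue  # this record points straight at the Raspberry Pi
        if any(addr in net for net in CLOUDFLARE_V4):
            problems.append(f"{text}: Cloudflare proxy address, set the record to bypass")
        elif addr.is_private:
            problems.append(f"{text}: private address, not reachable from the internet")
        else:
            problems.append(f"{text}: does not match public IP {public_ip}")
    return problems


if __name__ == "__main__":
    # Constructed sample answers; for a live check pass resolve_ipv4("your.domain").
    for answers in (["203.0.113.10"], ["104.16.1.1"], ["192.168.1.50"]):
        print(answers, preflight(answers, "203.0.113.10") or "ready for certbot")
```

An empty list means every A record points directly at the public IP you supplied; anything else should be fixed in DNS before running Certbot.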
(1) Install the Let’s Encrypt software, called “Certbot”, on your Raspberry Pi as follows.
If you are running Apache, you can install the Certbot module as follows:
(2) With Certbot installed we can proceed with grabbing an SSL certificate for our Raspberry Pi from Let’s Encrypt.
If you are using Apache, the easiest way of grabbing a certificate is by running the command shown below. This will automatically grab the certificate and install it into Apache’s configuration.
Before you do that, you will first have to make sure port 80 and port 443 are port forwarded. Also, if you are using Cloudflare as your DNS provider, you will need to temporarily bypass it as it hides your real IP address.
(3) After running these commands, you will be prompted to enter some details, such as your email address. These details are required for Let’s Encrypt to keep track of the certificates it provides and also allow it to contact you if any issues arise with the certificate.
Once you have filled out the required information, it will proceed to grab the certificate from Let’s Encrypt.
If you run into any issues, make sure you have a valid domain name pointing at your IP, make sure port 80 and port 443 are unblocked, and finally, if you are using Cloudflare as your DNS provider, make sure that you have it currently set to bypass its servers.
The certificates that are grabbed by the Certbot client will be stored in the following folder, swapping out example.com for your own domain name.
You will find both the full chain file (fullchain.pem) and the certificate’s private key file (privkey.pem) within these folders. It is these files that keep your SSL connection secure and identify it as a legitimate connection.