Let’s Encrypt – SSL Certs for Free

Warning: there is no wildcard feature

Installation

From binaries

apt-get install certbot
#apt-get install python-certbot-apache
#apt-get install python-certbot-nginx

From source

git clone https://github.com/certbot/certbot.git
cd certbot/

Non-HTTP / standalone

In case you need a certificate for something other than HTTP (the standalone authenticator binds port 80 itself, so stop whatever listens there first),

./certbot-auto -h
./certbot-auto certonly --standalone -d DOMAIN.TLD

HTTP / certonly

Requirements

Assuming you already have an HTTP daemon up and running, make sure http://DOMAIN.TLD/.well-known/ is reachable on port 80 (the HTTP-01 challenge is served from there).

vhost=VHOST
mkdir -p /data/www/$vhost/.well-known/
echo "<p>ok" > /data/www/$vhost/.well-known/check.html
unset vhost

and then check from a remote host (the variable is unset above, so spell out the name),

curl -s http://DOMAIN.TLD/.well-known/check.html

Method 1 (Recommended)

You are ready to proceed

./letsencrypt-auto -h
./letsencrypt-auto certonly

Answer the questions

2
email
a
y
DOMAIN.TLD
/path/to/www

and write down the expiration date.

Method 2

certbot certonly -d DOMAIN.TLD

2: Place files in webroot directory (webroot)
1: Enter a new webroot
Input the webroot for mx.nethence.com: (Enter 'c' to cancel): /path/to/www

Acceptance

ls -lhF /etc/letsencrypt/
ls -lhF /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem
ls -lhF /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem

Check,

cat /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem
openssl x509 -in /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem -text -noout

Maintenance

Display certificates,

certbot certificates

Revoke,

certbot revoke --cert-path path/to/cert...

Delete a certificate (interactive),

certbot delete

Renewals

DO NOT FORGET TO KEEP THE SERVICE UP ON PORT 80, otherwise the renewal validation fails. Beware that there are only 5 attempts per hour: https://letsencrypt.org/docs/rate-limits/

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems.

all at once

Let’s do it every month, a few days before the expiration date

crontab -e

0 HOUR DAY * * cd /root/certbot && git pull && ./letsencrypt-auto renew
#certbot renew

TODO: also make sure the SSL engine (the daemon serving the certificate) gets reloaded after a renewal, otherwise it keeps the old certificate in memory. For that you can play with --renew-hook.
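A renewal hook that reloads only the daemons concerned by the lineage just renewed, addressing the TODO above. This is an added example, not code from the original page or from the certbot project; it relies on certbot exporting RENEWED_LINEAGE and RENEWED_DOMAINS to the hook given with --renew-hook (nowadays --deploy-hook), and the domain-to-service mapping and service names are constructed assumptions to adapt.

```shell
#!/bin/sh
# Hook run by certbot once per renewed lineage, e.g.:
#   certbot renew --deploy-hook /root/reload-hook.sh
# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/DOMAIN.TLD)
# and RENEWED_DOMAINS (space-separated hostnames) for the hook.

# Which daemon serves a given hostname (hypothetical mapping, adapt it).
service_for_domain() {
    case "$1" in
        mx.*|mail.*) echo postfix ;;
        www.*)       echo nginx ;;
        *)           echo "" ;;   # unknown host: nothing to reload
    esac
}

# Print the de-duplicated list of services to reload for the
# space-separated domains in "$1".
services_to_reload() {
    out=""
    for d in $1; do
        s=$(service_for_domain "$d")
        [ -n "$s" ] || continue
        case " $out " in
            *" $s "*) ;;              # already listed
            *) out="$out $s" ;;
        esac
    done
    echo "${out# }"
}

# Sanity-check a lineage directory before touching any daemon: both PEM
# files must be non-empty and privkey.pem must not be world-readable.
lineage_ok() {
    dir=$1
    [ -s "$dir/fullchain.pem" ] || return 1
    [ -s "$dir/privkey.pem" ]   || return 1
    [ -z "$(find "$dir/privkey.pem" -perm -o=r)" ] || return 1
    return 0
}

# Entry point used by certbot; a no-op when the variables are absent.
if [ -n "${RENEWED_LINEAGE:-}" ] && [ -n "${RENEWED_DOMAINS:-}" ]; then
    lineage_ok "$RENEWED_LINEAGE" || { echo "refusing to reload: $RENEWED_LINEAGE looks wrong" >&2; exit 1; }
    for s in $(services_to_reload "$RENEWED_DOMAINS"); do
        systemctl reload "$s" || { echo "reload of $s failed" >&2; exit 1; }
    done
fi
```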

per domain

You may want to avoid the renewal of all certs at once (unless you manage to deal with hooks properly).

To renew a specific domain with the same command as initially,

certbot certonly -d DOMAIN.TLD

Trash

obsolete

#apt-get install software-properties-common
#add-apt-repository ppa:certbot/certbot
#apt-get update
