Let’s Encrypt – SSL Certs for Free

FROM SOURCE

git clone https://github.com/certbot/certbot.git
cd certbot/

DEBIAN/UBUNTU INSTALL

apt-get install certbot
#apt-get install python-certbot-apache
#apt-get install python-certbot-nginx

STANDALONE

In case you do not have a web server running on that host yet (certbot answers the HTTP challenge itself on port 80):

./certbot-auto -h
./certbot-auto certonly --standalone -d DOMAIN.TLD

WEBSERVER PORT 80

If you already have a web server up and running, let it serve the challenge files from its document root:

domain=DOMAIN.TLD
./certbot-auto certonly --webroot -w /data/www/$domain -d $domain
#./certbot-auto certonly --webroot -w /data/www/DOMAIN1 -d DOMAIN1 -w /data/www/DOMAIN2 -d DOMAIN2

Method 1 (Recommended)

You are ready to proceed

./letsencrypt-auto -h
./letsencrypt-auto certonly

Answer the questions

1: Nginx Web Server plugin (nginx)
    OR 3: Place files in webroot directory (webroot)
YOUR EMAIL ADDRESS
(A)gree/(C)ancel: a
(Y)es/(N)o: 
DOMAIN.TLD
/var/www/html
    OR /data/www/domain.tld

Check thoroughly that both files exist and that the validity period is what you expect:

ls -lkF /etc/letsencrypt/live/domain.tld/fullchain.pem
ls -lkF /etc/letsencrypt/live/domain.tld/privkey.pem
openssl x509 -noout -text -in /etc/letsencrypt/live/domain.tld/fullchain.pem | grep -A3 Valid

and write down the expiration date.

Method 2

certbot certonly -d DOMAIN.TLD

2: Place files in webroot directory (webroot)
1: Enter a new webroot
Input the webroot for mx.nethence.com: (Enter 'c' to cancel): /path/to/www

Acceptance

ls -lhF /etc/letsencrypt/
ls -lhF /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem
ls -lhF /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem

Check,

cat /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem
openssl x509 -in /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem -text -noout

Maintenance

Display certificates,

certbot certificates

Revoke,

certbot revoke --cert-path path/to/cert...

Delete a certificate (interactive),

certbot delete

Renewals

DO NOT FORGET TO KEEP THE SERVICE UP ON PORT 80 for that matter. Beware that there is a limit of 5 failed validation attempts per hour: https://letsencrypt.org/docs/rate-limits/

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems.

all at once

Let’s do it every month, a few days before the expiration date

crontab -e

0 HOUR DAY * * cd /root/certbot && git pull && ./letsencrypt-auto renew
#certbot renew

TODO: also make sure the service doing the TLS (the web server, the MTA, ...) gets reloaded in there, but only when a certificate was actually renewed. For that you can play with --renew-hook (called --deploy-hook in newer certbot releases), which only runs after a successful renewal.
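As an added example (not part of these notes), a small POSIX sh script that cron can call instead of the raw renew line: it reads the notAfter date that openssl prints for the live fullchain.pem, works out the days left without relying on GNU date, and only then runs certbot renew with a deploy hook, so nginx is reloaded solely when a certificate was really replaced. The 30-day threshold, nginx as the TLS server and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: renew only when the live cert is
# close to expiry, and reload nginx only when certbot actually replaced it.
# Assumptions: 30-day threshold, nginx as the TLS server, certbot in PATH.
set -eu

# Days since 1970-01-01 for a civil date (Hinnant's days_from_civil in POSIX
# shell arithmetic). Leading zeros from "date +%m" are stripped (not octal).
days_from_civil() { # YEAR MONTH DAY
  y=$1; m=${2#0}; d=${3#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

month_number() { # Jan -> 1 ... Dec -> 12
  case $1 in
    Jan) echo 1;; Feb) echo 2;; Mar) echo 3;;  Apr) echo 4;;
    May) echo 5;; Jun) echo 6;; Jul) echo 7;;  Aug) echo 8;;
    Sep) echo 9;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) echo "unknown month: $1" >&2; return 1;;
  esac
}

# days_left "notAfter=Mar 10 12:00:00 2025 GMT" YEAR MONTH DAY
# The first argument is exactly what "openssl x509 -enddate -noout" prints;
# the remaining three are today's date (UTC). Prints the whole days left.
days_left() {
  today=$(days_from_civil "$2" "$3" "$4")
  enddate=${1#notAfter=}
  set -- $enddate   # word-split into: Mon DD HH:MM:SS YYYY GMT
  expiry=$(days_from_civil "$4" "$(month_number "$1")" "$2")
  echo $((expiry - today))
}

# Cron entry point: check the live chain, renew if within 30 days, and let
# --deploy-hook reload nginx only for certificates that were really renewed.
renew_if_needed() { # /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem
  enddate=$(openssl x509 -enddate -noout -in "$1")
  left=$(days_left "$enddate" $(date -u +'%Y %m %d'))
  echo "$1: $left days left"
  if [ "$left" -le 30 ]; then
    certbot renew --deploy-hook "systemctl reload nginx"
  fi
}

if [ $# -eq 1 ]; then renew_if_needed "$1"; fi
```

Call it from cron as renew.sh /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; the hook command must be whatever reloads your own TLS service.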

per domain

You may want to avoid the renewal of all certs at once (unless you manage to deal with hooks properly).

To renew a specific domain with the same command as initially,

certbot certonly -d DOMAIN.TLD

Trash

obsolete

#apt-get install software-properties-common
#add-apt-repository ppa:certbot/certbot
#apt-get update
