Let’s Encrypt was created with one goal in mind: to provide a secure platform that gives everybody the ability to create valid certificates that we can use to secure our web pages. That way our websites can establish secure and private connections with visitors, which benefits both sides. Because all certificates generated this way are valid, we get the ‘green lock icon’ in the URL bar of web browsers, so visitors are not scared away by a big red warning message about an unknown certificate being used (as they would be if we used self-signed certificates).
Before starting, I suggest reading Apache Part 2: Enable SSL if you haven’t enabled SSL for your vhosts; we will also need self-signed certificates for the full process to complete.
As of 03/18/2016, letsencrypt allows automatic certificate installation on Debian/Ubuntu platforms with Apache2 (as the web server); the remaining platforms and web servers are supported via manual installation.
Preparation
The first step is to install the git client, if we haven’t already:
#debian/ubuntu
apt-get install git
Next we need to download the latest letsencrypt script, which will help us with the signing process:
cd /opt
git clone https://github.com/letsencrypt/letsencrypt
If we ever need to update letsencrypt, we just need to invoke the ‘pull’ command in the git client like this:
cd /opt/letsencrypt
git pull
If, in the middle of updating with git pull, we encounter a message about local modifications made by us, there is a quick and dirty fix for that:
cd /opt/letsencrypt
git stash
Let’s go!
Method 1: Automatically configure everything (Apache 2 + Debian/Ubuntu)
./letsencrypt-auto --apache -d example.com
Method 2: Obtaining certificates for web server without automatic installation (webroot module)
./letsencrypt-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/example2 -d example2.com
Method 3: Obtaining certificates without using your web server, using the built-in one instead (standalone module)
#be sure to disable your webserver if there is any
./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
If we are using the ‘apache’ module, everything should work right away; otherwise you need to manually add the certificates to the configuration files of your vhosts.
Certificates are saved inside /etc/letsencrypt/archive, but it is best to use the symlinks that are created in /etc/letsencrypt/live/
Renewing certificates!?
For now (03/18/2016), certificates created with Let’s Encrypt are valid for 90 days. Renewing them is more like creating new ones. This process can be done by hand or with the script proposed by Let’s Encrypt themselves.
First we can do a dry run to see whether there will be any errors while renewing the certs:
/opt/letsencrypt/letsencrypt-auto renew --dry-run
If the command was successful, we can drop the --dry-run argument:
/opt/letsencrypt/letsencrypt-auto renew
The ‘renew’ command uses the last saved settings for creating certificates, so if we would like to use stronger encryption with a longer RSA key, we can do it with:
#4096bit
/opt/letsencrypt/letsencrypt-auto renew --rsa-key-size 4096
While renewing certificates, the application checks whether the validity date has passed. If not, the script will skip renewal for that certificate, but we can force it by adding the ‘--force-renew’ argument:
/opt/letsencrypt/letsencrypt-auto renew --force-renew
Automatic renewing 🙂
This is a copy of the script from https://letsencrypt.org
#!/bin/sh
# le-renew
if ! /opt/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then
    echo Automated renewal failed:
    cat /var/log/letsencrypt/renew.log
    exit 1
fi
We need to add the script to cron, so we won’t have to remember to run it:
#crontab -e
0 * * * * le-renew
This way cron will try to renew every certificate we use once an hour.
We could also skip this script and take another approach, which is using cron with the force-renewal argument:
#crontab -e
0 0 1 * * /opt/letsencrypt/letsencrypt-auto renew --force-renewal
This way, on the first day of each month a new certificate will be generated for our domains. We have 90 days for that, so in theory we get 3 tries before our certificate becomes invalid.
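A cron renewal job can fail without anyone noticing, so it helps to check independently how close the certificates under /etc/letsencrypt/live/ are to expiry. The script below is an added example, not part of the original post or of the Let’s Encrypt client; the function names, the 30-day default and the demo certificate helper are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): list certificates under a
# Let's Encrypt "live" directory that expire within MIN_DAYS days.
# Function names and the 30-day default are assumptions.

# expiring_certs LIVE_DIR [MIN_DAYS]
# Prints the directory name of every LIVE_DIR/<name>/cert.pem that expires
# within MIN_DAYS, has already expired, or cannot be read.
# Returns 1 if anything was printed, 0 otherwise.
expiring_certs() {
    live_dir=$1
    min_days=${2:-30}
    seconds=$((min_days * 86400))
    found=0
    for cert in "$live_dir"/*/cert.pem; do
        # Skip the unexpanded glob, but keep dangling symlinks so they are reported
        [ -e "$cert" ] || [ -L "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        # -checkend exits 0 only if the cert is still valid $seconds from now
        if ! openssl x509 -checkend "$seconds" -noout -in "$cert" >/dev/null 2>&1; then
            echo "$name"
            found=1
        fi
    done
    return "$found"
}

# make_demo_cert LIVE_DIR NAME DAYS
# Constructed sample input: a throwaway self-signed certificate stored as
# LIVE_DIR/NAME/cert.pem, valid for DAYS days.
make_demo_cert() {
    mkdir -p "$1/$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/$2/privkey.pem" -out "$1/$2/cert.pem" >/dev/null 2>&1
}

# When called with arguments, e.g. from cron:
#   sh check-certs.sh /etc/letsencrypt/live 30
if [ "$#" -gt 0 ]; then
    if ! names=$(expiring_certs "$@"); then
        echo "Certificates expiring soon or unreadable:"
        echo "$names"
        exit 1
    fi
fi
```

The non-zero exit status lets cron or a monitoring system raise an alert when renewal has quietly stopped working.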
Revoking certificate:
/opt/letsencrypt/letsencrypt-auto revoke --cert-path example-cert.pem
Update 06/11/2016:
To update the letsencrypt client, you need to run the git command:
git pull
While doing so you may hit an error saying that your local version is modified and that you need to commit those changes. The simplest way to fix this is to reset your local repo:
git reset --hard
Update 04/08/2017:
letsencrypt changed its name to certbot