Let’s encrypt – Green lock icon for ours web page – free SSL certificates

Let’s encrypt was created with one goal in mind, which was create secure platform that will give everybody ability to create valid certificates that we could use to enforce secure for ours web pages. That way our www can established secure and private connections with visitors so both sides will have benefits. Making all certificates generated this way valid we gain the ‘green lock icon’ in URL bar in web browsers, so every visitor don’t have to be scared away with big red warning message about unknown certificated being use (like it would when we use self-signed certificates)

On beginning I would suggest to read Apache Part 2: Enable SSL if you didn’t enabled SSL for your vhosts and also we will need self-signed certificates for full process to complete.

For now, as its 03/18/2016 letsencrypt allow for automatic certificates installation on Debian/Ubuntu platforms with Apache2 (as web server), and rest platforms/web servers are supported via manual installation.


First step is to install git client, if we didn’t already:

apt-get install git

Next we need to download latest letsencrypt script, which will help us with signing process:

cd /opt
git clone https://github.com/letsencrypt/letsencrypt

If we ever need to update letsencrypt we would need to invoke just ‘pull’ command in git client like this:

cd /opt/letsencrypt
git pull

If in middle of updating with git pull we will encounter message about local modification made by us, then there is a quick&dirty fix for that:

cd /opt/letsencrypt
git stash


Lets Go!

Method 1: Automatically configure everything (Apache 2 + Debian/Ubuntu)

./letsencrypt-auto --apache -d example.com


Method 2: Obtaining certificates for web server without automatic installation (webroot module)

./letsencrypt-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com -w 
/var/www/example2 -d example2.com


Method 3: Obtaining certificates without using your web server but instead using build-in one (standalone module)

#be sure to disable your webserver if there is any
./letsencrypt-auto certonly --standalone -d example.com -d www.example.com


If we are using ‘apache’ module everything should work right away, in other case you need to manually add certificates in configure files of your vhosts.

Certificates are saves inside: /etc/letsencrypt/archive but the best is to use sym-links that are created in /etc/letsencrypt/live/


Renewing certificates!?

For now (03/18/2016) certificates created with Let’s Encrypt are valid for 90days. Renewing them is more like creating new ones. This process can be made by hand or with use of script proposed by Let’s Encrypt themself .

At first we can make dry run to see if there will be any errors while renewing certs:

/opt/letsencrypt/letsencrypt-auto renew --dry-run

If command was successful we can skip the –dry-run argument:

/opt/letsencrypt/letsencrypt-auto renew


Command ‘renew’ use the last saved settings for creating certificates, so if we would like to use stronger encryption by using longer RSA key we can do it by:

/opt/letsencrypt/letsencrypt-auto renew --rsa-key-size 4096


While renewing certificates application check if valid date have passed. If not them script will skip renewing for that certificate, but we can force it by adding argument ‘--force-renew':

/opt/letsencrypt/letsencrypt-auto renew --force-renew


Automatic renewing 🙂

This is a copy of script from https://letsencrypt.org

# le-renew
if ! /opt/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then
    echo Automated renewal failed:
    cat /var/log/letsencrypt/renew.log
    exit 1

We need to add script to cron, so we won’t need to remember about this

#crontab -e
0 * * * * le-renew

This way cron will try to renew every certificate we use each hour.


We could also skip this script and take other approach which is using cron with force-renewal argument:

#crontab -e
0 0 1 * * /opt/letsencrypt/letsencrypt-auto renew --force-renewal

This way each first day of month there will be generated new certificate for our domains. We go 90days to that so in theory we got 3 tries before our certificate became invalid.


Revoking certificate:

/opt/letsencrypt/letsencrypt-auto revoke --cert-path example-cert.pem


Update 06/11/2016:

You can update letsencrypt client, you need to run git command

git pull

While doing it you can hit on error saying that your local version is modified and you need to commit those changes. The simples way to fix this is reset your local repo:

git reset --hard


Update 04/08/2017:

letsencrypt change name to certbot

Leave a Reply

Your email address will not be published. Required fields are marked *