A few days ago I got my invitation to the Let’s Encrypt Beta Program. For those of you who are not familiar with Let’s Encrypt:
Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.
This short tutorial is intended to get you up and running with your own Let’s Encrypt signed certificates.
The first thing is to get the Let’s Encrypt client:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
The main command we will be working with is ./letsencrypt-auto. The first time you run it, it will also ask for sudo, install various dependencies using your package manager and set up a
The next step is to issue the certificate and prove to Let’s Encrypt that you have some control over the domain. The client supports two methods to perform the validation. The first one is the standalone server. It works by setting up a web server on port 443 and responding to a challenge from the Let’s Encrypt servers. However, if you already have your own web server running on port 443 (the default for TLS/SSL), you would have to temporarily shut it down. To use the standalone method run:
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly
The second method is called Webroot authentication. It works by placing a folder (.well-known/acme-challenge) in the document root of your server with files corresponding to responses for challenges, so your existing web server keeps running. To use the webroot method run:
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path /var/www/html/ certonly
Whatever method you choose, it will ask for a list of domains you want to validate and your email address. You can write multiple domains. The first one will be the Common Name (CN) and the rest will appear in the Subject Alt Name field.
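As an added example (not code from the Let’s Encrypt client), here is what happens behind the webroot method: the client computes the ACME key authorization, the challenge token joined with a period to the RFC 7638 thumbprint of the account key, and writes it to webroot/.well-known/acme-challenge/token, where the CA fetches it over HTTP and compares it. The account key and token below are constructed sample values, and verify_staged mirrors the CA-side comparison; the token check keeps a malformed token from ever being used as a file name.

```python
import base64, hashlib, json, os, re, tempfile

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # ACME tokens are base64url; nothing else may become a file name

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required JWK members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Challenge response body: token + "." + thumbprint of the account key."""
    if not TOKEN_RE.match(token):
        raise ValueError("malformed challenge token")
    return f"{token}.{jwk_thumbprint(jwk)}"

def stage_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Write the response to <webroot>/.well-known/acme-challenge/<token>; return the path."""
    keyauth = key_authorization(token, jwk)  # validates the token before it touches the filesystem
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as f:
        f.write(keyauth)
    return path

def verify_staged(webroot: str, token: str, jwk: dict) -> bool:
    """The CA's check after fetching the file over HTTP: body must equal the key authorization."""
    try:
        expected = key_authorization(token, jwk)  # rejects malformed tokens before any file access
        with open(os.path.join(webroot, ".well-known", "acme-challenge", token), encoding="ascii") as f:
            return f.read().rstrip() == expected
    except (OSError, ValueError):
        return False

# Constructed sample: public part of a fake RSA account key and a made-up token (not real values)
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256)}
SAMPLE_TOKEN = "DGdE3U6kR-qJpZ7yA2xT_Q0bW8vLm1n"

def demo() -> str:
    """Stage the sample challenge in a temporary webroot and return that webroot."""
    root = tempfile.mkdtemp()
    stage_challenge(root, SAMPLE_TOKEN, SAMPLE_JWK)
    return root
```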
The newly generated certificates will be placed in
The important files in this directory are fullchain.pem, which contains the full certificate chain to be served to the browser, and privkey.pem, which is the private key.
An example Nginx configuration will now look like:
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/guyrutenberg.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/guyrutenberg.com/privkey.pem;
Just don’t forget to reload the web server so the configuration changes take effect. No more government snooping on my blog 😉.