Let's Encrypt

Let's Encrypt is a service that provides free SSL certificates. It verifies a website's server by a series of challenges before signing any certificate requests.

Obtaining Certificates


To get signed certificates from Let's Encrypt manually, use certbot, available from https://certbot.eff.org.

Alternatively, some shared hosting providers (e.g. cPanel hosts) may already have an automated process that fetches and installs signed certificates for you.

Install certbot using a package manager or download it directly from their site.

# dnf install certbot
## or
# wget https://dl.eff.org/certbot-auto

To obtain only certificates using the built-in server:

## stop any services on port 443
# certbot certonly --standalone -d example.com -d www.example.com ...

Alternatively, pass in --webroot and a -w /path for each of the domains to verify. For example:

# certbot certonly --webroot -w /example.com -d example.com -w /testing.example.com -d testing.example.com ...

Certificates will be placed in /etc/letsencrypt/live/$certname/ for each certificate obtained.

To renew certificates:

## Renews all certificates on the system
# certbot renew
## or for only one specific certificate
# certbot renew --cert-name example.com

To add additional domains, run certbot as if you were creating a new certificate. Certbot will then ask if you wish to expand your existing certificate.

Rate Limit

You may get the following error when trying to obtain a certificate for a domain:

"type": "urn:acme:error:rateLimited",
"detail": "Error creating new cert :: too many certificates already issued for: ucalgary.ca",
"status": 429

This happens when more than 20 certificates per week are registered. More information at https://letsencrypt.org/docs/rate-limits/

See Also


Use Certbot Instead
This was written when Certbot wasn't available. You can use Certbot to just obtain the certificates as well without this hassle.

This neat project contains only the essential pieces of code needed to obtain a signed certificate. Unlike the official client, it does not require sudo, which is great for shared hosting accounts or paranoid sysadmins.

Get the code from their GitHub repository at https://github.com/diafygi/letsencrypt-nosudo.

$ git clone https://github.com/diafygi/letsencrypt-nosudo
$ cd letsencrypt-nosudo

I will do all the work inside a keys directory.

If this is the first time you are using Let's Encrypt, generate your user keys.

$ mkdir keys
$ cd keys
$ openssl genrsa 4096 > user.key
$ openssl rsa -in user.key -pubout > user.pub

Create a private key for your domain if you don't have one already and then generate a certificate signing request with the subject containing the domain name to be signed.

$ openssl genrsa 4096 > domain.key
$ openssl req -new -sha256 -key domain.key -subj "/CN=leo.leung.xyz" > leo.leung.xyz.csr

In a separate window (or screen, or Ctrl+Z out), run the sign_csr.py script. Since we do not want to run anything as root, we will have to use the file-based challenge (option -f), as the other (default) option requires running a server on port 80.

$ python ../sign_csr.py -f --public-key user.pub  leo.leung.xyz.csr > signed.crt

Follow the instructions that the script provides you with in order to satisfy Let's Encrypt's challenges.

## Step 2?
$ openssl dgst -sha256 -sign user.key -out register_kZt6ne.sig register_XHetUA.json
$ openssl dgst -sha256 -sign user.key -out domain_7w4NCI.sig domain_zrVWwn.json
$ openssl dgst -sha256 -sign user.key -out cert_LTLknJ.sig cert_cFr76L.json
## Step 3?
$ openssl dgst -sha256 -sign user.key -out challenge_2Hk1Dk.sig challenge_rVYWdK.json
## Step 4
## You will need to place the challenge file and response to a file served by your domain.
$ mkdir -p ~/public_html/.well-known/acme-challenge/
$ echo "" > ~/public_html/.well-known/acme-challenge/b9dITAlwo94hzwIiSHvR7wPclNpWHIJG5YnNHP4UvoM

Once all that is done, you should now have the following files:

  1. domain.key - your domain's private key
  2. signed.crt - your domain's signed certificate

You may want to create a chained certificate in case some browsers are unable to verify the deep chain of trust, like so:

$ wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
$ cat signed.crt lets-encrypt-x1-cross-signed.pem > chained.pem

Installing the Certificates


To manually configure Apache for a virtual host, set:

SSLCertificateFile /etc/letsencrypt/live/domain/signed.crt
SSLCertificateKeyFile /etc/letsencrypt/live/domain/domain.key
SSLCACertificateFile /etc/letsencrypt/live/domain/chain.pem


Let's Encrypt + cPanel Integration
If you are on a cPanel web host, cPanel might already be obtaining SSL certificates for you automatically.

If not, ask your web hosting provider to enable AutoSSL with Let's Encrypt as the provider, or run the /scripts/install_lets_encrypt_autossl_provider script as root.

To install the certificates manually using cPanel, log in to cPanel, click on 'Install an SSL Website', then fill the following fields with their respective file contents:

  1. Certificate: (CRT) -> cert.pem
  2. Private Key (KEY) -> privkey.pem
  3. Certificate Authority Bundle: (CABUNDLE) -> chain.pem

cPanel will automatically install the certificate on the web server once the SSL certificates are uploaded.


Let's Encrypt's certificates are only valid for 90 days and require constant renewal.
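
A pre-install check for the files above, as an added example (not code from this page or from certbot): it confirms that the private key belongs to the certificate and that the certificate is not close to the end of its 90-day lifetime. The function names, return codes and the 30-day default are assumptions of this example.

```shell
#!/bin/sh
# Added example (not certbot's code): check a certificate/key pair before
# pasting it into cPanel or pointing Apache at it.

# check_cert_pair CERT KEY [MIN_DAYS]
#   0 = KEY matches CERT and CERT stays valid for more than MIN_DAYS
#   1 = CERT or KEY could not be parsed (e.g. the two files were swapped)
#   2 = KEY is not the private key for CERT
#   3 = CERT expires within MIN_DAYS (default 30); renew before installing
check_cert_pair() {
    cert=$1; key=$2; min_days=${3:-30}

    # Both commands print the public key as the same PEM block when the
    # files belong together, so a plain string comparison is enough.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 1
    [ "$cert_pub" = "$key_pub" ] || return 2

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 3
    return 0
}

# make_sample_pair DIR NAME DAYS
# Writes a constructed, self-signed DIR/NAME.crt and DIR/NAME.key so the
# check can be tried offline without touching real certificates.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=example.com" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}
```

For certbot-issued files, call it as check_cert_pair /etc/letsencrypt/live/$certname/cert.pem /etc/letsencrypt/live/$certname/privkey.pem and act on the return code.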
