Let's Encrypt
Let's Encrypt is a service that provides free SSL/TLS certificates. It verifies that the requester controls the domain through a series of challenges before signing any certificate request.
Obtaining Certificates
Certbot
To get signed certificates from Let's Encrypt manually, use certbot, available from https://certbot.eff.org.
Alternatively, some shared hosting providers (e.g. cPanel hosts) may already have an automated process running that fetches and installs signed certificates for you.
Install certbot using a package manager or download it directly from their site.
# dnf install certbot
## or
# wget https://dl.eff.org/certbot-auto
To obtain only certificates using the built-in server:
## stop any services on port 443
# certbot certonly --standalone -d example.com -d www.example.com ...
Alternatively, pass --webroot and a -w /path for each of the domains to verify, e.g.:
# certbot certonly --webroot -w /example.com -d example.com -w /testing.example.com -d testing.example.com ...
Certificates will be placed in /etc/letsencrypt/live/$certname/ for each certificate obtained.
To renew certificates:
## Renews all certificates on the system
# certbot renew
## or for only one specific certificate
# certbot renew --cert-name example.com
To add additional domains, run certbot as if you were creating a new certificate. Certbot will then ask if you wish to expand your existing certificate.
Rate Limit
You may get the following error when trying to obtain a certificate for a domain:
{
"type": "urn:acme:error:rateLimited",
"detail": "Error creating new cert :: too many certificates already issued for: ucalgary.ca",
"status": 429
}
This happens when more than 20 certificates per week are registered for the same registered domain. More information at https://letsencrypt.org/docs/rate-limits/
See Also
letsencrypt-nosudo
Use Certbot Instead
This was written when Certbot wasn't available. You can use Certbot to just obtain the certificates as well without this hassle.
This neat project contains only the essential pieces of code needed to obtain a signed certificate. Unlike the official client, it does not require sudo, which is great for shared hosting accounts of paranoid sysadmins.
Get the code from their GitHub repository at https://github.com/diafygi/letsencrypt-nosudo.
$ git clone https://github.com/diafygi/letsencrypt-nosudo
$ cd letsencrypt-nosudo
I will do all the work inside a keys directory.
If this is the first time you are using Let's Encrypt, generate your user keys.
$ mkdir keys
$ cd keys
$ openssl genrsa 4096 > user.key
$ openssl rsa -in user.key -pubout > user.pub
Create a private key for your domain if you don't have one already and then generate a certificate signing request with the subject containing the domain name to be signed.
$ openssl genrsa 4096 > domain.key
$ openssl req -new -sha256 -key domain.key -subj "/CN=leo.leung.xyz" > leo.leung.xyz.csr
In a separate window (or screen, or Ctrl+Z out), run the sign_csr.py script. Since we do not want to run anything as root, we have to use the file-based challenge (option -f), as the other (default) option requires running a server on port 80.
$ python ../sign_csr.py -f --public-key user.pub leo.leung.xyz.csr > signed.crt
Follow the instructions that the script provides you with in order to satisfy Let's Encrypt's challenges.
## Step 2?
$ openssl dgst -sha256 -sign user.key -out register_kZt6ne.sig register_XHetUA.json
$ openssl dgst -sha256 -sign user.key -out domain_7w4NCI.sig domain_zrVWwn.json
$ openssl dgst -sha256 -sign user.key -out cert_LTLknJ.sig cert_cFr76L.json
## Step 3?
$ openssl dgst -sha256 -sign user.key -out challenge_2Hk1Dk.sig challenge_rVYWdK.json
## Step 4
## You will need to place the challenge file and response to a file served by your domain.
$ mkdir -p ~/public_html/.well-known/acme-challenge/
$ echo "" > ~/public_html/.well-known/acme-challenge/b9dITAlwo94hzwIiSHvR7wPclNpWHIJG5YnNHP4UvoM
Once all that is done, you should now have the following files:
domain.key - your domain's private key
signed.crt - your domain's signed certificate
You may want to create a chained certificate, in case some clients are unable to build the full chain of trust from the leaf certificate alone, like so:
$ wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
$ cat signed.crt lets-encrypt-x1-cross-signed.pem > chained.pem
Installing the Certificates
Apache
To manually configure apache for a virtual host, set the certificate, its private key and the intermediate chain (SSLCACertificateFile is for client-certificate authentication, not for the server's chain):
SSLCertificateFile /etc/letsencrypt/live/domain/signed.crt
SSLCertificateKeyFile /etc/letsencrypt/live/domain/domain.key
SSLCertificateChainFile /etc/letsencrypt/live/domain/chain.pem
cPanel
Let's Encrypt + cPanel Integration
If you are on a cPanel web host, cPanel might already be obtaining SSL certificates for you automatically. If not, ask your web hosting provider to enable AutoSSL with Let's Encrypt as the provider, or run the /scripts/install_lets_encrypt_autossl_provider script as root.
To install the certificates manually using cPanel, log in to cPanel, click on 'Install an SSL Website', then fill the following fields with their respective file contents:
- Certificate: (CRT) -> cert.pem
- Private Key (KEY) -> privkey.pem
- Certificate Authority Bundle: (CABUNDLE) -> chain.pem
cPanel will automatically install the certificate on the web server once the SSL certificates are uploaded.
Renewing
Let's Encrypt's certificates are only valid for 90 days and require regular renewal.
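The following script is an added example, not code from the original page, certbot or letsencrypt-nosudo. It checks the files produced by the nosudo steps above (that domain.key really pairs with signed.crt and that the certificate chains to a trusted root) and, for certbot's /etc/letsencrypt/live/ layout, lists lineages whose cert.pem expires within a given number of days. The CA, keys and certificates it uses are constructed on the fly with a throwaway CA so it runs offline; function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original page, certbot or letsencrypt-nosudo):
# post-issuance sanity checks and a renewal-due check. All fixtures below are
# constructed locally with a throwaway CA so the script runs offline.
set -eu

# 0 when private key $1 belongs to certificate $2 (same SHA-256 over the DER public key).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when leaf $2 chains to a trusted root in $1. An optional $3 holds intermediates
# (e.g. the cross-signed intermediate in chained.pem), which are not trust anchors.
chain_verifies() {
    openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

# 0 when certificate $1 expires within $2 days, i.e. when it should be renewed.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the name of every lineage under live dir $1 (certbot layout: <name>/cert.pem)
# that is due for renewal within $2 days.
certs_needing_renewal() {
    for crt in "$1"/*/cert.pem; do
        [ -f "$crt" ] || continue
        if expires_within_days "$crt" "$2"; then
            basename "$(dirname "$crt")"
        fi
    done
}

# Constructed fixtures: a throwaway CA, a 10-day leaf for example.com, an unrelated key.
FIXTURE_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
    -keyout "$FIXTURE_DIR/ca.key" -out "$FIXTURE_DIR/ca.pem" 2>/dev/null
openssl genrsa -out "$FIXTURE_DIR/domain.key" 2048 2>/dev/null
openssl genrsa -out "$FIXTURE_DIR/other.key" 2048 2>/dev/null
openssl req -new -key "$FIXTURE_DIR/domain.key" -subj "/CN=example.com" \
    -out "$FIXTURE_DIR/example.com.csr" 2>/dev/null
openssl x509 -req -days 10 -in "$FIXTURE_DIR/example.com.csr" -CA "$FIXTURE_DIR/ca.pem" \
    -CAkey "$FIXTURE_DIR/ca.key" -CAcreateserial -out "$FIXTURE_DIR/signed.crt" 2>/dev/null
mkdir -p "$FIXTURE_DIR/live/example.com"
cp "$FIXTURE_DIR/signed.crt" "$FIXTURE_DIR/live/example.com/cert.pem"

key_matches_cert "$FIXTURE_DIR/domain.key" "$FIXTURE_DIR/signed.crt" && echo "key matches certificate"
chain_verifies "$FIXTURE_DIR/ca.pem" "$FIXTURE_DIR/signed.crt" && echo "chain verifies"
echo "due for renewal within 30 days: $(certs_needing_renewal "$FIXTURE_DIR/live" 30)"
```

On a real host, point the functions at the nosudo files or at /etc/letsencrypt/live and run certbot renew for whatever certs_needing_renewal prints.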