====== LetsEncrypt on Ubuntu ======

  * There are some important factors to consider when using LetsEncrypt certificates
    - LetsEncrypt tries to set up an HTTP or HTTPS server to validate your domain; accordingly, ports 80 and 443 need to be open so LetsEncrypt can connect to them before it will give you a certificate.
    - LetsEncrypt certificates have a life of 3-4 months so they need to be renewed every three months.
    - The entire process is done through the command line/curses client on the server running the web server
    - On Ubuntu I had to install the certificates manually
    - Currently you can only have 5 certs for every domain per 7 day window

===== Install LetsEncrypt client =====

  - Install Git <code>apt-get install git</code>
  - Download client source <code>git clone https://github.com/letsencrypt/letsencrypt</code>
  - Run client <code>
cd letsencrypt
./letsencrypt-auto
</code>

===== Getting Your first Certificate =====

  * Let's assume that you have a standard webroot server running on port 80 (Apache, Lighttpd, Nginx)
  * In this case it makes sense to run letsencrypt-auto using **http** and **webroot** domain verification.
    - To use port 80, use the following arguments <code>--standalone-supported-challenges http-01</code>
    - To use webroot verification, use the following arguments <code>--webroot --webroot-path /var/www/html</code> replace **/var/www/html** with your document/web root
    - Finally, add the following for manual certificate installation <code>certonly</code>
    - Here is an example command <code>./letsencrypt-auto certonly --standalone-supported-challenges http-01 --webroot-path /var/www/ --webroot</code>
    - You will be asked for an email address and a domain name in the curses interface; enter them and, if all goes well, you should get a certificate file.
    - If successful you will see four files (**cert.pem, chain.pem, fullchain.pem, privkey.pem**) in **/etc/letsencrypt/live//**
    - Consult the certificate file matrix below on how to use the certificate files.
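
Once the four files have been issued, they can be checked before Apache or nginx is pointed at them. The script below is an added example, not part of the original page or of the letsencrypt client; the function names and the 30-day renewal threshold are assumptions made here, and it expects GNU stat and the openssl command line tool.

```bash
#!/bin/bash
# Added example: sanity checks on a LetsEncrypt live directory.
# Function names and the 30-day threshold are assumptions of this sketch.

# check_live_files DIR: all four files present and non-empty, privkey.pem
# accessible by its owner only, fullchain.pem equal to cert.pem + chain.pem.
check_live_files() {
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -s "$1/$f" ] || { echo "missing or empty: $f"; return 1; }
    done
    # -L checks the real key file in case the entry is a symlink (GNU stat).
    mode=$(stat -L -c '%a' "$1/privkey.pem")
    case "$mode" in
        *00|0) ;;
        *) echo "privkey.pem mode $mode: accessible beyond its owner"; return 2 ;;
    esac
    [ "$(cat "$1/cert.pem" "$1/chain.pem")" = "$(cat "$1/fullchain.pem")" ] \
        || { echo "fullchain.pem is not cert.pem followed by chain.pem"; return 3; }
    echo "files ok"
}

# cert_matches_key DIR: the public key inside cert.pem equals the one
# derived from privkey.pem, i.e. the pair belongs together.
cert_matches_key() {
    c=$(openssl x509 -in "$1/cert.pem" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$1/privkey.pem" -pubout) || return 1
    [ "$c" = "$k" ]
}

# needs_renewal DIR DAYS: succeeds when cert.pem expires within DAYS days
# (also succeeds when the certificate cannot be read at all).
needs_renewal() {
    ! openssl x509 -in "$1/cert.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run the checks when a live directory is given as the first argument.
if [ -n "${1:-}" ]; then
    check_live_files "$1" && cert_matches_key "$1" && echo "key matches certificate"
    if needs_renewal "$1" 30; then echo "renew now: under 30 days left"; fi
fi
```

A non-zero return from check_live_files identifies which check failed: 1 for a missing file, 2 for key permissions, 3 for a fullchain mismatch.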
==== Certificate File Matrix ====

^Apache HTTPS Directive^LetsEncrypt File^Description^
|SSLCertificateKeyFile|privkey.pem|Private key for the certificate.|
|SSLCertificateFile|cert.pem|Server certificate only.|
|SSLCertificateChainFile|chain.pem|All certificates that need to be served to the browser excluding server certificate, i.e. root and intermediate certificates only.|
|--|fullchain.pem|This is what nginx needs for ssl_certificate.|

 --- //[[tschulz@sebeka.k12.mn.us|Thad Schulz]] 2015/12/07 13:54//