====== LetsEncrypt on Ubuntu ======
* There are some important factors to consider when using LetsEncrypt certificates
- LetsEncrypt tries to set up an HTTP or HTTPS server to validate your domain, so ports 80 and 443 need to be open for LetsEncrypt to connect to before it will give you a certificate.
- LetsEncrypt certificates have a life of 3-4 months so they need to be renewed every three months.
- The entire process is done through the command line/curses client on the server running the web server.
- On Ubuntu I had to install the certificates manually
- Currently you can only have 5 certs for every domain per 7 day window
===== Install LetsEncrypt client =====
- Install Git <code>apt-get install git</code>
- Download client source <code>git clone https://github.com/letsencrypt/letsencrypt</code>
- Run Client <code>cd letsencrypt
./letsencrypt-auto</code>
===== Getting Your first Certificate =====
* Let's assume that you have a standard webroot server running on port 80 (Apache, Lighttpd, Nginx)
* In this case it makes sense to run letsencrypt-auto using **http** and **webroot** domain verification.
- To use port 80 use the following arguments <code>--standalone-supported-challenges http-01</code>
- To use webroot verification use the following arguments <code>--webroot --webroot-path /var/www/html</code> replace **/var/www/html** with your document/web root
- Finally add the following for manual certificate installation <code>certonly</code>
- Here is an example command <code>letsencrypt-auto certonly --standalone-supported-challenges http-01 --webroot-path /var/www/ --webroot</code>
- You will be asked for an email address and a domain name in the curses interface. Enter them and, if all goes well, you should get a certificate file.
- If successful you will see four files (**cert.pem, chain.pem, fullchain.pem, privkey.pem**) in **/etc/letsencrypt/live//**
- Consult the certificate file matrix below on how to use the certificate files.
==== Certificate File Matrix ====
^Apache HTTPS Directive^LetsEncrypt File^Description^
|SSLCertificateKeyFile|privkey.pem|Private key for the certificate.|
|SSLCertificateFile|cert.pem|Server certificate only.|
|SSLCertificateChainFile|chain.pem|All certificates that need to be served to the browser excluding server certificate, i.e. root and intermediate certificates only.|
|--|fullchain.pem|This is what nginx needs for ssl_certificate.|
--- //[[tschulz@sebeka.k12.mn.us|Thad Schulz]] 2015/12/07 13:54//
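
The four files from the matrix can be sanity-checked before Apache or nginx is pointed at them. The script below is an added example, not part of the original page or of the LetsEncrypt client: ''check_live_dir'' and ''pem_lines'' are hypothetical helper names, and the rule that fullchain.pem is cert.pem followed by chain.pem is an assumption about how the client writes the files, consistent with the table but not stated in it.

```shell
#!/bin/sh
# Added example (not from the original page): check one certificate
# directory against the certificate file matrix.
# Usage: check_live_dir /path/to/the/directory/holding/the/four/files
# Returns the number of problems found (0 = directory looks usable).

# Print a PEM file without carriage returns or blank lines.
pem_lines() {
    tr -d '\r' < "$1" | grep -v '^[[:space:]]*$'
}

check_live_dir() {
    dir=$1
    problems=0

    # 1. All four files must exist and be non-empty.
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "FAIL: $f is missing or empty"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] || return "$problems"

    # 2. privkey.pem: no permission bits for group or other. Only the file
    #    mode is checked (-L follows a symlink to the real key file).
    mode=$(ls -lL "$dir/privkey.pem" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: privkey.pem is accessible to group/other ($mode)"
        problems=$((problems + 1))
    fi

    # 3. cert.pem must hold exactly one certificate (server cert only).
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$dir/cert.pem") || true
    if [ "$n" -ne 1 ]; then
        echo "FAIL: cert.pem holds $n certificates, expected 1"
        problems=$((problems + 1))
    fi

    # 4. fullchain.pem must equal cert.pem followed by chain.pem, so nginx
    #    (fullchain) and Apache (cert + chain) serve the same chain.
    if [ "$(pem_lines "$dir/cert.pem"; pem_lines "$dir/chain.pem")" != \
         "$(pem_lines "$dir/fullchain.pem")" ]; then
        echo "FAIL: fullchain.pem is not cert.pem + chain.pem"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

A non-zero return with a privkey.pem finding means the key file itself is readable beyond its owner, even if a restrictive parent directory currently limits access.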