User Tools

Site Tools


LetsEncyrpt on Ubuntu

  • There are some important factors to consider when using LetsEncyrpt certificates
  1. LetsEncyrpt tires to setup a HTTP or HTTPS server to validate your domain and accordingly port 80 and 443 need to be open for LetsEncyrpt to connect to these ports before they will give you a certificate.
  2. LetsEncyrpt certificates have a life of 3-4 months so they need to be renewed every three months.
  3. The entire process is done through the command line/curses client on the server running the web server
  4. On Ubuntu I had to install the certificates manually
  5. Currently you can only have 5 certs for every domain per 7 day window

Install LetsEncrypt client

  1. Install Git
    apt-get install git
  2. Download client source
    git clone
  3. Run Client
    cd letsencrypt

Getting Your first Certificate

  • Let's assume that you have a standard webroot server running on port 80 (Apache, Lighthttpd, Ngnix)
  • In this case it makes sense to run letsencrypt-auto using http and webroot domain verification.
  1. To use port 80 use the following arguments
    --standalone-supported-challenges http-01
  2. To use webroot verification use the following arguments
    --webroot --webroot-path /var/www/html

    replace /var/www/html with your document/web root

  3. Finally add the following for manual certificate installation
  4. Here is an example command
    letsencrypt-auto certonly --standalone-supported-challenges http-01 --webroot-path /var/www/ --webroot
  5. You will be asked for a email address and a domain name in the curses interface enter them and if all goes well you should get a certificate file.
  6. If successful you will see four files (cert.pem,chain.pem,fullchain.pem,privkey.pem) in /etc/letsencrypt/live/<FQDN>/
  7. Consult the certificate file matrix below on how to use the certificate files.

Certificate File Matrix

Apache HTTPS DirectiveLetsEncrypt FileDescription
SSLCertificateKeyFileprivkey.pemPrivate key for the certificate.
SSLCertificateFilecert.pemServer certificate only.
SSLCertificateChainFilechain.pemAll certificates that need to be served by the browser excluding server certificate, i.e. root and intermediate certificates only.
fullchain.pemThis is what nginx needs for ssl_certificate.

Thad Schulz 2015/12/07 13:54

web_services/letsencrypt.txt · Last modified: 2015/12/07 13:54 by tschulz