Let's Encrypt certificates!

on captainepoch's log

As you may know I am a little concern about my privacy. And you should too, because your data, your life. So, in order to provide a secure and private connection to my sites, I needed a SSL certificate, which it is too expensive. Of course there are free solutions, but they do not provide a reliable SSL certificate or free wildcard support.

Then, Let’s Encrypt appeared in this game. They provide an Open Source, free, reliable SSL certificates for your websites. It is wonderful! So, my friend Rafa and me asked for the beta (Let’s Encrypt will be relased for the public on 16th november’s week).

After the private beta period, on 3rd december Let’s Encrypt relased the Open Beta program, which you can see here.

Set up

Let’s do it!

What do you need?

In order to generate your certs, you will need some stuff:

  • Python (because of the local server)
  • Git (to clone Let’s Encrypt’s repo)
  • Patient, because, why not?
  • Coffee (the most important part of this process) :)

Download the software

I, like Rafa, chose to download the software and generate all the files locally, so in your computer, you have to do:

$ git clone https://github.com/letsencrypt/letsencrypt

It contains the tools you will need to generate your certificates. Remember that certs have 90 days of lifetime, so each 3 months, more or less, you must update it!.


I changed the way I generated the last certificate, so I could do in just one line on the terminal:

$ ./letsencrypt-auto certonly --manual --email YOUR_EMAIL -d DOMAIN_1 [-d DOMAIN_2, ...]

I usually do it at my main machine with ArchLinux or in my MacBook Pro, but if you do at FreeBSD or Amazon Linux Ami, it is the same command with the --debug flag:

$ ./letsencrypt-auto certonly --debug --manual --email YOUR_EMAIL -d DOMAIN_1 [-d DOMAIN_2, ...]

Let’s going to explain this:

  • letsencrypt-auto is the app for generating the certs. It has some parameters you can use, but we only need three.
  • certonly is for generate the certs locally. Note that we did from the start of this post, and it is not going to change, because I like so.
  • --email YOUR_EMAIL prevents to get the screen and put your email.
  • -d DOMAIN_1 puts all the domains you want in the certificate. You can put whatever domain you want, without restrictions. So, I put 3, but you could put 10 (always with the -d).

This will setup the virtual environment that letsencrypt will use in all future executions. Once that is done, you are asked to run a few commands on the server in order to get the auth to validate the cert(s). Follow the instructions to put the token into your server, they are clear.

After that you need to release the 80 port. Why? Because all the petitios to validate the cert will be done there. So:

$ sudo service nginx stop

Obviously, you will have a little downtime. But no worries! It is for your users, and that is the most important part of a website!

And then run this command (note it has to be run as root, and I still do not know why…):

$ sudo $(command -v python2 || command -v python2.7 || command -v python2.6) -c "import BaseHTTPServer, SimpleHTTPServer;s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler);s.serve_forever()"

Then, in Terminal, press Enter after doing the steps Let’s Encrypt told you, et voil√°!, authenticated and certificate generated (do the same steps for every domain you put, it is important because each domain generate its own token). The server is not needed anymore, so simply interrupt its execution.

Copying to the server

Given that I am generating the certificate in my own computer instead of in the server itself, I have to copy things around. The letsencrypt tool tells you that your certificates live in /etc/letsencrypt/live/YOUR_DOMAIN. The files there are actually symbolic links to /etc/letsencrypt/archive/YOUR_DOMAIN/fileX.pem.

Now, I am just going to copy two files to the server, because once you put 3 or 4 domains, they use the same certificate. Here is the files you have to copy to the server:

fullchain.pem ~> /etc/ssl/adol_pw.pem
privkey.pem ~> /etc/ssl/adol_pw.key

Nginx setup

I do not use Apache, so I do not know how to make it work there

Edit the file you want to incorporate the SSL certificate (in my case it is main’s website config):

server {
    listen 80;
    server_name adol.pw;

    return 301 https://$host$request_uri$is_args$args;

server {
    listen 443 ssl;
    server_name adol.pw;

    ssl on;
    ssl_certificate /etc/ssl/adol_pw.pem;
    ssl_certificate_key /etc/ssl/adol_pw.key;

As you might see, I (like Rafa, again) chose to do a redirect if you access by http instead of https, and at ssl_certificate and ssl_certificate_key put the path for your certificate files. Now, do a:

$ sudo service nginx start

And you have now a valid, reliable and free SSL certificate!

Adding new domains

If you did everything but you forgot adding another domain, simply run everything again but with another -d DOMAIN_N flag.


Recently I had to renew certs for the domains I registered the first time. If you try to renew with the system I posted here, it fails. A fix for that is renewing the certs by running this:

$ ./letsencrypt-auto renew --manual-public-ip-logging-ok

Why? I do not know. But @rmed_dev told me that it does not fail. If you execute without that flag, it is going to say this:

2016-02-28 08:43:21,803:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/adol.pw.conf produced an unexpected error: Missing command line flag or config entry for this setting:
NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running letsencrypt in manual mode on a machine that is not your server, please ensure you're okay with that.

Are you OK with your IP being logged?

(You can set this with the --manual-public-ip-logging-ok flag). Skipping.


This tutorial is provided by Rafael aka @rmed_dev, which with his permission I publish here. I modified to adapt it to my website and improvements, by the way. Thank you for making it!

Also, thank you, Tak, for the command for FreeBSD and Amazon Linux Ami and the corrections you made to this article!

And finally, thank you, Let’s Encrypt, for making the private beta available for me. I am waiting for the final and public release too!

UPDATE 20-OCT-2021: Install Certbot, this guide might be outdated.

UPDATE 28-FEB-2016: Added “Adding new domains” and Renewal". Some typos."

UPDATE 09-DIC-2015: Minor fixes.

UPDATE 04-DIC-2015: On 3rd december, Let’s Encrypt went to open beta for the public, so I changed many stuff here to adapt to the new commandline and the text itself.