My First "Let's Encrypt" Cert
Posted on 2016-01-21
Now that it is in beta, I decided that I should request HTTPS certificates through the new Let's Encrypt certificate authority. It is free, secure, and provides a unique way of requesting certificates.
I am installing these certificates on my VPS, which is running the following software:
- Debian 8, "Jessie"
- Nginx 1.6.2
The process also requires the following supporting software:
- Python 2.6+
Here are the steps I took to get my TLS certificate:
Step 1: Clone the Let's Encrypt software
Fairly straightforward, but the Let's Encrypt client software has to be cloned before anything else can happen. I used the following command:
git clone https://github.com/letsencrypt/letsencrypt.git
Step 2: Install Let's Encrypt client
Before we do anything else, you should probably get a root prompt going. Installing and running Let's Encrypt requires you to be root, due to where the certificates are stored and what permissions they are set up with.*
Either log in as root, or use sudo -i to get a root prompt. Then, let's set up the client software. I believe this prompts for your email address, and sets up a basic configuration for you.
cd letsencrypt
./letsencrypt-auto
I ran into issues with this step because I only had Python 3 installed. After installing the Python 2 versions of all the libraries and programs, it worked great.
Optional: Manually edit the configuration
There is a configuration file, /etc/letsencrypt/cli.ini, that contains some defaults you can tweak. I set the RSA key length to 4096; the utility had already added my email address.
rsa-key-size = 4096
email = email@example.com
Step 3: Use the utility to request a certificate
The only thing left is to request a certificate. The Let's Encrypt utility installs itself into a virtualenv - a sandbox for Python programs and their dependencies - so we have to start by activating that.
cd /root/.local/share/letsencrypt/bin
source activate
Once you activate the virtualenv, you should see a (letsencrypt) on the front of your prompt.
From there, I put together a command that would request a certificate, without trying to modify any web server configuration files, using the location of the website's web root to verify that I control the domain.
./letsencrypt certonly -d example.com --webroot -w /var/www/example.com
- certonly: only request the certificate, don't touch any configuration files
- -d example.com: specifies which domain you'd like to request a certificate for
- --webroot: uses your existing web root to verify your domain, so that you don't have to turn off your web server
- -w /var/www/example.com: points to that web root
If all is successful, you should now have a certificate present in /etc/letsencrypt/live/example.com/! I set my web server up to use fullchain.pem, because it includes all of the intermediate (chaining) certificates that a browser needs to validate your setup.
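The steps above leave two things to the reader: checking that the web server can actually serve the challenge file the client drops into the web root, and wiring fullchain.pem into nginx afterwards. The following shell functions are an added example, not code from the original post or from the Let's Encrypt project. The domain, the web root, the client location (LE_BIN) and the nginx layout are assumptions for illustration; the permission checks rely on GNU or busybox stat, which is what Debian ships.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Let's Encrypt
# project. Wraps the --webroot request above with a pre-flight check and
# renders the nginx configuration that uses fullchain.pem. Domain, paths and
# the client location (LE_BIN) are assumptions for illustration.

# The client drops a token at <webroot>/.well-known/acme-challenge/<token>
# and the CA fetches http://<domain>/.well-known/acme-challenge/<token>
# anonymously. nginx runs as www-data, not root, so every directory from the
# web root down must be traversable by "others" and the token files readable
# by them. Create the directory, write a probe file, and verify those bits
# before spending a request on a validation that would fail anyway.
# Directories above the web root are assumed to be traversable already.
prepare_challenge_dir() {
    webroot="${1%/}"
    dir="$webroot/.well-known/acme-challenge"
    [ -d "$webroot" ] || { echo "webroot $webroot does not exist" >&2; return 1; }
    mkdir -p "$dir" || return 1
    chmod 755 "$webroot/.well-known" "$dir" || return 1
    probe="$dir/probe.$$"
    echo "probe" > "$probe" && chmod 644 "$probe" || return 1
    # The last octal digit of the mode is the "others" permission.
    mode=$(stat -c '%a' "$probe"); rm -f "$probe"
    others=${mode#"${mode%?}"}
    [ $(( ${others:-0} & 4 )) -ne 0 ] || { echo "token files would not be world-readable" >&2; return 1; }
    p="$dir"
    while :; do
        mode=$(stat -c '%a' "$p"); others=${mode#"${mode%?}"}
        [ $(( ${others:-0} & 1 )) -ne 0 ] || { echo "$p is not traversable by others" >&2; return 1; }
        [ "$p" != "$webroot" ] && [ "$p" != / ] && [ "$p" != . ] || break
        p=$(dirname "$p")
    done
    return 0
}

# The request exactly as in the post, with the pre-flight check in front.
# Run it from the activated virtualenv; LE_BIN is where the post's client lives.
request_cert() {
    domain="$1"; webroot="$2"
    prepare_challenge_dir "$webroot" || return 1
    "${LE_BIN:-/root/.local/share/letsencrypt/bin}/letsencrypt" certonly \
        -d "$domain" --webroot -w "$webroot"
}

# nginx server blocks for the issued certificate. fullchain.pem is cert.pem
# followed by the intermediate (chain.pem); serving cert.pem alone leaves
# browsers that do not already have the intermediate unable to build a
# trusted path. The HTTP block keeps the challenge path reachable so later
# requests keep working after everything else redirects to HTTPS. Every
# directive used here exists in nginx 1.6.2; hostnames and paths are assumed.
render_nginx_config() {
    domain="$1"; webroot="$2"
    cat <<EOF
server {
    listen 80;
    server_name $domain;
    location /.well-known/acme-challenge/ {
        root $webroot;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name $domain;
    root $webroot;
    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

# Let's Encrypt certificates are valid for 90 days. Exit 0 while more than $2
# days remain, 1 otherwise, so a cron job can decide when to call request_cert.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}
```

Usage: `prepare_challenge_dir /var/www/example.com` before the request, `render_nginx_config example.com /var/www/example.com > /etc/nginx/sites-available/example.com` once the certificate exists, and `cert_valid_for_days /etc/letsencrypt/live/example.com/fullchain.pem 30 || request_cert example.com /var/www/example.com` from cron to re-request before expiry.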
* I could be wrong about this; if I figure out a way to do this without being root, I'll update this post.
Tags: python linux browsers networking server