Fragmented Development

My First "Let's Encrypt" Cert

Now that it is in beta, I decided that I should request HTTPS certificates through the new Let's Encrypt certificate authority. It is free, and instead of a web form and a manual CSR upload, certificates are requested, validated and issued automatically by a client program talking to the CA.

I am installing these certificates on my VPS, which is running the following software:

The process also requires the following supporting software:

Here are the steps I took to get my TLS certificate:

Step 1: Clone the Let's Encrypt software

Fairly straightforward, but you need to clone the Let's Encrypt client software before you can begin. I used the following command:

git clone https://github.com/letsencrypt/letsencrypt.git

Step 2: Install Let's Encrypt client

Before we do anything else, you should probably get a root prompt going. Installing and running Let's Encrypt requires you to be root, because the certificates and private keys are stored under /etc/letsencrypt with root-only permissions.*

Either log in as root, or use sudo -i to get a root prompt. Then, let's set up the client software. I believe this prompts for your email address, and sets up a basic configuration for you.

cd letsencrypt
./letsencrypt-auto

I ran into issues with this step because I only had python 3 installed. After installing all of the python 2 versions of libraries and programs, it worked great.

Optional: Manually edit the configuration

There is a configuration file, /etc/letsencrypt/cli.ini, that contains some defaults that you can tweak. I set the RSA key length to 4096, and the utility had already added my email address.

rsa-key-size = 4096
email = you@example.com

Step 3: Use the utility to request a certificate

The only thing left is to request a certificate. The Let's Encrypt utility installs itself into a virtualenv - an isolated, per-project set of Python packages (not a security sandbox; it does nothing to confine the program) - so we have to start by activating that.

cd /root/.local/share/letsencrypt/bin
source activate

Once you activate the virtualenv, you should see a (letsencrypt) on the front of your prompt.

From there, I put together a command that would request a certificate, without trying to modify any web server configuration files, using the location of the website's web root to prove that I control the domain. With --webroot, the client writes a challenge file under .well-known/acme-challenge/ inside that directory and the CA then fetches it over plain HTTP from the domain being certified, so port 80 must be reachable and the web server must serve that path.

./letsencrypt certonly -d example.com --webroot -w /var/www/example.com

If all is successful, you should now have a certificate present in /etc/letsencrypt/live/example.com/! I set my web server up to use fullchain.pem, because it includes all of the appropriate chaining certificates that the browser needs to validate your setup. The same directory holds privkey.pem; point the web server at it in place, and do not copy it anywhere that is readable by other users. Let's Encrypt certificates are valid for 90 days, so plan to rerun the request before then.
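Before running the certonly command above, it is worth confirming that files dropped into the web root really are served at the URL the CA will fetch, since a misconfigured vhost or a server that refuses dot-directories is the usual reason the --webroot challenge fails. The following is an added preflight script, not part of the original post or of the Let's Encrypt client: it writes a throwaway token into <webroot>/.well-known/acme-challenge/, fetches it back over HTTP and cleans up. The serve_dir helper and the localhost URL are assumptions for running it offline; against a real VPS you would pass the public webroot and http://example.com instead. The file body is just the token here; the real client writes the ACME key authorization there, but for this check only the path matters.

```python
"""Preflight for the --webroot challenge: confirm that a file dropped into
<webroot>/.well-known/acme-challenge/ is served at the matching URL before
asking the CA for a certificate. Added example, not the client's own code."""
import functools
import os
import secrets
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import urlopen

CHALLENGE_PATH = ".well-known/acme-challenge"


def place_token(webroot, token=None):
    """Write a throwaway challenge file where the client's webroot plugin would.
    The real client writes the ACME key authorization as the body; for this
    preflight we only need something recognisable, so the body is the token."""
    token = token or secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def fetch_token(base_url, token, timeout=5):
    """GET the challenge URL the way the CA's validator does: plain HTTP."""
    with urlopen(f"{base_url}/{CHALLENGE_PATH}/{token}", timeout=timeout) as resp:
        return resp.status, resp.read().decode()


def webroot_preflight(webroot, base_url):
    """True only if a file placed in the webroot comes back over HTTP unchanged.
    A 404 (wrong directory), a refused connection (port 80 closed) or a
    rewritten body (captive portal, redirect to an error page) all give False."""
    token, path = place_token(webroot)
    try:
        status, body = fetch_token(base_url, token)
        return status == 200 and body == token
    except (OSError, UnicodeDecodeError):  # HTTPError/URLError are OSErrors
        return False
    finally:
        os.remove(path)  # never leave stale challenge files behind


def serve_dir(directory):
    """Assumed helper for offline use: a throwaway HTTP server on 127.0.0.1
    serving `directory`. Returns (server, base_url)."""
    handler = functools.partial(SimpleHTTPRequestHandler, directory=directory)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    # Stand-alone demo against a temporary directory served locally.
    with tempfile.TemporaryDirectory() as webroot:
        server, url = serve_dir(webroot)
        print("webroot is served:", webroot_preflight(webroot, url))
        server.shutdown()
        server.server_close()
```

Run it as root on the VPS with the real values, e.g. webroot_preflight("/var/www/example.com", "http://example.com"); if it returns False, fix the web server before spending a validation attempt with the CA.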


* I could be wrong about this; if I figure out a way to do this without being root, I'll update this post.

Tags: python linux browsers networking server

