Let’s Encrypt is an SSL certificate authority managed by the Internet Security Research Group (ISRG). It utilizes the Automated Certificate Management Environment (ACME) to automatically deploy browser-trusted SSL certificates to anyone for free.
This tutorial will cover the following:
- Installing the Let’s Encrypt ACME client.
- Obtaining Let’s Encrypt certificates.
- Required attention and maintenance.
- Technical details about Let’s Encrypt and certificates issued by it.
As of Feb. 25, 2016, Let’s Encrypt is still in public beta. Although most users have reported success, the ACME client is still being debugged and developed. Do not deploy Let’s Encrypt Public Beta in a production environment without testing it beforehand.
Before you Begin
- Familiarize yourself with our Getting Started guide and complete the steps for setting your Linode’s hostname and timezone.
- Complete our Securing Your Server tutorial to create a standard user account, harden SSH access, and remove unnecessary network services.
- Update your server’s software packages.
sudo yum update && sudo yum upgrade
Debian / Ubuntu
sudo apt-get update && sudo apt-get upgrade
This guide is written for a non-root user. Commands that require elevated privileges are prefixed with
sudo. If you’re not familiar with the
sudocommand, you can check our Users and Groups guide.
Download and Install Let’s Encrypt
- Install the
sudo yum install git
Debian / Ubuntu
sudo apt-get install git
- Download a clone of Let’s Encrypt from the official GitHub repository.
/optis a common installation directory for third-party packages, so let’s install the clone to
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
- Position your Bash prompt in the new
Create an SSL Certificate
Let’s Encrypt automatically performs Domain Validation (DV) using a series of challenges. The Certificate Authority (CA) uses challenges to verify the authenticity of your computer’s domain. Once your Linode is validated, the CA will issue SSL certificates to you.
- Run Let’s Encrypt with the
--standaloneparameter. For each additional domain name requiring a certificate, add
-d example.comto the end of the command.
sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
Let’s Encrypt does not deploy wildcard certificates. Each subdomain requires its own certificate.
- Specify an administrative email address. This will allow you to regain control of a lost certificate and receive urgent security notices if necessary. Press TAB followed by ENTER or RETURN to save.
- Agree to the Terms of Service.
- If all goes well, a message similar to the one below will appear. Its appearance means Let’s Encrypt has approved and issued your certificates.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
IMPORTANT NOTES: - If you lose your account credentials, you can recover them through e-mails sent to firstname.lastname@example.org. - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2016-03-31. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Let's Encrypt, so making regular backups of this folder is ideal. - If you like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Explore Let’s Encrypt Certificate Directory Structure
- List the
sudo ls /etc/letsencrypt/live
- Each domain name you specified in Step 1 of the Create an SSL Certificate section has its own directory. List any one of these domain name directories:
sudo ls /etc/letsencrypt/live/example.com
1 2 3 4
cert.pem chain.pem fullchain.pem privkey.pem
- Each key (
.pem) file serves a different purpose:
- cert.pem: server certificate only.
- chain.pem: root and intermediate certificates only.
- fullchain.pem: combination of server, root and intermediate certificates (replaces
- privkey.pem: private key (do not share this with anyone!).
- For good measure, display the file status of
sudo stat /etc/letsencrypt/live/example.com/fullchain.pem
File: ‘live/example.com/cert.pem’ -> ‘../../archive/example.com/cert1.pem’
Notice how this file points to a different file, as do all four of the files listed in Step 3. They are symbolic links to the actual certificate files located in the
- If you forget to renew a domain name’s certificate, Let’s Encrypt will remove its directory (and symbolic links) from
/etc/letsencrypt/live. However, the directory (and symbolic links) will be retained in the
/etc/letsencrypt/keysdirectories for your future reference.
Renew SSL Certificates
- Return your Bash prompt to the
- Execute the command you used in Step 1 of the Create an SSL Certificate section, adding the
sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d example.com -d www.example.com
- After a few moments, a confirmation similar to the one below should appear:
1 2 3 4 5 6 7 8 9
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2016-03-31. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - If you like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Let’s Encrypt has refreshed the lifespan of your certificates; in this case, March 31st, 2016 is the new expiration date.
Let’s Encrypt certificates have a 90-day lifespan before they expire. According to Let’s Encrypt, this encourages automation and minimizes damage from key compromises. You can renew your certificates anytime during their lifespan.
Automate SSL Certificate Renewal (Optional)
Since it’s easy to forget about logging into a remote server, we also recommend automating your certificate renewal. This will prevent your certificates from expiring and can be accomplished with
- Before we execute the following command, let’s break it down and make some modifications:
echo '@monthly root /opt/letsencrypt/letsencrypt-auto certonly --standalone --renew-by-default -d example.com -d www.example.com >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab
- @monthly: for simplicity, this command will execute at midnight on the first day of every month
- root: run the command as the root user
- /opt/letsencrypt/letsencrypt-auto certonly –standalone –renew-by-default -d example.com -d www.example.com:
letsencrypt-autorenewal command. Again, add
-d example.comfor each domain name you need to renew
- » /var/log/letsencrypt/letsencrypt-auto-update.log: record the standard output and standard error to a log file named
- tee –append /etc/crontab: save the new cron job to the
- Execute your modified command to add the cron job to your Linode.
Once Let’s Encrypt leaves public beta and supports auto-renewal natively, open the
/etc/crontabfile and manually remove this entry to avoid future renewal conflicts.
Update Let’s Encrypt
- Return your Bash prompt to the
- Download any changes made to Let’s Encrypt since you last cloned or pulled the repository, effectively updating it:
sudo git pull
Automate Let’s Encrypt Updates (Optional)
You can also use
cron to keep the
letsencrypt-auto client up to date. The
@weekly parameter will issue a
git pull command in the
/opt/letsencrypt directory every Sunday at midnight.
echo '@weekly root cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab
To change the update frequency, choose a different parameter, for example,