Let’s Encrypt
Let’s Encrypt is a free, automated, and open certificate authority. It provides tools to request valid TLS (SSL) certificates straight from the command line, using the ACME protocol to prove that you control the domain.
Installation
Install the letsencrypt package.
Automated configuration and installation of the issued certificates in web servers is provided by plugins:
- The experimental plugin for nginx is provided by the letsencrypt-nginx package.
- Although a letsencrypt-apache package exists, automated installation for the Apache HTTP Server is currently only supported on Debian and derivatives; elsewhere Apache has to be configured by hand (see Manual and Webroot below).
Configuration
Please consult the Let’s Encrypt client documentation on how to create and install certificates. This wiki page will be expanded once the certificate installation methods have settled.
Manual
If there is no plugin for your web server, use the following command:
# letsencrypt certonly --manual
This verifies your domain interactively: the client prints a challenge token and asks you to make it available on the domain (by default as a file under http://your.domain/.well-known/acme-challenge/) before it continues. On success it creates a private key and certificate pair, placed in /etc/letsencrypt/live/your.domain/ (privkey.pem and fullchain.pem are the files a web server normally needs).
You can then manually configure your web server to use the key and certificate in that directory. Note that because the files in that directory are symlinks to the latest version of the certificate, pointing the server at them means it will pick up renewed certificates after a reload.
Webroot
You can use the webroot method to get/renew certificates with a running web server (e.g. Apache/nginx). The client writes the challenge file into /path/to/html/.well-known/acme-challenge/ and the Let’s Encrypt servers fetch it over plain HTTP, so that path must be served by your web server and must not be blocked, password-protected or redirected in a way that breaks the request.
/etc/systemd/system/letsencrypt.service
[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/letsencrypt certonly --agree-tos --renew-by-default --email email@example.com --webroot -w /path/to/html/ -d your.domain
Make sure the server configuration for the certificates points to /etc/letsencrypt/live/your.domain/.
Before adding a timer, start the service once by hand and check that it completes successfully and does not try to prompt for anything (a oneshot service that waits for input will simply hang).
Then you can add a timer to renew the certificates monthly. Let’s Encrypt certificates are valid for 90 days, so a monthly run leaves ample margin if one renewal fails.
/etc/systemd/system/letsencrypt.timer
[Unit]
Description=Monthly renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=monthly
Persistent=true

[Install]
WantedBy=timers.target
Enable and start letsencrypt.timer. Also start letsencrypt.service if you want to renew the certificates right now.
You will probably want your web server to pick up the renewed certificate after each run; otherwise it keeps serving the old one until it is restarted. You can achieve that by adding one of these lines to the letsencrypt.service file:
- Apache:
ExecStartPost=/usr/sbin/systemctl restart httpd.service
- nginx:
ExecStartPost=/usr/sbin/systemctl restart nginx.service
Both servers also accept a reload (systemctl reload httpd.service or nginx.service), which re-reads the certificate files without dropping established connections; a restart is only needed if your unit has no reload action.
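A small check to run after the service has completed (and periodically, to catch a timer that stopped firing): it inspects every certificate under /etc/letsencrypt/live/ and reports which ones are about to expire, using openssl x509 -checkend. This is an added example for this page, not part of the Let’s Encrypt client; the live directory path and the 30-day threshold are assumptions, and the self-signed certificates it builds for the demonstration are constructed test data, not real Let’s Encrypt certificates.

```sh
#!/bin/sh
# Added example: report Let's Encrypt certificates that are close to expiry.
# Uses only openssl, so it works on any host without the ACME client installed.
set -eu

# cert_valid_for_days CERT DAYS
# Returns 0 if CERT is still valid DAYS days from now, 1 if it expires earlier
# (or cannot be read). openssl's -checkend takes the lookahead in seconds.
cert_valid_for_days() {
    cert=$1
    days=$2
    seconds=$((days * 86400))
    openssl x509 -noout -checkend "$seconds" -in "$cert" >/dev/null 2>&1
}

# cert_end_date CERT: print the notAfter date of CERT in openssl's own format.
cert_end_date() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# check_live_certs [LIVE_DIR] [DAYS]
# Walks every <domain>/cert.pem below LIVE_DIR (default /etc/letsencrypt/live,
# an assumption about the client's layout) and returns 1 if any certificate
# expires within DAYS days (default 30), otherwise 0.
check_live_certs() {
    live_dir=${1:-/etc/letsencrypt/live}
    days=${2:-30}
    status=0
    for d in "$live_dir"/*/; do
        [ -f "$d/cert.pem" ] || continue
        name=$(basename "$d")
        if cert_valid_for_days "$d/cert.pem" "$days"; then
            echo "OK     $name: valid until $(cert_end_date "$d/cert.pem")"
        else
            echo "RENEW  $name: expires $(cert_end_date "$d/cert.pem")"
            status=1
        fi
    done
    return $status
}

# make_test_cert DIR DAYS
# Constructed test data: a throwaway self-signed certificate valid for DAYS
# days, laid out like a live directory (privkey.pem + cert.pem) so the check
# can be exercised offline. Not a Let's Encrypt certificate.
make_test_cert() {
    dir=$1
    days=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=example.test" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Usage on a real host (exit status 1 means at least one certificate needs renewal):
#   check_live_certs /etc/letsencrypt/live 30
```

A non-zero exit from check_live_certs is a convenient hook for monitoring: if the timer is working, nothing under the live directory should ever get within 30 days of expiry.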