Lead Image © Stuart Miles, 123RF.com

Getting a free TLS certificate from Let's Encrypt


Article from ADMIN 33/2016
A free TLS certificate from Let's Encrypt means you can add encryption to your network for no cost, so you don't have any more excuses for failing to encrypt.

Let's Encrypt [1] is an open-source project with the goal of making sure every website encrypts its traffic with TLS. The Let's Encrypt project is sponsored by organizations such as Mozilla, Cisco, Akamai, EFF, gandi.net, and many more. The primary role of Let's Encrypt is to offer trusted and free TLS certificates for everyone. Users can even copy and integrate Let's Encrypt technology into their own networks, which means any website can now offer an encrypted option for no cost. On May 8th 2016, Let's Encrypt issued its one millionth certificate.

Building In Trust

Let's Encrypt requires that whoever requests a certificate must prove they control the website for which the certificate is intended. If you wish to receive the certificate for a website, the DNS entry for the domain must point to your IP address.

To request a certificate for http://www.hanscees.com, I had to run a script on the web server serving http://www.hanscees.com, asking the Let's Encrypt staging-server (LSS) for the certificate. The LSS asks the web server to present a secret file on a subdirectory of the website, checks it, and, if successful, hands over a certificate file. See the Let's Encrypt website for additional information [2].

You can use Let's Encrypt for any website regardless of the web server. For my home-grown sites, I use one ESXI VMware server and deploy pre-installed virtual machines using TurnKey Linux [3], a Debian-based series of pre-configured Linux application hosts. Deploying a new website takes me about 10 minutes.

To secure websites running on Joomla or other web-based applications, I use a front-end reverse proxy. I recently switched from Nginx to Hiawatha [4] because the Hiawatha configuration makes it extremely easy to protect websites from SQL attacks. A front-end reverse proxy makes using Let's Encrypt much easier: instead of having to use a Let's Encrypt client on every web server, I can renew certificates for many back-end web servers in one script using one machine.

Getting a Free Let's Encrypt SSL/TLS Certificate

Let's Encrypt was a public beta when I wrote this article, and some of the procedures have changed, but this brief introduction will help you get started. Also, keep in mind that you might need to adjust these procedures based on your own configuration.

Consider taking a snapshot of your system or exporting the VM to be sure you can easily revert to the previous configuration in case of a problem.

To set up Let's Encrypt:

cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory --help

Now get some coffee and wait for a long download.

The first time you get a certificate, you need to run the commands manually, because they prompt for input, such as an email address. Also, make sure you test with the staging server while you're learning how to use Let's Encrypt, because the real server has some built-in limits: if you try too many times, it will block certificate renewal for your domain for a week.

Start with the test server:


After you understand how Let's Encrypt works, you can try this using the production server:


To obtain a non-signed test certificate, change to the letsencrypt directory:

cd /root/letsencrypt

The basic command for obtaining a certificate is:

./letsencrypt-auto certonly -a webroot --webroot-path /srv/www/example.com/ -d example.com -d www.example.com --server https://acme-staging.api.letsencrypt.org/directory

Next, you need to make sure:

  • Your domain (as stated after the -d) is registered in DNS and resolves to the IP address of your web server (or proxy).
  • The webroot path you give in the letsencrypt-auto command is correct, the script can write to that directory, and the web server actually serves that directory.

If you are testing a couple of times, make sure you keep a backup of your Let's Encrypt credentials:

tar -cvzf /root/letsencrypt.tgz /etc/letsencrypt

On my network, I enter:

./letsencrypt-auto certonly -a webroot --webroot-path /var/www/backends/ -d www.test-backend.com --server https://acme-staging.api.letsencrypt.org/directory

After you enter the command, you have to type an email address and agree to the terms of service [5]. If all goes well, you will get a message similar to the output shown in Listing 1.

Listing 1

Successful Certificate

Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.test-backend.com/fullchain.pem. Your
   cert will expire on 2016-03-27. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
If you like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

If you are continually testing and getting errors saying the archive directory already exists, you might need to clean up some directories:

cd /etc/letsencrypt/
rm -rf archive/www.test-backend.com*
rm -rf live/www.test-backend.com*
rm -rf renewal/www.test-backend.com*
rm -rf keys/*
rm -rf csr/*

To use the Let's Encrypt certificate with Hiawatha, you need to process the files to the right format:

cd /etc/letsencrypt/live/www.test-backend.com/
cat privkey.pem cert.pem chain.pem > hiawatha-hc.pem
chown www-data:www-data hiawatha-hc.pem
chmod 440 hiawatha-hc.pem

When you have a new certificate, you must restart the web server so it can use the certificate:

service hiawatha check
/etc/init.d/hiawatha restart

Now point your browser to the website and see if you get redirected to HTTPS or receive a warning because you are using the test environment and the certificate is not trusted.

Ignore the warnings and have a look at the certificate: mine was signed by "happy hacker fake CA."

A Real Certificate

Now that you have the process working, you can get a trusted certificate signed by Let's Encrypt.

First, clean up the testing stuff:

tar -cvzf /root/letsencrypt.tgz /etc/letsencrypt
cd /etc/letsencrypt/
rm -rf archive/www.test-backend.com*
rm -rf live/www.test-backend.com*
rm -rf renewal/www.test-backend.com*

Next, get the real signed certificate as follows:

cd /root/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path /var/www/backends/ -d www.test-backend.com --server https://acme-v01.api.letsencrypt.org/directory

If a congratulations message follows, you can prep the cert (remember this is for Hiawatha; the instructions will vary if you use a different web server):

cd /etc/letsencrypt/live/www.test-backend.com/
cat privkey.pem cert.pem chain.pem > hiawatha-hc.pem
chown www-data:www-data hiawatha-hc.pem
chmod 440 hiawatha-hc.pem
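
The bundle step used in both the staging and production runs above, as an added shell example that is not part of the original article: with a typical 022 umask, `cat ... > hiawatha-hc.pem` leaves the private key world-readable until `chmod` runs, so this version writes a temporary file under umask 077 and renames it into place. The function names `pem_has` and `build_hiawatha_bundle` are hypothetical, and the PEM-marker test is a sanity check against missing or swapped files, not cryptographic validation.

```shell
#!/bin/sh
# Added example (not from the article): build the Hiawatha bundle safely.
# Usage: sh make-bundle.sh /etc/letsencrypt/live/www.test-backend.com www-data:www-data

# pem_has FILE LABEL: succeed if FILE is non-empty and has a PEM BEGIN line for LABEL.
pem_has() {
    [ -s "$1" ] && grep -q -- "-----BEGIN .*$2-----" "$1"
}

# build_hiawatha_bundle LIVE_DIR [OWNER]
# Writes LIVE_DIR/hiawatha-hc.pem in the article's order: key, cert, chain.
build_hiawatha_bundle() {
    live_dir=$1
    owner=${2:-}
    out="$live_dir/hiawatha-hc.pem"

    # Refuse to build from missing, empty, or swapped input files.
    pem_has "$live_dir/privkey.pem" "PRIVATE KEY" || { echo "bad privkey.pem" >&2; return 1; }
    pem_has "$live_dir/cert.pem" "CERTIFICATE" || { echo "bad cert.pem" >&2; return 1; }
    pem_has "$live_dir/chain.pem" "CERTIFICATE" || { echo "bad chain.pem" >&2; return 1; }

    (
        # The umask change is confined to this subshell.
        umask 077
        # Temp file in the same directory so the final mv is an atomic rename.
        tmp=$(mktemp "$live_dir/.hiawatha-hc.XXXXXX") || exit 1
        trap 'rm -f "$tmp"' EXIT
        cat "$live_dir/privkey.pem" "$live_dir/cert.pem" "$live_dir/chain.pem" > "$tmp" || exit 1
        # Ownership and mode are set before the file gets its final name.
        if [ -n "$owner" ]; then chown "$owner" "$tmp" || exit 1; fi
        chmod 440 "$tmp" || exit 1
        mv -f "$tmp" "$out"
    )
}

# Run as a script only when a directory argument is given.
if [ "$#" -gt 0 ]; then
    build_hiawatha_bundle "$@"
fi
```

If the build fails, the previous hiawatha-hc.pem is left untouched, so a restart still finds a complete bundle.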

Restart Hiawatha, and you should see your website without HTTPS warnings. If you examine the certificate, you'll see that it says:

Issued by: Let's Encrypt Authority X1

You now have an officially signed and trusted certificate. Your website just became one of many secured sites using Let's Encrypt for a safer internet.
