Posts Tagged ‘ssl’

All about Let’s encrypt

August 23rd, 2016 No comments

Let’s encrypt – is a free service from google, who allows issue SSL certificates for web projects. Letsencrypt has its own API, through which easily automate the process of re-issue of certificates at the end of their period of validity. Each certificate issued Letsencrypt valid for three months. After that you need issue it again. However, this may occur automatically. Letsencrypt has many implementations to access its API. There is clients written on perl, python, C, bash and also browser clients. I decided use the most simple solution – shell-script called He is able to do all the required things, and does not require installation of additional software system, which is often quite difficult for older systems like FreeBSD.


As described above, we will use script. It is compatible with FreeBSD and all popular distributions of Linux. No need to install additional software, libraries and interpreters.

Download and install

Using curl

curl | sh


wget -O - | sh

Or using git

git clone
cd ./
./ --install

–install command adding to actual user cron task, which will run few times per week for update sertificates and itself. lets’encrypt ssl sertificates valid 3 months, so cron task is a really important one thing here. I’d recoment do it from user, which can use web-server. For example www-data, or www. or nginx. It depends from your server settings. Anyway it must have write acces to your website directory.

Request sertificate

Below – few fays to get sertificates for domain, and ways to authorise your domain in acme servers.

web-request method

First method – most useful and simple, it allows to get a valid one sertificate for your website immideatley. In two words it is script which sends request to get sertificate for domain, and in the same moment generates csr-request. The server acme answers and give to our script some code, that must be seen from our server and domain. Finally acme server  will connect to your domain, find there html-file with code that was sended to script and make auth succeful. After that, you will receive ssl-serteficate.
So, let’s begin practice. If you use nginx, you have to add one location to your web-site config:

location /.well-known/acme-challenge {
default_type "text/html";

Explaination. While authorisation, script for a few seconds puts file with path  / , and after that acme check it – if file available from web-server then acme will give serteficate to you. So now, if all terms was completed, we can do serteficate request: --issue -d -w /usr/local/www/

As you can see from command above, we ask script request with –issue key, for domain with -d key, -w declare our project folder. And because of that really important to make sure, that user, from which you ran script can write to website folder. After success authorisation, this file will be deleted by script automaticly. So. i’d like to say that it apears in website folder just for a few seconds.

After command run, in script folder, you will see sertificates: fullchain.cer – serteficate, а – key for that. Our serteficate have all needed intermediate and root serteficates, and works without password. So no necessary to do somethinf more – just add it to ypur web server an enjoy your ssl.

DNS authorisation method

This can be useful in few cases. First one – when serteficate needed be added to domain in internal network. For example, i can make DNS-A record to any domain, but with ip . So in that case this method will be very useful. In this case first method will not work because internal ip cannot be listen by acme servers. If you want use this method, you should add some A-record in DNS for your domain with authorisation key. Authorization key you can receive from script. Make request: --issue --dns -d --dnssleep 2400

After that command, script print next information (i’ve changed it special for this article):

You should get the output like below:

Add the following txt record:
Txt value:9ihDbjYfTExAYeDBHTrecgvrve5o18KBzwvTEjUnSwd32-c

Please add those txt records to the domains. Waiting for the dns to take effect.

So it means that you should add  RR TXT-record to domain with name and value 9ihDbjYfTExAYeDBHTrecgvrve5o18KBzwvTEjUnSwd32-c (each request has own value, it’s just example). After that, i’ll recommend you wait about 15-20 minutes, and run next command: --renew -d

acme will check dns record of your dns, and if we did al things correctly, script will give you serteficate. Next steps will same as in first recipe.

Standalone method

I’d not recommend this method to use, because you should turn off your website while script works. In many cases it is very uncomfortable and you may lost your site users. Soo if you wan use it anyway, first turn off your web-server which listen 80 and 433 port in internet.  It will not work without . Next, enter command --issue --standalone -d

You will receive serteficate, so time to turn on web server back.

Another script functions

Script has many useful and good options. You can show all of them – just type  –help. Frome good options script supports update, and also has parameter –sertpath, which allows copy sertificates to nginx folder, for example. While you make request typing command in script, you can use -d key and create request to many domains in one time. In 5-10 domains, if you necessary. Script creates to actual user cron task, which will run few times per week for renew sertificates and update itself.