Let’s Encrypt: the ultimate guide to generating free SSL certificates

Updated on , by Jacky Thierry, in the category #Security & Adminsys


About the author

Jacky THIERRY

CTO, Project Manager, Startup owner

I have been working in IT for 15 years and have managed various web projects for worldwide companies, web agencies and local associations. I specialize in agile projects with outsourced teams around the world.


Discover Let’s Encrypt

1 – What is Let’s Encrypt

Let’s Encrypt is a free, automated and open certificate authority.

It is run by the non-profit Internet Security Research Group (ISRG) and issues SSL/TLS certificates that are trusted by all major browsers, operating systems and web tools.

The service is free: issuing a certificate costs nothing and requires no subscription. It is automated: issuance and renewal both go through a client that talks the ACME protocol to Let’s Encrypt’s servers, so you can script the whole process and never have to worry about it again. Nothing has to be done by hand.

Let’s Encrypt opened to the public in December 2015. Its aim is to make certificates ubiquitous: a system administrator can issue one in a few minutes, and people who cannot or do not want to pay for a certificate can still serve their sites over HTTPS.

2 – Why you should use Let’s Encrypt

First, I advise you to read my beginner’s guide to SSL, where I cover the different ways of obtaining an SSL certificate. A self-signed certificate is only good for tests and for private servers with no public access: browsers will warn about it, so if you want a site visible on the internet you need a certificate from a publicly trusted authority.

Let’s Encrypt vs paid authorities: which one should you use?

Short answer: the encryption is identical, the differences are validation level and warranty. Let’s Encrypt issues domain-validated (DV) certificates only, with no warranty. When you buy a certificate, you also buy a warranty (each authority has its own amounts and conditions, scaled to the price) covering losses caused by a mis-issued certificate in a financial transaction, and you can get organization-validated (OV) or extended-validation (EV) certificates that carry your verified company identity. So if you run an e-commerce website that takes payments, I advise buying a certificate with a warranty chosen according to the revenue you make.

If your website handles no financial transactions, Let’s Encrypt is as good as any other authority, and in my opinion even better thanks to its automated renewal. Once it is set up you never have to think about it again: the certificate renews by itself. Knowing you will never have an expired certificate because someone missed a renewal is a major bonus.

3 – Let’s Encrypt Market Share

At the time of writing, Let’s Encrypt had issued almost 50M active certificates (47.6M in December 2017). A year earlier it was used by 13% of all websites with an SSL certificate, ranking third among certificate providers after Comodo and Symantec (source: see this excellent article on Let’s Encrypt’s impact on the SSL market).

On average, around 600K certificates are issued per day with Let’s Encrypt.

Implement Let’s Encrypt

1 – Install Let’s Encrypt

First, install the Let’s Encrypt client (Certbot, formerly simply called letsencrypt) on the server that will host the domain. The client generates the keys and certificates for you, so you do not need to know any OpenSSL command line: you launch it and supply your domain name and email address. You can install it from its GitHub repository, so you need Git on the server. (The letsencrypt-auto wrapper used below has since been deprecated by the Certbot project; current releases are installed from distribution packages or as a snap, but the subcommands and options shown here are the same.)

apt install git

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt --depth=1

The client is now available in the folder /opt/letsencrypt/.

2 – Generate your SSL certificates

The client has to talk to Let’s Encrypt’s ACME server, which checks that you control the domain by connecting to the host your domain name points to. Something therefore has to answer on your server during validation. There are two ways: either you configure your own web server to serve the challenge files Let’s Encrypt requests (the webroot method), or you let the client run its own built-in web server for the duration of the validation (the standalone method).

The second option is easier to set up, so we use it here. Its drawback is that the built-in server needs port 80 (or 443) to itself, so if you already run a web server (nginx or Apache) you have to stop it for a few seconds.

cd /opt/letsencrypt/

service nginx stop

Now generate your certificate. We ask for a 4096-bit RSA key (--rsa-key-size) and give the domain name to certify (here www.isicca.com) with -d; it becomes the subject alternative name of the certificate. Of course, this domain name must already have a public DNS record pointing to your server, otherwise the validation fails.

On the first run, letsencrypt-auto downloads and installs its own dependencies; just let it finish.

/opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 --standalone -d www.isicca.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxx@isicca.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.isicca.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.isicca.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.isicca.com/privkey.pem
Your cert will expire on 2018-03-19. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Your certificate is now issued and stored in the folder above: fullchain.pem holds your certificate followed by the authority’s intermediate chain, and privkey.pem holds the private key. Keep privkey.pem readable by root only; anyone who can read it can impersonate your site.

ls -hal /etc/letsencrypt/live/www.isicca.com/

You can now restart your webserver :

service nginx start

3 – Renew your certificates

Let’s Encrypt certificates are valid for 90 days, and that lifetime cannot be extended: you must renew before the 90 days are up. The short lifetime is deliberate, it limits the damage of a leaked key and forces you to automate renewal.

You can renew every certificate on the machine or a single one. The renew subcommand only replaces certificates with fewer than 30 days left, so it is safe to run often (Certbot’s own documentation suggests twice a day); a monthly entry works too. To automate this we use cron:

vi /etc/crontab

# renew one certificate on the 1st of each month (--renew-by-default forces a new issuance even when not due).
# The commands are chained with ";" not "&&", so nginx is started again even when the renewal fails.
00 0 1 * * root service nginx stop; /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d www.isicca.com; service nginx start
# renew every certificate that has fewer than 30 days left
00 0 1 * * root service nginx stop; /opt/letsencrypt/letsencrypt-auto renew --quiet; service nginx start
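Two things go wrong in practice with the files from the previous section and the cron lines above: a vhost ends up pointing at the wrong key (for example fullchain.pem given as the key file), and a renewal fails silently until the certificate expires. The script below is an added example for this article, not Certbot’s own tooling: it checks that privkey.pem really belongs to fullchain.pem, reports how many days of validity remain against Certbot’s 30-day renewal threshold, lists the DNS names the certificate covers, and wraps letsencrypt-auto renew with hooks so the web server comes back even when Certbot fails. It assumes openssl is installed, the standard Certbot layout /etc/letsencrypt/live/<name>/{fullchain.pem,privkey.pem}, the /opt/letsencrypt/letsencrypt-auto path used throughout the article, and that the script itself is installed as /usr/local/sbin/cert-check.sh (an assumed location).

```shell
#!/bin/sh
# cert-check.sh: sanity checks for a Certbot lineage directory plus a safer
# renewal wrapper. Added example for this article; not part of Certbot.
# Assumes: openssl in PATH, the Certbot layout
# /etc/letsencrypt/live/<name>/{fullchain.pem,privkey.pem}, the
# /opt/letsencrypt/letsencrypt-auto path from the article, and that this
# file is installed as /usr/local/sbin/cert-check.sh (assumed location).
set -u

# Return 0 when the private key in $2 belongs to the certificate in $1.
# Both sides are normalised to a PEM SubjectPublicKeyInfo by openssl, so the
# comparison is exact. Catches a vhost whose key directive points at
# fullchain.pem, or a key restored from the wrong backup. Returns 1 when a
# file is missing or unreadable.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate in $1 is still valid $2 days from now.
# openssl -checkend wants the window in seconds.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Return 0 when a renewal is due, i.e. fewer than $2 days of validity remain
# (Certbot's own renew threshold is 30 days); 2 when the file is unreadable.
cert_needs_renewal() {
    [ -r "$1" ] || return 2
    if cert_valid_for_days "$1" "$2"; then return 1; else return 0; fi
}

# Print the DNS names the certificate in $1 covers, one per line, so you can
# confirm a multi-domain certificate really lists every -d you passed.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Run every check against one lineage directory ($1) with a renewal threshold
# in days ($2, default 30). Non-zero on the first problem so cron or a
# deploy hook can alert on it.
check_lineage() {
    dir=$1; threshold=${2:-30}
    if ! key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem"; then
        echo "$dir: privkey.pem does not match fullchain.pem" >&2
        return 1
    fi
    if cert_needs_renewal "$dir/fullchain.pem" "$threshold"; then
        echo "$dir: fewer than $threshold days of validity left" >&2
        return 1
    fi
    echo "$dir: key matches, valid for more than $threshold days, names: $(cert_dns_names "$dir/fullchain.pem" | tr '\n' ' ')"
}

# Renew whatever is due without the "stop && renew && start" footgun that
# leaves nginx down when Certbot fails: --post-hook runs after every attempt,
# success or failure, and --deploy-hook runs only for lineages that were
# actually replaced. RENEWED_LINEAGE is set by Certbot for deploy hooks.
renew_all() {
    /opt/letsencrypt/letsencrypt-auto renew --quiet \
        --pre-hook "service nginx stop" \
        --post-hook "service nginx start" \
        --deploy-hook '/usr/local/sbin/cert-check.sh "$RENEWED_LINEAGE"'
}

# Usage: cert-check.sh /etc/letsencrypt/live/www.isicca.com [days]
#        cert-check.sh renew
case "${1:-}" in
    "")    ;;                                 # no argument: only define the functions
    renew) renew_all ;;
    *)     check_lineage "$1" "${2:-30}" ;;
esac
```

Run it once by hand after issuance (cert-check.sh /etc/letsencrypt/live/www.isicca.com) and put cert-check.sh renew in the crontab instead of the stop/renew/start chain; the deploy hook then re-checks each lineage that was actually replaced, and a non-zero exit surfaces in cron’s mail.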

4 – Configure your certificates in Nginx or Apache

It is really easy to use your Let’s Encrypt certificate in your web server. In nginx, you just add an SSL listener and tell the vhost where to find the certificate and the key. The process is the same with Apache, except that you must enable the ssl module first. In both cases point the server at fullchain.pem, not at the leaf certificate alone, otherwise clients that do not already have the intermediate certificate will fail to validate the chain.

If you don’t have a web server yet, I suggest reading my article on how to install LEMP in 4 steps.

4.1 – Nginx

Edit your vhost with the following parameters:

vi /etc/nginx/sites-available/website

server {
    server_name www.isicca.com;
    listen 443 ssl;
    # only TLS 1.2: SSLv3, TLS 1.0 and TLS 1.1 are refused
    ssl_protocols TLSv1.2;
    # certificate plus intermediate chain, and the matching private key
    ssl_certificate     /etc/letsencrypt/live/www.isicca.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.isicca.com/privkey.pem;
    root /var/www/;
}

4.2 – Apache

First enable the ssl module. The default SSL vhost (default-ssl) is disabled on Debian and Ubuntu unless you enabled it yourself; if it is active, disable it so it does not catch requests on port 443 before your vhost does. Finally, add these directives to your configuration.

a2enmod ssl && a2dissite default-ssl

vi /etc/apache2/sites-available/website.conf

<VirtualHost *:443>
    ServerName www.isicca.com
    DocumentRoot /var/www
    SSLEngine On
    # only TLS 1.2, as in the nginx configuration above
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # certificate plus intermediate chain, and the matching private key
    # (not fullchain.pem again: the key file must be privkey.pem)
    SSLCertificateFile    /etc/letsencrypt/live/www.isicca.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.isicca.com/privkey.pem
</VirtualHost>

Then, activate this vhost :

a2ensite website && service apache2 reload

9 expert options to master Let’s Encrypt like a pro

1 – Generate certificate for many domains

You can of course issue a single certificate covering several domain names (up to 100 names per certificate). They can be unrelated domains or just subdomains, and each one is validated separately:

/opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 --standalone -d www.isicca.com,isicca.com,subdomain.isicca.com,anotherdomain.com

2 – Generate certificate with a wildcard

Wildcard certificates (*.isicca.com) have been available since March 2018 with version 2 of the ACME protocol. They can only be validated with the dns-01 challenge, so you need an ACME v2 capable client and the ability to publish a TXT record at _acme-challenge.isicca.com for each issuance.

3 – Use hooks to control your webserver

I like to start and stop nginx myself from the command line, because I think it is up to us to manage our web server, but Let’s Encrypt can do it for us too (useful for unattended runs). --pre-hook runs before the challenge and --post-hook after every attempt, whether or not it succeeded, so the web server comes back even when issuance fails. For renewals there is also --deploy-hook, which runs only when a certificate was actually replaced and is the right place for a reload:

/opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 --standalone -d www.isicca.com --pre-hook "service nginx stop" --post-hook "service nginx start"

4 – Choose between HTTP and HTTPS for the stand alone server

By default, the built-in web server listens on port 80 and answers the http-01 challenge. When this article was written you could make it listen on port 443 instead by asking for the tls-sni challenge:

/opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 --standalone -d www.isicca.com --preferred-challenges tls-sni

Caveat: Let’s Encrypt disabled the tls-sni-01 challenge in January 2018 because of a weakness on shared-hosting providers, and later removed it entirely, so this command no longer works. If you cannot open port 80, the port 443 alternative is the tls-alpn-01 challenge, which Certbot’s standalone plugin does not implement (other ACME clients do), or the dns-01 challenge described in option 5.

5 – Generate certificates from another computer

If you have no shell access on the production server, you can issue the certificate from another machine, even one the domain name does not point to, by proving control through DNS instead of HTTP. In manual mode the client gives you a value to publish as a TXT record at _acme-challenge.www.isicca.com, waits for you to confirm, and validates once the record is visible. You then copy fullchain.pem and privkey.pem to the production server yourself. --manual is itself the authenticator, so it is not combined with --standalone:

/opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 -d www.isicca.com --manual --preferred-challenges dns

6 – Add domain names to an existing certificate

You already have a certificate and want to add domain names to it? Issue a new certificate with the complete list of names (existing ones included) and keep the current certificate name with --cert-name, so the new certificate replaces the old lineage instead of creating a second one:

/opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 --standalone --cert-name www.isicca.com -d www.isicca.com,isicca.com

7 – Force the renewal of a certificate

If you ask to renew a certificate that is not yet due, the client refuses because it does not consider it necessary. You can force it with this argument, but use it sparingly: Let’s Encrypt limits identical certificates to 5 per week, and forced renewals count against that limit:

/opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --force-renewal -d www.isicca.com

8 – Revoking a certificate

If your private key has been compromised, revoke the certificate (the --reason value is recorded in the revocation), then issue a replacement. Certbot generates a new private key for each issuance unless you pass --reuse-key, so the new certificate will not share the compromised key:

/opt/letsencrypt/letsencrypt-auto revoke --cert-path /etc/letsencrypt/live/www.isicca.com/fullchain.pem --reason keycompromise

You can then remove it from your system so the client stops trying to renew it:

/opt/letsencrypt/letsencrypt-auto delete --cert-name www.isicca.com

9 – Change the rotation’s log value

By default, the client rotates its log file on every run and keeps up to 1000 old copies (letsencrypt.log.1, .2 and so on). To keep fewer, use the following argument:

/opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 --standalone -d www.isicca.com --max-log-backups 99