My first steps with Let’s Encrypt

A first look at the Let’s Encrypt Certificate Authority including a walkthrough how to create your first SSL certificate

On a testing machine I installed over the weekend, I had a chance to give Let’s Encrypt a try.

Let's Encrypt
Let’s Encrypt


For those who don’t know, Let’s Encrypt provides free SSL certificates. While several CAs offer them on a domain-validated basis already, Let’s Encrypt is mostly automated from the end-user point of view and issues certificates instantly. Drawbacks is that its certificates expire within three months, and it doesn’t support wildcard certificates (yet).

The Let’s Encrypt client

To get a certificate, you can use their client, which provides various modes, including automatic installation within your webserver. I opted for the manual mode:

  1. To install the client on your system, clone the respective git repository with
    git clone
  2. To create a key with 4096 bit in size, create a certificate request with several host names and have the certificate issued, invoke the client via
    letsencrypt/letsencrypt-auto certonly --standalone --rsa-key-size 4096 --email --domains hostname.your.domain,your.domain,www.your.domain

    If you are familiar with their terms of service and agree to them, you can add –agree-tos to the command line to skip the prompt.

  3. The Let’s Encrypt client now tries to verify the domain(s), so ensure that the DNS A or AAAA records point to your server’s IP before, and that your firewall allows the connection.
  4. If all went well, the new certificate resides in /etc/letsencrypt/live/your.domain and can be included in your mail, web and other application server. Don’t forget to renew it in due time.


Running a client with system permissions is not everyone’s favorite option – there are several other means of getting your certificates, including a purely web-based (which I didn’t test myself yet).

Autor: Florian Effenberger

Florian engagiert sich seit über 18 Jahren für freie Software und ist einer der Gründer der The Document Foundation, der Stiftung hinter LibreOffice

3 Gedanken zu „My first steps with Let’s Encrypt“

  1. Seems I also managed my first renewal run. Here’s how it worked for me:

    1. Stop your web server
    2. letsencrypt/letsencrypt-auto renew --standalone --rsa-key-size 4096 --email --dry-run
    3. If all goes well, repeat the above, removing –dry-run
    4. Restart your web server
    5. Enjoy :-)

Schreibe einen Kommentar

Ich stimme der Datenschutzerklärung zu