On a testing machine I installed over the weekend, I had a chance to give Let’s Encrypt a try.
For those who don’t know, Let’s Encrypt provides free SSL certificates. While several CAs offer them on a domain-validated basis already, Let’s Encrypt is mostly automated from the end-user point of view and issues certificates instantly. Drawbacks is that its certificates expire within three months, and it doesn’t support wildcard certificates (yet).
The Let’s Encrypt client
To get a certificate, you can use their client, which provides various modes, including automatic installation within your webserver. I opted for the manual mode:
- To install the client on your system, clone the respective git repository with
git clone https://github.com/letsencrypt/letsencrypt
- To create a key with 4096 bit in size, create a certificate request with several host names and have the certificate issued, invoke the client via
letsencrypt/letsencrypt-auto certonly --standalone --rsa-key-size 4096 --email email@example.com --domains hostname.your.domain,your.domain,www.your.domain
If you are familiar with their terms of service and agree to them, you can add –agree-tos to the command line to skip the prompt.
- The Let’s Encrypt client now tries to verify the domain(s), so ensure that the DNS A or AAAA records point to your server’s IP before, and that your firewall allows the connection.
- If all went well, the new certificate resides in /etc/letsencrypt/live/your.domain and can be included in your mail, web and other application server. Don’t forget to renew it in due time.
Running a client with system permissions is not everyone’s favorite option – there are several other means of getting your certificates, including a purely web-based (which I didn’t test myself yet).
3 Gedanken zu „My first steps with Let’s Encrypt“
Seems I also managed my first renewal run. Here’s how it worked for me:
1. Stop your web server
letsencrypt/letsencrypt-auto renew --standalone --rsa-key-size 4096 --email firstname.lastname@example.org --dry-run
3. If all goes well, repeat the above, removing –dry-run
4. Restart your web server
5. Enjoy :-)
I got hinted at one caveat: When renewing your certificates, make sure any existing TLSA records match or get updated in time, otherwise the verification will fail.