Let’s Encrypt makes it easy for any website owner to obtain a free, valid SSL certificate.

How to use

The tool it offers is certbot (previously named letsencrypt). To obtain a cert, we must prove to Let’s Encrypt that we control the domain. certbot supports several authenticators for doing that:

  • apache: Authenticate using Apache web server.

  • nginx: Authenticate using Nginx web server.

  • webroot: Authenticate by writing to root dir of a running web server.

  • standalone: Authenticate using a standalone web server.

  • manual: Authenticate manually.

Personally, I find the standalone authenticator the most useful. It does not require Apache or Nginx to be installed, nor does it touch the webroot of an existing web server (it runs its own small web server to answer the challenge, so the challenge port must be free while certbot runs). It also makes renewal easier, because the standalone web server’s configuration is unlikely to change.

Request

To request a cert using the standalone authenticator:

certbot certonly --standalone -d example.com

If you specify multiple domains, then all of them will be included in the cert.

The generated files are:

cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

When configuring the web server, use fullchain.pem (not cert.pem) as the certificate and privkey.pem as the private key.

Renew

To renew a cert:

certbot renew

If behind a CDN (e.g. Cloudflare):

certbot renew --preferred-challenges http-01

Revoke

To revoke a cert:

certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem

After revoking a cert, certbot will ask whether to also delete it. Usually you should choose Yes.
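Two checks worth scripting around the files above, as an added example (not certbot’s own code): whether a cert is already inside the renewal window, and whether privkey.pem really belongs to the cert the web server is serving. It assumes openssl is on PATH; the only paths it creates are throwaway test fixtures, while on a real host you would point it at the /etc/letsencrypt/live/example.com/ files listed earlier.

```shell
#!/bin/sh
# Added example (not from certbot): renewal-window and key/cert checks
# built only on openssl. On a real host, $cert would be
# /etc/letsencrypt/live/example.com/fullchain.pem and $key privkey.pem.

# Exit 0 if the certificate at $1 expires within $2 days (i.e. renew it),
# exit 1 if it is still good for longer than that.
# 30 days is certbot's own default renewal threshold.
needs_renewal() {
    cert="$1"
    days="${2:-30}"
    seconds=$((days * 86400))
    # -checkend exits 0 if the cert is still valid $seconds from now,
    # 1 if it will have expired by then.
    if openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null; then
        return 1
    else
        return 0
    fi
}

# Exit 0 if private key $2 matches certificate $1 (the pair a web server
# needs: fullchain.pem + privkey.pem), else exit 1. Both commands print
# the SubjectPublicKeyInfo in PEM form, so the outputs must be identical.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed test fixture: a self-signed cert for example.com valid for
# $2 days, written to $1/cert.pem with its key at $1/privkey.pem.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.com" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}
```

Run `needs_renewal` from cron against fullchain.pem to alert before certbot’s own renewal window is missed, and `key_matches_cert` after any manual file shuffling, since a mismatched pair is the usual cause of a web server refusing to start after a renewal.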

Documentation

The certbot documentation is here.

How it works

It’s relatively easy to understand how it works. The agent generates a key pair and sends the public key to the Let’s Encrypt CA. It then proves to the CA that it controls the domain, and that it holds the matching private key, by completing the challenges the CA issues.

Once the agent holds an authorized key pair, requesting, renewing and revoking certificates are simple, signed requests to the CA.

Finally, it’s worth noting that certs from Let’s Encrypt are only valid for 3 months, so the website owner needs to renew them regularly to keep them valid.