Let’s Encrypt is a free, automated certificate authority: any website owner can obtain a valid TLS (SSL) certificate from it at no cost.
How to use
The tool it offers is certbot (previously named letsencrypt). To obtain a cert, we must prove to Let’s Encrypt that we control the domain; certbot does this through one of its authenticator plugins:
apache: prove control through an Apache web server (certbot temporarily adjusts its configuration to serve the challenge).
nginx: the same, through an Nginx web server.
webroot: prove control by writing the challenge file under .well-known/acme-challenge/ in the document root of a web server that is already running.
standalone: prove control with a temporary web server that certbot runs itself, bound to port 80.
manual: you place the challenge response yourself (a file or a DNS record) when certbot prompts you.
Personally, I found the most useful authenticator is standalone. It doesn’t require Apache or Nginx to be installed, nor does it touch the webroot of an existing web server. It also makes renewal easy, because the standalone server’s configuration is unlikely to change. The one caveat: standalone needs port 80 free while it runs, so if a web server already listens there it must be stopped for the duration (certbot’s --pre-hook and --post-hook options can stop and restart it around each run).
To request a cert using the standalone authenticator:
certbot certonly --standalone -d example.com
To put several names on one cert, repeat -d for each (for example -d example.com -d www.example.com); all of them are included in the cert as subject alternative names, and the first one names the directory under /etc/letsencrypt/live/.
The generated files are:
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem
When configuring the web server, use fullchain (not cert) as the certificate, so that the intermediate CA certificate is served along with the leaf, and privkey as the private key. The entries under live/ are symlinks to the newest versions in /etc/letsencrypt/archive/, so point the server at the live/ paths and the files stay current after each renewal.
To renew a cert (certbot reuses the options it saved under /etc/letsencrypt/renewal/ when the cert was first requested):
certbot renew
To revoke a cert:
certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem
After revoking a cert, certbot will ask whether to also delete it. Usually you should choose Yes. Revocation is for a compromised private key or a cert that should no longer be trusted; routine replacement only needs a renewal, not a revoke.
The certbot documentation is here.
How it works
It’s relatively easy to understand how it works. The agent (certbot) generates an account key pair and registers the public key with the Let’s Encrypt CA. It then proves to the CA that it controls the domain by completing challenges the CA issues: for the HTTP-01 challenge, the CA hands out a random token and the agent must serve a response derived from that token and its account key at http://<domain>/.well-known/acme-challenge/<token>, where the CA fetches it. Every request in the exchange is signed with the account private key, so the CA also learns that the agent holds that key.
Now the account key is authorized for the domain, and requesting, renewing and revoking certificates are simple signed requests. The certificate itself uses a separate key pair (the privkey.pem above); the account key only authenticates the agent to the CA.
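The HTTP-01 exchange described above, reduced to its two computations, as an added example (not certbot’s code and not from the original post). The agent turns the CA’s token and its account key into a key authorization and publishes it at the well-known path; the CA fetches it and compares it with its own computation. The RSA modulus, the token and the in-memory dict standing in for the web server are all constructed for the demonstration; only the encodings (RFC 7638 thumbprint, RFC 8555 key authorization and path) are the real ones.

```python
import base64
import hashlib
import json
import re

# Constructed placeholder account key: a 2048-bit odd integer, NOT a real RSA
# modulus.  Only the public-key encoding matters for this demonstration.
SAMPLE_N = (1 << 2047) | (1 << 1000) | 1
SAMPLE_E = 65537

# Members that go into an RFC 7638 thumbprint, per key type.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# RFC 8555 s.8.3: a token is base64url characters only; a client must check
# this before using the token as a file name or URL path component.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Base64url without padding, used everywhere in ACME (RFC 8555 s.6.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def rsa_public_jwk(n: int, e: int) -> dict:
    """Public half of an RSA account key as a JWK (RFC 7518 s.6.3.1)."""
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return {"kty": "RSA", "n": b64url(n_bytes), "e": b64url(e_bytes)}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required public members only, keys in lexicographic
    order, no whitespace, SHA-256, base64url.  Optional members such as "alg"
    or "kid" must not change the value, so they are dropped first."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s.8.1: the challenge response is token '.' thumbprint, which
    ties the CA's token to this particular account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """Well-known path the CA will fetch over plain HTTP on port 80."""
    return f"/.well-known/acme-challenge/{token}"


def agent_publish(webroot: dict, token: str, account_jwk: dict) -> None:
    """Agent side: what the webroot and standalone authenticators do, namely
    make the key authorization retrievable at the well-known path.  A
    malformed token is rejected rather than written into a path."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError(f"refusing malformed challenge token: {token!r}")
    webroot[challenge_path(token)] = key_authorization(token, account_jwk)


def ca_validate(webroot: dict, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the path and compare with its own computation.  The CA
    already knows the account key (registered earlier) and the token (it
    issued it), so the response proves control of the domain to whoever
    holds that account.  Trailing whitespace in the body is ignored, as
    RFC 8555 s.8.3 allows."""
    body = webroot.get(challenge_path(token))
    if body is None:
        return False
    return body.rstrip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    account = rsa_public_jwk(SAMPLE_N, SAMPLE_E)
    # Constructed token; a real CA sends one with at least 128 bits of entropy.
    token = b64url(hashlib.sha256(b"constructed demo token").digest())
    served = {}  # stands in for the URLs the agent's web server exposes
    agent_publish(served, token, account)
    print("GET", challenge_path(token))
    print("   ", served[challenge_path(token)])
    print("CA validation succeeded:", ca_validate(served, token, account))
```

Two details are worth noticing. The thumbprint ignores anything but the required public members, so adding "alg" or "kid" to the JWK does not change the key authorization; and the agent checks the token’s character set before turning it into a path, which is what stops a malicious or buggy CA response from steering a file write outside the challenge directory.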
Finally, it’s worth noting that certs from Let’s Encrypt are only valid for 90 days, so the website owner needs to renew them regularly to keep them valid. The renew subcommand only renews certs that are within 30 days of expiry, so it is safe to run it frequently from a cron job or systemd timer.