Let’s Encrypt

This guide will show you how to get free certificates using Let’s Encrypt.

While Let’s Encrypt provides scripts that are able to edit your webserver configuration files, I don’t trust anyone enough to do that. The Let’s Encrypt scripts will only be used to create and renew certificates.

Let’s Encrypt is still a very young project. While certificate creation is working pretty well, scripts are still changing rapidly. Stay tuned and be prepared to update your configuration.

Prerequisite
This guide assumes that you have an Nginx server running and listening on port 80.

The certificates can then be used for other purposes, such as an email server. Nginx is only used for the renewal process.

Installation
If you are using Debian Jessie, you will need to configure the jessie-backports source for the following command to work.

Register Account
Although not mandatory, it is recommended to provide an email address when registering your account. Make sure you enter it correctly, as Let’s Encrypt will not validate it. The error about a missing parameter is normal. You should be looking at the IMPORTANT NOTES section in the output.

Nginx

 * First, create the folder


 * Create the file

Renewal Script
Let’s Encrypt delivers certificates that are valid for 90 days. This makes automatic renewal an important part of the setup. They also have a limit of 20 certificates per week per domain.

In order to avoid blocking your domain (in case you need to create a new certificate), the following script will renew at most one certificate per run.

Certificates are renewed 30 days before expiry. Additionally, if a certificate is close to expiry (20 days), a warning will be displayed with details.


 * Save the following file as  and make it executable


 * You can then run it automatically during the night. Add this to the file
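The renewal policy described above (renew at most one certificate per run, 30 days before expiry, warn at 20 days) as an added example; this is not the author's script. It assumes certificate expiry is read with `openssl x509 -enddate -noout`, and the certificate names and dates in `demo()` are constructed.

```python
import subprocess
from datetime import datetime, timedelta, timezone

RENEW_BEFORE = timedelta(days=30)  # renew when fewer than 30 days remain
WARN_BEFORE = timedelta(days=20)   # warn loudly when fewer than 20 days remain


def parse_enddate(line):
    """Parse the 'notAfter=Mar  4 12:00:00 2025 GMT' line printed by
    'openssl x509 -enddate -noout' into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    parts = value.split()                 # collapses the padded day field
    if parts[-1] != "GMT":
        raise ValueError("unexpected timezone in %r" % line)
    naive = datetime.strptime(" ".join(parts[:-1]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def cert_enddate(cert_path):
    """Read the expiry of a PEM certificate on disk via openssl."""
    out = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
                         check=True, capture_output=True, text=True).stdout
    return parse_enddate(out)


def plan_renewal(expiries, now):
    """expiries: {name: expiry datetime}. Returns (name_to_renew or None, warnings).
    Only the certificate closest to expiry is selected, so a misbehaving cron
    job can never burn through the weekly per-domain rate limit in one night."""
    warnings, candidate = [], None
    for name, expiry in sorted(expiries.items(), key=lambda kv: kv[1]):
        remaining = expiry - now
        if remaining < WARN_BEFORE:
            warnings.append("WARNING: %s expires in %d days (%s)"
                            % (name, remaining.days, expiry.strftime("%Y-%m-%d")))
        if remaining < RENEW_BEFORE and candidate is None:
            candidate = name
    return candidate, warnings


def demo():
    """Constructed data: three certificates with 90, 25 and 10 days left."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    expiries = {"example.com": now + timedelta(days=90),
                "mail.example.com": now + timedelta(days=25),
                "im.example.com": now + timedelta(days=10)}
    return plan_renewal(expiries, now)


if __name__ == "__main__":
    print(demo())
```

Only `im.example.com` is renewed in that run; `mail.example.com` is also under the 30-day threshold and will be picked up by the next nightly run.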

Web Server
Let’s Encrypt requires a website to be reachable on port 80 before delivering a certificate for your domain.

If you are creating a certificate for a website, you simply need to first create the configuration for Nginx.

If your certificate is not intended for the web (SMTP, IMAP, Jabber…), you can create a dedicated config in Nginx.

Edit the file as below. There should be one  per domain in your certificates. Note that this configuration needs to stay in place after you have obtained the certificate, as certificates are renewed automatically every 60 days.

Make sure you reload the Nginx configuration.

Certificate
Now, you just need to add your certificate to the  list in. Each certificate is represented by a dict with two keys:
 * The list of domains to be included in the certificate. The order is important, as the first domain is used for the certificate file name.


 * List of commands to be executed after certificate creation. Each command is represented by a list: first item is the command, next ones are arguments.

Here are some examples:

And finally, just get your certificate

Note that the command will create only one certificate per execution. If you added several of them, you need to run the command several times.

Revoke Certificate
If someone may have been able to access the private key of one of your certificates, it is strongly recommended to revoke it.

Identify the Certificate to Revoke
The first thing to do is to know which certificate you want to revoke. This will give you the path of the currently active certificate in the  folder.

Renew the Certificate
If the certificate you want to revoke is active, you need to renew it before revoking it.

Revoke the Old Certificate
Use the path found at step 1. The command does not output anything on success.