Let’s Encrypt: Public Beta – Starting today, Let’s Encrypt is open for everyone – Update

Until now Let’s Encrypt was available only by invitation or by signing up to a waiting list. As of today Let’s Encrypt is in public beta, meaning everybody can start creating their own free certificates. General information about Let’s Encrypt and how it differs from other CAs is covered in the article “Let’s Encrypt initiative enters beta stage on December 3rd 2015“. Here we will create our own free domain-validated certificates.

Preliminary notes

Let’s Encrypt introduces a new protocol called “ACME” (Automatic Certificate Management Environment; the pun may be intended). The Let’s Encrypt client talks ACME to the Let’s Encrypt CA server to start the validation process. The client is already available and easily downloaded with git, and it can automatically request and install certificates for all domains served by a machine.

Let’s Encrypt certificates are only valid for 90 days, so it is important to set up an automated renewal process to avoid expired certificates.

Installing the Let’s Encrypt Client

The client can be downloaded from GitHub; the git command line tool is needed for that. The current version number is 0.5.0.

The letsencrypt client itself is written in Python. On first start it attempts to install any required Python packages automatically.

A list of all available options can be displayed with the --help all parameter.

The various certificate request methods

The Let’s Encrypt client has several modes to request and validate certificates: an Apache plugin, a standalone web server built into the client, and simple files placed in the document root of each domain (webroot). Standalone mode requires the regular web server to be shut down so that the client can bind port 80 on the machine; the other methods do not require a service interruption.

Automated certificates

If the client is started without any parameters it tries to detect the type of web server and the configured domains. It then shows a list of all domains found, from which you select the ones for which certificates should be requested.

This should be used with caution: if the web server configuration is a little out of the ordinary, the automatic modification may fail and leave a configuration that has to be fixed by hand. Backing up the configuration should be the first step.

Manual installation with files placed in the document root

This mode simply creates some files below /.well-known/acme-challenge/ in the domain’s document root folder. The CA server fetches these files over plain HTTP to verify control of the domain, and the certificate is issued. This is more or less one of the standard procedures for domain-validated certificates, besides sending mail to postmaster@domain.tld.

There might be a problem if the site uses URL rewrites for search-engine-friendly URLs: a catch-all rewrite rule can send the CA server’s request somewhere else, so it never sees the challenge files and the validation fails. Such rules need an exception for the challenge path.

The certonly subcommand tells the client to only obtain the certificate and not to install it. The --webroot option tells it to place the validation files in the document root of domain.tld. If the client cannot find the document root, it can be specified with --webroot-path=/var/www/…

The certificate is then stored under /etc/letsencrypt/live/domain.tld/. The certificate for this blog was issued with the same method.

Multiple domains and subdomains

We can also create one certificate covering multiple domains and subdomains by passing several -d options. Every name has to pass the validation separately, so each of them must resolve to the server and serve the challenge files.
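The following script is an added example for the webroot procedure and the multi-domain case above; it is not code from the original post. It first drops a probe file into the challenge directory and fetches it over HTTP, which catches exactly the rewrite and wrong-document-root problems mentioned above before the CA gets involved, and then builds and runs the certonly command with one -d per name. Assumptions not taken from the post: the client is cloned to /opt/letsencrypt (LE_CLIENT), curl is installed, and all names share one document root.

```shell
#!/bin/sh
# Added example (not the post's own code): request one certificate for several
# names in webroot mode, after checking that the challenge path is reachable.
# Assumptions: client at /opt/letsencrypt (override with LE_CLIENT), curl present,
# one shared document root for all names on the command line.
set -eu

LE_CLIENT=${LE_CLIENT:-/opt/letsencrypt/letsencrypt-auto}
CHALLENGE_PATH=".well-known/acme-challenge"   # path the ACME http-01 check fetches

# challenge_dir WEBROOT: directory in which the client places the challenge files.
challenge_dir() {
    printf '%s/%s\n' "${1%/}" "$CHALLENGE_PATH"
}

# write_probe WEBROOT: create a random probe file in the challenge directory and
# print its name. A fetch of http://<domain>/.well-known/acme-challenge/<name>
# must return that same name, which mimics what the CA does with the real token.
write_probe() {
    dir=$(challenge_dir "$1")
    mkdir -p "$dir"
    token=$(od -An -N 16 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s' "$token" > "$dir/$token"
    printf '%s\n' "$token"
}

# probe_ok DOMAIN WEBROOT: succeed only if the probe comes back unchanged over HTTP.
# A failure here usually means a catch-all rewrite rule, a wrong document root or
# a firewall in front of port 80, all of which make the real validation fail too.
probe_ok() {
    domain=$1; webroot=$2
    token=$(write_probe "$webroot")
    got=$(curl -sS -m 10 -L "http://$domain/$CHALLENGE_PATH/$token" || true)
    rm -f "$(challenge_dir "$webroot")/$token"
    [ "$got" = "$token" ]
}

# le_webroot_cmd WEBROOT DOMAIN...: the command line the post describes: certonly so
# nothing is installed, --webroot with an explicit path, one -d per name. The first
# name becomes the certificate's common name; all of them go into the SAN list.
le_webroot_cmd() {
    webroot=$1; shift
    cmd="$LE_CLIENT certonly --webroot --webroot-path $webroot"
    for name in "$@"; do
        cmd="$cmd -d $name"
    done
    printf '%s\n' "$cmd"
}

main() {
    webroot=$1; shift
    for name in "$@"; do
        if probe_ok "$name" "$webroot"; then
            echo "ok:   $name serves /$CHALLENGE_PATH/ from $webroot"
        else
            echo "FAIL: $name does not serve /$CHALLENGE_PATH/ from $webroot" >&2
            exit 1
        fi
    done
    echo "+ $(le_webroot_cmd "$webroot" "$@")"
    # rewrite the positional parameters from "a b c" into "-d a -d b -d c"
    for name in "$@"; do set -- "$@" -d "$name"; shift; done
    "$LE_CLIENT" certonly --webroot --webroot-path "$webroot" "$@"
}

# Usage: ./le-webroot.sh /var/www/domain.tld domain.tld www.domain.tld
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

The probe runs from the server itself, so it can pass while an external fetch is still blocked by a firewall; if in doubt, fetch the printed probe URL from another network as well. If the probe fails because of a catch-all rewrite in Apache, a `RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/` placed before that RewriteRule exempts the challenge path.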

The standalone mode

To avoid any dependence on the installed web server software, the client can also work in standalone mode, in which it runs its own minimal web server to answer the validation requests.

For this to work, the letsencrypt client must be able to bind TCP port 80 on the server, which means the “real” web server has to be shut down for the duration of the validation.

Result:
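Since standalone mode means taking the real web server down, the operational risk is forgetting to bring it back when the client fails or the session is interrupted. The following wrapper is an added example, not code from the post: it stops the web server, runs the client in standalone mode, starts the web server again whatever the outcome, and passes the client’s exit status on to the caller. The stop/start commands (service apache2 stop/start) and the client path are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not the post's own code): run the client in standalone mode with
# the real web server stopped, and guarantee that the web server is started again.
# Assumptions: client at /opt/letsencrypt, web server controlled via "service apache2".
set -eu

LE_CLIENT=${LE_CLIENT:-/opt/letsencrypt/letsencrypt-auto}
WEB_STOP=${WEB_STOP:-"service apache2 stop"}
WEB_START=${WEB_START:-"service apache2 start"}

# run_standalone NAME...: stop the real web server so the client can bind port 80,
# request the certificate with the client's built-in server, and start the real
# web server again no matter how the client exits. Returns the client's exit status.
run_standalone() {
    $WEB_STOP
    # safety net: if the script dies or is interrupted, the EXIT trap still starts it
    trap '$WEB_START' EXIT
    # rewrite the positional parameters from "a b c" into "-d a -d b -d c"
    for name in "$@"; do set -- "$@" -d "$name"; shift; done
    rc=0
    "$LE_CLIENT" certonly --standalone "$@" || rc=$?
    $WEB_START
    trap - EXIT
    return $rc
}

# Usage: ./le-standalone.sh domain.tld www.domain.tld
if [ "$#" -ge 1 ]; then
    run_standalone "$@"
fi
```

Run it from a terminal multiplexer or cron rather than an interactive SSH session that may drop; the EXIT trap covers the script being killed, but nothing covers the machine losing power mid-way, so keep the outage window short by validating all names in one run.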

Renew certificates automatically

Because of the 90-day lifetime, an automated renewal process is in order. It is not yet entirely clear how this will work in the future. In theory the client still knows which options were used when a certificate was created, so running letsencrypt-auto -d domain.tld again should be enough to renew it. Whatever command is used, it should run well before the expiry date, so that a failed attempt still leaves time to notice and react.

The following simple PHP script uses that approach and tries to renew certificates that will expire soon.

Simple Let’s Encrypt renewal script

Currently this script does not check whether the renewal was successful. It also only renews the certificates and does not touch the configuration files. But at least it reloads Apache if any changes were made.
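As an added example that is not the post’s PHP script, here is a shell renewal driver that closes the gaps just described: it only re-runs the webroot request for certificates that expire within a configurable number of days (checked with openssl), exits non-zero when the client fails so that cron mails the error, and reloads Apache only when a certificate file actually changed. It assumes, beyond what the post states, that the client lives at /opt/letsencrypt, that Apache is reloaded with service apache2 reload, and that the domains and their document roots are listed one per line as “domain webroot” in /etc/letsencrypt/domains.txt, a file invented for this example.

```shell
#!/bin/sh
# Added example (not the post's PHP script): cron-driven renewal with a success
# check and a reload only when a certificate really changed.
# Assumptions: client at /opt/letsencrypt; domain list "<domain> <webroot>" per line
# in /etc/letsencrypt/domains.txt (invented here); Apache reloaded via "service".
set -eu

LE_CLIENT=${LE_CLIENT:-/opt/letsencrypt/letsencrypt-auto}
LE_LIVE=${LE_LIVE:-/etc/letsencrypt/live}
LE_DOMAINS=${LE_DOMAINS:-/etc/letsencrypt/domains.txt}
RENEW_DAYS=${RENEW_DAYS:-30}
APACHE_RELOAD=${APACHE_RELOAD:-"service apache2 reload"}

# needs_renewal CERT DAYS: succeed when CERT expires within DAYS days.
# "openssl x509 -checkend" returns 0 while the cert stays valid that long, 1 otherwise.
needs_renewal() {
    ! openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 ))
}

# fingerprint FILE: cheap content hash (POSIX cksum) used to detect a replaced cert.
fingerprint() {
    cksum < "$1"
}

# renew_one DOMAIN WEBROOT: re-run the webroot request from the post for one domain.
# Prints "renewed", "unchanged" or "failed" and returns non-zero on failure.
renew_one() {
    domain=$1; webroot=$2
    cert="$LE_LIVE/$domain/cert.pem"
    before=$(fingerprint "$cert")
    if ! "$LE_CLIENT" certonly --webroot --webroot-path "$webroot" -d "$domain"; then
        echo "failed"
        return 1
    fi
    if [ "$(fingerprint "$cert")" != "$before" ]; then
        echo "renewed"
    else
        echo "unchanged"
    fi
}

# renew_all: walk the domain list, renew what is due, reload Apache once if anything
# changed, and return non-zero if any renewal failed (so cron reports it).
renew_all() {
    changed=0; failed=0
    while read -r domain webroot; do
        [ -n "$domain" ] || continue
        cert="$LE_LIVE/$domain/cert.pem"
        if [ ! -f "$cert" ]; then
            echo "no certificate found for $domain" >&2
            failed=$((failed + 1))
            continue
        fi
        needs_renewal "$cert" "$RENEW_DAYS" || continue
        result=$(renew_one "$domain" "$webroot") || true
        echo "$domain: $result"
        case $result in
            renewed) changed=$((changed + 1)) ;;
            failed)  failed=$((failed + 1)) ;;
        esac
    done < "$LE_DOMAINS"
    if [ "$changed" -gt 0 ]; then
        $APACHE_RELOAD
    fi
    [ "$failed" -eq 0 ]
}

# Run daily from cron, e.g. "17 3 * * * /usr/local/sbin/le-renew.sh"
if [ "${1:-}" = "run" ]; then
    renew_all
fi
```

Thirty days of lead time means a broken renewal produces a month of daily cron errors before anything actually expires, which is the point. The fingerprint comparison also guards against reloading Apache on every run when the client decides a certificate is not yet due.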

