Free HTTPS Certs with LetsEncrypt's Certbot
Posted by Kyle Pericak in systems administration
Getting the certificate
Certbot obtains a certificate roughly as follows (this guide uses the HTTP-01 challenge):
- Certbot is run on the web server and asked for a cert for an FQDN, say example.com. It generates a private key and a certificate signing request locally; the private key never leaves the server.
- Certbot registers an account (an account key pair) with Let's Encrypt's ACME service, or reuses an existing one, and asks for authorization to issue for example.com. The service answers with a challenge containing a random token.
- In --standalone mode certbot opens its own temporary web server on port 80 (not 443: the HTTP-01 challenge is always fetched over plain HTTP) and serves the token, combined with a fingerprint of its account key, at http://example.com/.well-known/acme-challenge/<token>.
- Let's Encrypt's validation servers fetch that URL from the internet and compare the response with the value they expect. Only someone who controls the host the DNS name resolves to could have placed it there, so a correct response proves control of the domain.
- Let's Encrypt signs the certificate and makes it available. Certbot downloads it, together with the intermediate CA chain, to the local server.
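The exchange described above, as an added example that is not code from the original post or from certbot: both sides of an HTTP-01 challenge run in one process, with certbot's standalone listener replaced by an in-memory responder and Let's Encrypt's validator replaced by a function that fetches from it. The account JWK is a constructed toy value with the shape of a real RSA key (a real one carries a 2048-bit modulus); the token is random, as the CA would choose it.

```python
"""ACME HTTP-01 challenge, both sides, simulated in one process.

Added example, not code from the original post or from certbot. The account
keys below are constructed toy JWKs with the shape of real RSA keys; nothing
here touches the network or a real Let's Encrypt account.
"""
import base64
import hashlib
import json
import secrets

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data):
    """Base64url without '=' padding, the encoding ACME/JOSE use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the key's required members only,
    serialised with lexicographically sorted names and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token, account_jwk):
    """The value certbot must serve: <token>.<thumbprint of its account key>.
    The CA sends only the token; it knows the account's public key, so it can
    compute the same string itself and compare."""
    return token + "." + jwk_thumbprint(account_jwk)


class StandaloneResponder:
    """Stand-in for the temporary web server `certbot --standalone` opens on
    port 80. handle() plays the role of an HTTP GET against that server."""

    def __init__(self, account_jwk):
        self.account_jwk = account_jwk
        self.pending = set()

    def add_challenge(self, token):
        self.pending.add(token)

    def handle(self, path):
        if not path.startswith(CHALLENGE_PREFIX):
            return 404, ""
        token = path[len(CHALLENGE_PREFIX):]
        if token not in self.pending:
            return 404, ""
        return 200, key_authorization(token, self.account_jwk)


def validate_http01(responder, domain, token, account_jwk):
    """Let's Encrypt's side: fetch http://<domain>/.well-known/acme-challenge/<token>
    over plain HTTP and compare the body with the expected key authorization."""
    url = "http://%s%s%s" % (domain, CHALLENGE_PREFIX, token)
    status, body = responder.handle(CHALLENGE_PREFIX + token)
    valid = status == 200 and body.strip() == key_authorization(token, account_jwk)
    return {"url": url, "status": status, "valid": valid}


def run_exchange(domain, responder_jwk, account_jwk=None):
    """One full challenge round. Passing a different account_jwk simulates a
    host that serves the token but does not hold the ACME account key: the CA
    rejects it, which is what binds the proof to the account that asked."""
    token = b64url(secrets.token_bytes(32))        # CA picks a random token
    responder = StandaloneResponder(responder_jwk)  # certbot serves it on :80
    responder.add_challenge(token)
    return validate_http01(responder, domain, token, account_jwk or responder_jwk)


# Constructed toy account keys: the shape of an RSA JWK, not usable keys.
TOY_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "toy-modulus-not-a-real-key"}
OTHER_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "another-toy-modulus"}

if __name__ == "__main__":
    print(run_exchange("example.com", TOY_ACCOUNT_JWK))
```

The point the simulation makes is that the response is not a shared secret sent by the CA: it is the token plus a hash of the account's public key, so a third party who can intercept the token cannot answer on behalf of a different account, and a responder for another account is refused even though it returns 200.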
Configure DNS
First, ensure that your DNS A record, such as example.com, resolves to the IP address your server is using. Let's Encrypt connects to that address from the internet, so it needs to be a publicly routable address, not an internal RFC 1918 address, and TCP port 80 must be reachable from the internet through any firewall or cloud security group in front of the server.
Install Certbot
This guide assumes you're using Ubuntu Server. Run the following as root (or prefix each command with sudo).
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot
Note that the certbot PPA is no longer maintained. On current Ubuntu releases certbot is in the standard repositories, so apt-get install certbot works without the PPA, and the certbot project now publishes its latest releases as a snap.
Download the certificate
Set the site variable to the DNS name that points to this server.
site="example.com"
certbot certonly --standalone --preferred-challenges http -d $site
--standalone makes certbot bind port 80 itself for the duration of the challenge, so stop any web server that is already listening there first, otherwise certbot cannot bind the port and the challenge fails. If you would rather keep the web server running, the --webroot plugin serves the challenge file from a directory the existing server already exposes.
Use the certificate
You can find the certificates as files on your server.
> cd /etc/letsencrypt/live/$site
README cert.pem chain.pem fullchain.pem privkey.pem
cert.pem is the server certificate on its own, chain.pem is the Let's Encrypt intermediate CA certificate, fullchain.pem is cert.pem followed by chain.pem, and privkey.pem is the private key, which certbot creates readable only by root; keep it that way. These names are symlinks to the current files under /etc/letsencrypt/archive, so point your configuration at the live paths and it picks up renewed certificates without further changes.
Configure your web service with fullchain.pem as the certificate and privkey.pem as the key, like any other cert. Use fullchain.pem rather than cert.pem: a client that does not already have the intermediate cached can only build a trusted chain if the server sends it.
Note that if you want to use these certs for HAProxy, you need to combine the full chain and privkey.pem into a single file:
cat fullchain.pem privkey.pem > haproxy-$site.pem
The combined file contains the private key, so write it somewhere only root (or the user HAProxy runs as) can read, with the same restrictive permissions as privkey.pem, and rebuild it each time the certificate is renewed.
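The same bundle built with the checks a bare cat skips, as an added example that is not code from the original post, from certbot or from HAProxy: it refuses a chain that contains anything but certificates, refuses a key file that does not hold exactly one private key, creates the output with mode 0600 before any key material is written, and renames it into place atomically. It can be run by hand with the lineage directory as argument or as a certbot deploy hook, in which case certbot exports RENEWED_LINEAGE (the lineage's live directory) to the hook. The output directory /etc/haproxy/certs is an assumption; point it at whatever your HAProxy crt directive reads.

```python
"""Build the single-file certificate bundle HAProxy expects from a certbot
lineage directory, with the checks a plain `cat` skips.

Added example, not code from the original post, certbot or HAProxy.
Assumptions: the output directory DEFAULT_OUT_DIR, and that the script is
run either as `script.py /etc/letsencrypt/live/<site>` or as a certbot
--deploy-hook, where certbot sets RENEWED_LINEAGE to that directory.
"""
import os
import sys

DEFAULT_OUT_DIR = "/etc/haproxy/certs"   # assumption, see the lead-in


def pem_block_labels(text):
    """Labels of the PEM blocks in text, in order, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    labels = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            labels.append(line[len("-----BEGIN "):-len("-----")])
    return labels


def build_haproxy_bundle(lineage_dir, out_path):
    """Write fullchain.pem followed by privkey.pem to out_path, mode 0600.

    fullchain.pem rather than cert.pem: a client without the intermediate
    cached can only validate the chain if the server sends it. The order
    matches what `cat fullchain.pem privkey.pem` produces."""
    with open(os.path.join(lineage_dir, "fullchain.pem")) as f:
        fullchain = f.read()
    with open(os.path.join(lineage_dir, "privkey.pem")) as f:
        privkey = f.read()

    chain_labels = pem_block_labels(fullchain)
    key_labels = pem_block_labels(privkey)
    if not chain_labels or any(label != "CERTIFICATE" for label in chain_labels):
        raise ValueError("fullchain.pem must contain only CERTIFICATE blocks")
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        raise ValueError("privkey.pem must contain exactly one private key")
    if not fullchain.endswith("\n"):
        fullchain += "\n"            # keep the key's BEGIN line on its own line
    payload = (fullchain + privkey).encode("ascii")

    # Create the file 0600 *before* the key is written into it, then rename it
    # into place so HAProxy never reloads a half-written or readable bundle.
    tmp_path = out_path + ".tmp"
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)             # os.open's mode argument is subject to umask
    with os.fdopen(fd, "wb") as out:
        out.write(payload)
        out.flush()
        os.fsync(out.fileno())
    os.replace(tmp_path, out_path)
    return {
        "certificates": len(chain_labels),
        "bytes": len(payload),
        "mode": oct(os.stat(out_path).st_mode & 0o777),
    }


def main(argv):
    # certbot sets RENEWED_LINEAGE for --deploy-hook scripts; a path argument
    # lets the same script be run manually after `certbot certonly`.
    lineage = os.environ.get("RENEWED_LINEAGE") or (argv[1] if len(argv) > 1 else None)
    if not lineage:
        sys.exit("usage: %s /etc/letsencrypt/live/<site>  (or run as a certbot deploy hook)" % argv[0])
    site = os.path.basename(lineage.rstrip("/"))
    result = build_haproxy_bundle(lineage, os.path.join(DEFAULT_OUT_DIR, site + ".pem"))
    print(site, result)


if __name__ == "__main__":
    main(sys.argv)
```

Reading fullchain.pem and privkey.pem through the live symlinks means the hook always bundles the newest archive entry; the returned dict is there so a wrapper or test can confirm the bundle holds the expected number of certificates and the 0600 mode before reloading HAProxy.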