Getting the certificate
So far as I can tell, certbot works in the following way:
- Certbot is executed from the web-server CLI, and told to download a cert for an FQDN. Let's say it's getting a cert from
- Certbot opens up a port, I think 443, and listens for requests from the LetsEncrypt service.
- Certbot calls out to LetsEncrypt's service, letting the service know it's example.com and ready to prove it owns that domain.
- LetsEncrypt sends some secret, or maybe collects some secret from the listening certbot service, proving that certbot's server does indeed own this domain name.
- LetsEncrypt signs a cert and makes it available. Certbot downloads the cert to the local server.
First, ensure that your DNS A record, such as example.com, resolves to the IP address your server is using. This needs to be an internet-accessible IP address, not an internal RFC-1918 address.
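A quick pre-flight check for the DNS requirement above, as an added example that is not part of the original post or of certbot: it resolves the name, rejects RFC-1918, loopback, link-local and other non-routable addresses, and confirms the result matches the IP you expect the server to have. The resolver is injectable so the check runs offline against a constructed sample zone; the hostnames and addresses in `SAMPLE_ZONE` are placeholders, not real records. Note that certbot's standalone HTTP-01 challenge is answered on port 80, so that port must be reachable from the internet as well.

```python
import ipaddress
import socket
from typing import Callable, Tuple

# Hypothetical helper, not part of certbot or the original post.
# The resolver is injectable so the check can be exercised offline.
def check_a_record(
    hostname: str,
    expected_ip: str,
    resolver: Callable[[str], str] = socket.gethostbyname,
) -> Tuple[bool, str]:
    """Return (ok, reason): does `hostname` resolve to `expected_ip`,
    and is that address publicly routable (not RFC-1918, loopback, etc.)?"""
    try:
        resolved = resolver(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"{hostname} did not resolve: {exc}"

    addr = ipaddress.ip_address(resolved)
    if addr.is_loopback:
        return False, f"{hostname} resolves to loopback {addr}"
    if addr.is_link_local:
        return False, f"{hostname} resolves to link-local {addr}"
    if addr.is_private:
        return False, f"{hostname} resolves to private (RFC-1918) {addr}"
    if not addr.is_global:
        # Covers ranges such as CGNAT 100.64.0.0/10 that are neither
        # private nor reachable from the public internet.
        return False, f"{hostname} resolves to non-routable {addr}"
    if resolved != expected_ip:
        return False, f"{hostname} resolves to {addr}, expected {expected_ip}"
    return True, f"{hostname} -> {addr} (public, matches)"

# Constructed sample zone for offline demonstration; none of these are real records.
# 11.22.33.44 is a placeholder standing in for the server's real public address.
SAMPLE_ZONE = {
    "example.com": "11.22.33.44",
    "lan.example.com": "192.168.1.20",  # RFC-1918: LetsEncrypt could never reach it
    "nat.example.com": "100.64.0.5",    # CGNAT space: also unreachable from outside
}

def fake_resolver(name: str) -> str:
    """Stand-in for socket.gethostbyname that answers from SAMPLE_ZONE."""
    try:
        return SAMPLE_ZONE[name]
    except KeyError:
        raise socket.gaierror(f"no A record for {name}")

if __name__ == "__main__":
    for name in SAMPLE_ZONE:
        print(check_a_record(name, "11.22.33.44", fake_resolver))
```

Run it with the default resolver and your real hostname and public IP before invoking certbot; a `False` result tells you why the HTTP-01 challenge would fail before you burn a rate-limited attempt.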
This guide assumes you're using Ubuntu Server.
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot
Download the certificate
Set the site variable here to your DNS entry, which points to this server.
site="example.com"
certbot certonly --standalone --preferred-challenges http -d $site
Use the certificate
You can find the certificates as files on your server.
> cd /etc/letsencrypt/live/$site
> ls
README  cert.pem  chain.pem  fullchain.pem  privkey.pem
Copy these certs to your web service and use them like any other cert.
Note that if you want to use these certs for HAProxy, you need to combine cert.pem and privkey.pem into a single file.
cat cert.pem privkey.pem > haproxy-$site.pem
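The cat command above works, but it has two sharp edges a practitioner will want covered: cert.pem holds only the leaf, so a bundle built from it sends clients no intermediate and some of them will fail validation (fullchain.pem is what HAProxy and most other servers should be given), and a plain cat happily produces a file with the pieces swapped or truncated. The following added example, which is not part of the original post, certbot or HAProxy, parses PEM blocks, checks that the first input is certificates only and the second is exactly one private key, and reports whether the resulting bundle carries a chain. The PEM bodies are constructed placeholders, not real key material.

```python
import re
from typing import List, Tuple

# Hypothetical helpers, not part of certbot, HAProxy or the original post.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----\n?", re.DOTALL
)

def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Split a PEM file into (label, base64 body) pairs, in file order."""
    return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]

def build_haproxy_bundle(chain_pem: str, privkey_pem: str) -> str:
    """Concatenate certificate(s) and key in the order HAProxy expects.

    Validates the inputs instead of blindly joining them: a bundle with the
    files swapped, or a truncated key, would make HAProxy refuse to start."""
    certs = pem_blocks(chain_pem)
    keys = pem_blocks(privkey_pem)
    if not certs or any(label != "CERTIFICATE" for label, _ in certs):
        raise ValueError("first argument must contain only CERTIFICATE blocks")
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        raise ValueError("second argument must contain exactly one PRIVATE KEY block")
    return chain_pem.rstrip("\n") + "\n" + privkey_pem.rstrip("\n") + "\n"

def bundle_has_chain(bundle: str) -> bool:
    """True if the bundle carries at least one intermediate after the leaf."""
    return sum(1 for label, _ in pem_blocks(bundle) if label == "CERTIFICATE") >= 2

def _fake_pem(label: str, body: str) -> str:
    """Build a syntactically valid PEM block around a constructed body."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed stand-ins for the files in /etc/letsencrypt/live/$site.
# The bodies are placeholders, not real certificates or keys.
LEAF = _fake_pem("CERTIFICATE", "LEAF-CERT-PLACEHOLDER\nSECOND-LINE")
INTERMEDIATE = _fake_pem("CERTIFICATE", "INTERMEDIATE-CERT-PLACEHOLDER")
CERT_PEM = LEAF                       # what cert.pem contains: leaf only
FULLCHAIN_PEM = LEAF + INTERMEDIATE   # what fullchain.pem contains: leaf + chain
PRIVKEY_PEM = _fake_pem("PRIVATE KEY", "PRIVATE-KEY-PLACEHOLDER")

if __name__ == "__main__":
    for name, chain in (("cert.pem", CERT_PEM), ("fullchain.pem", FULLCHAIN_PEM)):
        bundle = build_haproxy_bundle(chain, PRIVKEY_PEM)
        print(f"{name}: blocks={[l for l, _ in pem_blocks(bundle)]} "
              f"chain={'yes' if bundle_has_chain(bundle) else 'NO'}")
```

Feed it the real fullchain.pem and privkey.pem and write the result to haproxy-$site.pem with mode 0600, since the bundle contains the private key; the `chain=NO` result you get from cert.pem is exactly the misconfiguration that shows up as "unable to get local issuer certificate" on the client side.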