How to secure a semi-managed server with a Let's Encrypt SSL certificate

This article describes how to use Let's Encrypt to automatically generate and install an SSL certificate on a semi-managed server.

To run the procedures described below, you must have root access to the server. Therefore, Let's Encrypt only works on semi-managed servers, not managed servers.

About Let's Encrypt

Let's Encrypt is part of an initiative to encrypt as much World Wide Web traffic as possible. It is designed to make the creation and installation of SSL certificates a simple process that can be done with just a few commands.

Let's Encrypt is no longer in public beta testing, and its certificates are suitable for use on production sites.

Using Let's Encrypt

To generate and install an SSL certificate, you must download and run the Let's Encrypt client application.

Automatic SSL certificate generation and installation currently only works on Debian and Ubuntu distributions, and with the Apache web server. The procedure below assumes that you are running Apache on Debian or Ubuntu.

To install an SSL certificate using Let's Encrypt, follow these steps:

  1. Log in to your server using SSH, and then switch to the root user account.
  2. To install the Git version control system, type the following command:

    apt-get install git
  3. To download the latest version of Let's Encrypt, type the following command:

    git clone https://github.com/letsencrypt/letsencrypt
  4. Type the following commands:

    cd letsencrypt
    ./letsencrypt-auto

    The Let's Encrypt client downloads and installs several packages.
  5. When the agreement appears, press Enter to accept it.
  6. To specify the server name manually, press Enter.
  7. In the text box, type your domain name (for example, www.example.com) and then press Enter.

    Make sure you include the www prefix.
  8. In the Enter email address text box, type an e-mail address where you can receive messages from Let's Encrypt, and then press Enter.

    Provide a valid e-mail address so that you can receive important notices and, if necessary, recover lost keys.
  9. Review the terms of service, and then press Enter. Let's Encrypt generates and installs the SSL certificate.
  10. When installation is complete, you receive the following message:

    Congratulations! You have successfully enabled https://www.example.com!
    
    You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
  11. Press Enter. The Let's Encrypt client displays configuration information about your installation before it exits.

    Let's Encrypt issues certificates that are valid for 90 days. To renew a certificate, run the letsencrypt-auto script again.
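
Because certificates expire after 90 days, a scheduled check can decide when the renewal described above is due. The script below is an added example, not part of the original article or of the Let's Encrypt client: it reads the certificate's expiry with openssl and runs the renewal command you pass it only when the certificate is inside the renewal window. The function names are hypothetical, and the certificate path and renewal command are arguments you supply.

```shell
#!/usr/bin/env bash
# Added example: renew only when the certificate is close to expiry.
# CERT_PEM is usually found under /etc/letsencrypt/live/<domain>/
# (assumption; the article does not state the path).

# cert_needs_renewal CERT_PEM [DAYS]
#   returns 0 if the certificate expires within DAYS days (default 30),
#           1 if it is still valid beyond that window,
#           2 if the file is missing or is not a parseable certificate.
cert_needs_renewal() {
    local cert="$1" days="${2:-30}"
    [ -r "$cert" ] || return 2
    # Reject files that are not certificates before trusting -checkend.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_due CERT_PEM DAYS COMMAND [ARGS...]
#   Runs COMMAND only when the certificate is due and prints one status word:
#   "renewed", "not-due", "renew-failed" or "unreadable".
#   Output of COMMAND goes to stderr so that cron mail or logs keep it.
renew_if_due() {
    local cert="$1" days="$2" rc=0
    shift 2
    cert_needs_renewal "$cert" "$days" || rc=$?
    case "$rc" in
        0)  if "$@" >&2; then
                echo "renewed"
            else
                echo "renew-failed"; return 1
            fi ;;
        1)  echo "not-due" ;;
        *)  echo "unreadable"; return 2 ;;
    esac
}

# Direct use, for example from cron: script CERT_PEM DAYS COMMAND [ARGS...]
if [ "$#" -ge 3 ]; then
    renew_if_due "$@"
fi
```

An "unreadable" result is worth alerting on in its own right, since it means the certificate file the web server depends on is missing or damaged.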

More Information

For more information about Let's Encrypt, please visit https://letsencrypt.org.