Obtaining and Using an SSL Certificate Using Let's Encrypt


We’ll use Let’s Encrypt to obtain a TLS (still commonly called SSL) certificate for our domain, and then use it in a web server, for example.

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

This will be done through certbot. At the time of writing, setting it up is as simple as cloning the certbot Git repository and running the certbot-auto wrapper, which installs its own dependencies and re-executes itself with root privileges (certbot-auto has since been retired in favour of distribution packages and the certbot snap; the commands below are the same with certbot in place of ./certbot-auto). Initial set-up is left as an exercise for the reader.

Certbot has three main subcommands: run, certonly, and renew:

  • run (the default when no subcommand is given) obtains a certificate and installs it in your web server configuration
  • certonly obtains or renews a certificate and saves it under /etc/letsencrypt, but does not touch the web server configuration
  • renew non-interactively renews every previously obtained certificate that is within 30 days of expiry, leaves the others alone, and is therefore safe to run from cron as often as daily

Certbot can prove control of the domain (and, for the first two, also install the certificate) in five ways: through an Apache plugin, through an Nginx plugin, through a standalone web server that certbot runs itself, by placing a validation file in a web root you specify (webroot), or manually, where certbot prints the challenge and waits for you to satisfy it interactively.

I’m going to use certonly and --webroot for this tutorial, as I don’t want it to tamper with my web server1, nor do I want to stop & start the web server: the standalone authenticator binds port 80 itself, so it can only run while nothing else is listening there. I’m also going to use the certificate in more than one place afterwards, which certonly makes easy because the files simply land under /etc/letsencrypt.
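What the webroot authenticator actually does during the http-01 challenge is worth seeing once, because it explains both why the web root must be the directory served for http://domain.tld/ and why port 80 matters. The following is an added illustration written for this page, not certbot’s own code: it plays both sides of the exchange, writing the key authorization under <webroot>/.well-known/acme-challenge/<token> (RFC 8555) and then fetching it the way the CA does. The account key is a constructed placeholder JWK, nginx is replaced by Python’s http.server on a loopback port, and the token is generated locally rather than issued by a CA.

```python
"""What `certbot --webroot` does during the http-01 challenge.

Added illustration, not certbot's code. The client writes the key
authorization (token "." thumbprint of the account key, RFC 8555 section 8.1,
RFC 7638 thumbprint) under <webroot>/.well-known/acme-challenge/<token>, and a
stand-in "CA" fetches that path over plain HTTP and compares the body.
The account key is a constructed placeholder; http.server stands in for nginx.
"""
import base64
import hashlib
import http.server
import json
import os
import re
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"
# RFC 8555: a token consists solely of base64url characters. A client must
# check this before using a CA-supplied token as a file name.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed placeholder account key (public EC P-256 JWK), not a real key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_valid_token(token: str) -> bool:
    return bool(TOKEN_RE.match(token))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact content the CA expects to find at the challenge URL."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Client side: write the key authorization where the web server will serve it."""
    if not is_valid_token(token):
        raise ValueError("token contains characters outside base64url (path traversal guard)")
    chal_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def ca_validate(base_url: str, token: str, jwk: dict) -> bool:
    """CA side: GET <base_url>/.well-known/acme-challenge/<token> and compare."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    # No proxy, but redirects are followed, as Let's Encrypt does, so an
    # HTTP-to-HTTPS redirect on port 80 does not break validation.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
    except urllib.error.URLError:
        return False  # connection refused, 404 (HTTPError is a URLError), etc.
    return body == key_authorization(token, jwk)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def demo(webroot=None) -> dict:
    """Run the exchange against a loopback stand-in for nginx; return the outcomes."""
    webroot = webroot or tempfile.mkdtemp()
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        token = b64url(os.urandom(32))  # in reality the CA chooses the token
        place_challenge(webroot, token, ACCOUNT_JWK)
        return {
            "good": ca_validate(base_url, token, ACCOUNT_JWK),
            "unknown_token": ca_validate(base_url, b64url(os.urandom(32)), ACCOUNT_JWK),
            "other_account": ca_validate(base_url, token, {**ACCOUNT_JWK, "x": "attacker-x"}),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # good is True; the two failure cases are False
```

The two failure cases are the ones that matter in practice: a token the server does not know about (a misconfigured web root, or a redirect to a different virtual host) ends in a 404, and a key authorization built from a different account key does not match, which is what stops someone who can only write into your web root from completing a challenge issued to their own account.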

My command will look like this: ./certbot-auto certonly --webroot -d domain.tld --webroot-path /var/www/domain.tld (-w is the short form of --webroot-path; it must be the directory your web server serves for http://domain.tld/, because the validation file is written under /.well-known/acme-challenge/ inside it and fetched from there over port 80).

After a successful run, you’ll pretty much be greeted by this:

λ ./certbot-auto certonly --webroot -d domain.tld --webroot-path /var/www/domain.tld
Requesting root privileges to run certbot...
  /home/user/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -d domain.tld --webroot-path /var/www/domain.tld
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.tld
Using the webroot path /var/www/domain.tld for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/001_csr-certbot.pem

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domain.tld/fullchain.pem. Your cert will
   expire on 2017-05-27. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You can find the newly created certificate in the /etc/letsencrypt/live/domain.tld/ directory, which contains the following files: cert.pem (the leaf certificate), chain.pem (the intermediate certificate(s)), fullchain.pem (cert.pem followed by chain.pem, which is what most servers want), privkey.pem (the private key; keep it readable by root only), and lastly, README. Note that the entries in live/ are symlinks into /etc/letsencrypt/archive/domain.tld/, where every renewal adds a newly numbered file, so point your configuration at the live/ paths and it keeps working after each renewal.

A basic Nginx configuration for setting up an SSL domain looks like this:

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;

    server_name domain.tld;

    # Let's Encrypt follows redirects, so http-01 renewals keep working as
    # long as the HTTPS server below serves the same web root.
    return 301 https://$server_name$request_uri;
}

# Main config
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name domain.tld;

    # No "ssl on;" here: the "ssl" parameter on the listen directives already
    # enables TLS, and the directive is obsolete (and removed in recent nginx).
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    # chain.pem is only consulted for OCSP stapling (or client certificate
    # verification), so enable stapling; otherwise the line below is a no-op.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;

    root /var/www/domain.tld;
    index index.html;
}

And that’s it. Check Nginx’s config with nginx -t for typos or errors, link the config into sites-enabled (on Debian-style layouts), reload it with nginx -s reload (a reload is enough, no restart needed), and you’re done. Remember that nginx only reads the certificate files at start-up or reload, so the same reload has to happen after every renewal; certbot renew --deploy-hook "nginx -s reload" takes care of that.
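Since the certificate is going to be used in more than one place, the reload step is best automated as a deploy hook rather than remembered. The script below is an added example written for this page, not certbot’s own code; it relies only on the two environment variables certbot sets for deploy hooks, RENEWED_LINEAGE (the live/<name> directory that was just renewed) and RENEWED_DOMAINS. The destination directories, the reload command and the constructed lineage used by demo() are assumptions for the example.

```python
"""Deploy hook for `certbot renew --deploy-hook /path/to/this.py`.

Added example, not certbot's own code. certbot sets RENEWED_LINEAGE and
RENEWED_DOMAINS in the hook's environment. The destination directories and
the reload command are assumptions; adapt them to the host.
"""
import os
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path

# Assumed consumers that should not read /etc/letsencrypt directly:
# destination directory -> mode for the private key copy.
DESTINATIONS = {"/etc/nginx/tls": 0o600, "/etc/postfix/tls": 0o600}
RELOAD_CMD = ["nginx", "-s", "reload"]  # assumption; use whatever reloads your services


def private_key_is_exposed(path) -> bool:
    """True if group or others can read the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def copy_lineage(lineage, dest_dir, key_mode=0o600) -> dict:
    """Copy fullchain.pem and privkey.pem out of a live/ lineage directory.

    live/ holds symlinks into archive/; copying the bytes (not the link) gives
    the consumer a stable regular file and keeps /etc/letsencrypt private.
    Each file is written under a temporary name and renamed into place so a
    reader never sees a half-written key.
    """
    src, dst = Path(lineage), Path(dest_dir)
    dst.mkdir(parents=True, exist_ok=True)
    out = {}
    for name, mode in (("fullchain.pem", 0o644), ("privkey.pem", key_mode)):
        tmp = dst / (name + ".tmp")
        shutil.copyfile(src / name, tmp)  # follows the symlink, copies contents
        os.chmod(tmp, mode)
        os.replace(tmp, dst / name)       # atomic rename on the same filesystem
        out[name] = str(dst / name)
    return out


def deploy(lineage, domains, destinations=DESTINATIONS, reload_cmd=RELOAD_CMD) -> list:
    """Fan the renewed files out to every consumer, verify key permissions, then reload."""
    copied = []
    for dest_dir, key_mode in destinations.items():
        files = copy_lineage(lineage, dest_dir, key_mode)
        if private_key_is_exposed(files["privkey.pem"]):
            raise RuntimeError(f"{files['privkey.pem']} is readable by others; not reloading")
        copied.append(files)
    if reload_cmd:
        subprocess.run(reload_cmd, check=True)  # only once every copy succeeded
    print(f"deployed renewed certificate for {' '.join(domains)} to {len(copied)} location(s)")
    return copied


def demo() -> dict:
    """Exercise deploy() against a constructed lineage; no real key is involved."""
    base = Path(tempfile.mkdtemp())
    archive = base / "archive" / "domain.tld"
    live = base / "live" / "domain.tld"
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    (archive / "fullchain1.pem").write_text("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    (archive / "privkey1.pem").write_text("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
    os.symlink(archive / "fullchain1.pem", live / "fullchain.pem")  # mirror certbot's layout
    os.symlink(archive / "privkey1.pem", live / "privkey.pem")
    dests = {str(base / "nginx"): 0o600, str(base / "postfix"): 0o600}
    copied = deploy(str(live), ["domain.tld"], destinations=dests, reload_cmd=None)
    key = Path(copied[0]["privkey.pem"])
    result = {
        "locations": len(copied),
        "key_is_regular_file": key.is_file() and not key.is_symlink(),
        "key_exposed": private_key_is_exposed(key),
        "key_bytes_match": key.read_bytes() == (archive / "privkey1.pem").read_bytes(),
    }
    os.chmod(key, 0o644)  # loosen it to show that the permission check fires
    result["exposed_after_chmod_644"] = private_key_is_exposed(key)
    return result


if __name__ == "__main__":
    if "RENEWED_LINEAGE" in os.environ:  # running under certbot
        deploy(os.environ["RENEWED_LINEAGE"], os.environ.get("RENEWED_DOMAINS", "").split())
    else:
        print(demo())
```

The hook copies the resolved files rather than the live/ symlinks so that services which cannot read /etc/letsencrypt (or run in a chroot) get a regular file, checks that no copy of the private key ended up group- or world-readable before touching any service, and only reloads once every copy has succeeded.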

This should be enough to get you started.

  1. Via certbot --help: Although --dry-run tries to avoid making any persistent changes on a system, it is not completely side-effect free: if used with webserver authenticator plugins like apache and nginx, it makes and then reverts temporary config changes in order to obtain test certs, and reloads webservers to deploy and then roll back those changes.