
CertBot: Automatically enable HTTPS on your website with Let's Encrypt certs - itherseed
https://certbot.eff.org/
======
wildpeaks
If, like me, you don't want it to modify your configs files for you, and don't
want to turn off the webserver everytime you renew certificates, use _Webroot_
mode.

I updated my guide to setup _Nginx + Ubuntu 16.04 + Let 's encrypt_ (Nginx,
IPv6, HTTP/2, and A+ rating at SLL Labs):

[https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc...](https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8)

I hope it helps those that hesitate to use Let's encrypt.

~~~
JelteF
Another good method is to use [https://github.com/diafygi/acme-
tiny](https://github.com/diafygi/acme-tiny) and the ciphers from
[https://cipherli.st](https://cipherli.st)

~~~
JoshTriplett
I used acme-tiny to secure several domains on my server, including automated
renewal via cron, running as an unprivileged user that only has access to the
CSR, the ACME auth key, and the directory /.well-known/acme maps to, but _not_
the server private key. Took about an hour to secure three domains, most of
which was convincing OpenSSL to produce the right three CSRs with
SubjectAltName set (to cover the "www." variants so I can securely redirect
them).

------
ak217
On AWS, you can also use [https://github.com/alex/letsencrypt-
aws](https://github.com/alex/letsencrypt-aws) \- it works great if you're
using both Route 53 and ELB. It uses the dns-01 challenge, which is out-of-
band - it adds a text record to your DNS instead of needing to inject content
into your server. I prefer that approach.

~~~
tacos
On AWS you can get free SSL certificates from AWS.
[https://aws.amazon.com/certificate-
manager/](https://aws.amazon.com/certificate-manager/)

~~~
ecaron
Only free if you have Elastic Load Balancer running for each domain. If you're
hosting a dozen micro-sites on a box, the Certificate Manager path gets a
little expensive

/me looks at his February bill and remembers the lesson all too well

~~~
themartorana
Also free for static sites hosted on Cloudfront. Doesn't solve your problem,
just thought I'd mention it in the interest of possible interest.

------
orblivion
I am yet to try this, but I never liked the idea that it automatically edits
my nginx config. Seeing that it's in Jesse Backports makes me more confident
that it does something sane, though. However the Jesse instructions don't say
anything about it. Is it that you get asked questions about Nginx when you say
"letsencrypt certonly"? Also strange that it doesn't even seem to require sudo
to run.

~~~
forgotmypassw
You can use the --standalone option to get just the certificate files, so you
can keep your nginx config files as-is however you configured them and just
update the privkey.pem and fullchain.pem files wherever your nginx config
points to look for them. And the --standalone option actually requires sudo
but I guess that's because it puts the certs in /etc/letsencrypt~.

Caution though, the file paths you get after obtaining the certificates are
actually relative symlinks for some reason so if you just copy these symlinks
over they will most likely not point to the correct path so copy the original
files instead.

~~~
acdha
That's how it should work but even --standalone still inspects your web server
config and will refuse to run if any part of that goes wrong. For example, if
you have multiple Apache VirtualHosts in the same file[1] (e.g. a port 80
redirect to the HTTPS site in the same file) any attempt to renew a
certificate will fail with an error.

1\.
[https://github.com/certbot/certbot/issues/1042](https://github.com/certbot/certbot/issues/1042)

~~~
pfg
\--standalone won't inspect your web server configuration. Only the apache
(and nginx, if you enabled it manually) plugin would do that.

~~~
acdha
At least for renewals, it does parse Apache config — I was unpleasantly
surprised by that last week

~~~
pfg
My best guess is that you have previously issued a certificate using the
apache plugin on that system, and the renewal config file for that certificate
is still there.

    
    
      $ echo "BreakThisConfig" > /etc/apache2/sites-enabled/000-default.conf
      $ ./certbot-auto --apache
      2016-05-16 21:33:31,252:ERROR:certbot.le_util:Error while running apache2ctl configtest.
      Action 'configtest' failed.
      The Apache error log may have more information.
      $ ./certbot-auto certonly --standalone -d example.com
      - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/example.com/fullchain.pem.
      $ ./certbot-auto renew --force-renewal
      Congratulations, all renewals succeeded. The following certs have been renewed:
      /etc/letsencrypt/live/example.com/fullchain.pem (success)

------
okket
Previous discussion: "Announcing Certbot: EFF's Client for Let's Encrypt"

[https://news.ycombinator.com/item?id=11686984](https://news.ycombinator.com/item?id=11686984)

~~~
therealmarv
I also don't understand why this is again top in HN. The alternatives of
installing certs programs in this linked article are really helpful.

------
savrajsingh
For those of us on App Engine, here's a good set of instructions:
[http://blog.seafuj.com/lets-encrypt-on-google-app-
engine](http://blog.seafuj.com/lets-encrypt-on-google-app-engine)

------
Sir_Cmpwn
I've found the best tool for getting certs from LE is this:

[https://github.com/hlandau/acme](https://github.com/hlandau/acme)

~~~
Freaky
There's something I find really off-putting about a tool that's going to be
managing private keys having dependencies that point to the master branch of
various third party git repositories.

It also unconditionally tries to listen on ports 80, 402, 443, 552 and 4402
whenever it completes a challenge, even if you have absolutely no intention of
using any of these verification methods, so there's a lot of moving parts most
of which you don't want.

I made a FreeBSD port, but thought twice about submitting it:
[https://github.com/Freaky/ports/tree/master/security/acmetoo...](https://github.com/Freaky/ports/tree/master/security/acmetool)

~~~
Sir_Cmpwn
Well, it's written in Go, so it's statically linked. Which helps with the
whole master branch thing.

It is weird that it attempts to listen on all of those ports, though.

~~~
cyphar
It being written in Go doesn't make "just pull the latest code from master
from my dependencies at build time" a good thing. They should use vendoring
and pin tagged releases.

------
mattferderer
Has anyone tried this on a site with multiple virtual hosts? That's where I
ran into my largest issues with applying the certificates.

~~~
avail
I had to apply them per-vhost when using Apache. I switched to caddy recently,
which does it automatically for every vhost.

~~~
jamies888888
What's caddy? I had the same problem and just ended up separating all my SSL
vhosts into their own files.

~~~
CiPHPerCoder
[https://caddyserver.com](https://caddyserver.com)

------
jradd
I just recently re-created my personal wiki:
[https://wiki.jradd.com](https://wiki.jradd.com)

using: [https://github.com/JrCs/docker-letsencrypt-nginx-proxy-
compa...](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion)

This dockerfile/repo made this incredibly easy to scale with nginx/ssl/docker.

Simply add the desired domain name as environment variable when starting your
container, and letsencrypt will register your cert, and re-register it at an
interval.

I haven't yet tried the other methods posted in this thread, but not sure I
will want to, since this was so easy.

------
e12e
It occurred to me that this should probably be integrated with ansible for
bringing up servers, and apparently I'm not the first to think so, I found a
couple of project, and this one appears to fit the bill quite nicely:

[https://github.com/thefinn93/ansible-
letsencrypt](https://github.com/thefinn93/ansible-letsencrypt)

Must say I'm not a fan of web first, then fallback (I mean if stand-alone
works, then just use that - because that should work for certs used for eg
smtp, imaps etc)?

------
ck2
It's interesting OVH just notified all their webhosting customers (I assume
VPS & shared hosting) they encrypted all 1.5 million account control panels
via Let's Encrypt

------
donatj
Correct me if I'm wrong because I really hope I'm wrong. Doesn't no question
asked certificates completely undermine certificates and make man in the
middle attacks remarkably simple on 'secure' sites?

I played with Caddy a little and had an SSL for a domain I already have one
for without even asking for one.

Is this not a problem?

~~~
pki
You already proved that you have access to it. Why is that no question asked?

Normal DV certs are either "add a CNAME, upload a uniquely named html / txt
file, or click a link in an email" \-- you've already done one of those
(automatically in caddy)

------
tekism
What options do IIS/Windows users have?

~~~
colinramsay
[https://github.com/Lone-Coder/letsencrypt-win-
simple](https://github.com/Lone-Coder/letsencrypt-win-simple)

~~~
skrowl
I use this on my AWS EC2 boxes. Works great!

------
wensheng
Simp_le does the same thing. I use simp_le with Haproxy on one server and
nginx sni on another. Works very well.

[https://github.com/kuba/simp_le](https://github.com/kuba/simp_le)

~~~
finnn
No, simp_le does not do the exact same thing. simp_le will also generate certs
and get them signed, but certbot will install them in apache for you. certbot
is for people who don't know or care how to install a TLS cert and just want
the thing to go green

~~~
pde3
Certbot supports both use cases; "certonly" stops after getting the cert;
"run" installs it if there's a plugin available for your webserver.

------
PantaloonFlames
Has anyone used this on the FreeBSD servers offered by NearlyFreeSpeech.net?
Tips?

~~~
bearbin
I haven't, but there are other clients that work nearly as well. I use a
modified version of letsencrypt-nosudo [1], and setup.sh should do everything
you need.

[1]: [https://github.com/bearbin/nfsn-le](https://github.com/bearbin/nfsn-le)

------
onnimonni
I'm having problems using letsencrypt with domains with multiple dns A-records
(round robin). What would be the standard way to issue certificates for a
cluster?

------
ctlaltdefeat
The webserver Caddy also offers similar functionality

~~~
joshstrange
Eh, I wouldn't call it "similar functionality", don't get me wrong I use and
quite like Caddy but that's like saying a hammer offers similar functionality
to fully stocked workbench. This is a tool that only does certs, caddy does
much much more.

------
exratione
This example script assumes that the server has a running webserver, either
Apache or Nginx. Since it doesn't use a package install for Certbot, this
script should work on most Linux distributions. It installs Certbot, obtains
the certificate, and sets up the cron task for renewal.

\---

    
    
      #!/bin/bash
      #
      # This sets up Let's Encrypt SSL certificates and automatic renewal
      # using certbot: https://certbot.eff.org
      #
      # - Run this script as root.
      # - A webserver must be up and running.
      #
      # Certificate files are placed into subdirectories under
      # /etc/letsencrypt/live/*.
      #
      # Configuration must then be updated for the systems using the
      # certificates.
      #
      # The certbot-auto program logs to /var/log/letsencrypt.
      #
    
      set -o nounset
      set -o errexit
    
      # May or may not have HOME set, and this drops stuff into ~/.local.
      export HOME="/root"
      export
      PATH="${PATH}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    
      # No package install yet.
      wget https://dl.eff.org/certbot-auto
      chmod a+x certbot-auto
      mv certbot-auto /usr/local/bin
    
      # Install the dependencies.
      certbot-auto --noninteractive --os-packages-only
    
      # Set up config file.
      mkdir -p /etc/letsencrypt
      cat > /etc/letsencrypt/cli.ini <<EOF
      # Uncomment to use the staging/testing server - avoids rate limiting.
      # server = https://acme-staging.api.letsencrypt.org/directory
    
      # Use a 4096 bit RSA key instead of 2048.
      rsa-key-size = 4096
    
      # Set email and domains.
      email = admin@example.com
      domains = example.com, www.example.com
    
      # Text interface.
      text = True
      # No prompts.
      non-interactive = True
      # Suppress the Terms of Service agreement interaction.
      agree-tos = True
    
      # Use the webroot authenticator.
      authenticator = webroot
      webroot-path = /var/www/html
      EOF
    
      # Obtain cert.
      certbot-auto certonly
    
      # Set up daily cron job.
      CRON_SCRIPT="/etc/cron.daily/certbot-renew"
    
      cat > "${CRON_SCRIPT}" <<EOF
      #!/bin/bash
      #
      # Renew the Let's Encrypt certificate if it is time. It won't do anything if
      # not.
      #
      # This reads the standard /etc/letsencrypt/cli.ini.
      #
    
      # May or may not have HOME set, and this drops stuff into ~/.local.
      export HOME="/root"
      # PATH is never what you want it it to be in cron.
      export
      PATH="\${PATH}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    
      certbot-auto --no-self-upgrade certonly
    
      # If the cert updated, we need to update the services using it. E.g.:
      if service --status-all | grep -Fq 'apache2'; then
         service apache2 reload
      fi
      if service --status-all | grep -Fq 'httpd'; then
         service httpd reload
      fi
      if service --status-all | grep -Fq 'nginx'; then
         service nginx reload
      fi
      EOF
      chmod a+x "${CRON_SCRIPT}"
    

\---

~~~
nailer
Unless your whole chain is 4096 bit - which is unlikely - a 4096 bit RSA key
just adds a little latency.

~~~
davidcollantes
You will not get an A+[0] without 4096.

[0] [https://www.ssllabs.com/ssltest/](https://www.ssllabs.com/ssltest/)

~~~
finnn
That is not true[0]. I have no idea why you think that's the case, I've never
seen that anywhere.

[0]
[https://www.ssllabs.com/ssltest/analyze.html?d=finn.io](https://www.ssllabs.com/ssltest/analyze.html?d=finn.io)

~~~
nailer
In defence of davidcollantes I think it used to be the case a year ago.

~~~
finnn
How long ago? I've had an A+ with a 2048 bit cert for years (I think...
there's a small chance I used to have a 4096 bit cert before LE came out)

~~~
nailer
OK it's was never required for A+, but it was required for one of the
individual scores: straight from the horse's mouth:
[https://news.ycombinator.com/item?id=11708830](https://news.ycombinator.com/item?id=11708830)

------
TheArcane
Can this run on Raspbian 7 Apache?

~~~
pde3
Yes certbot-auto should work on Raspbian 7 _but_ note you'll need a large swap
file enabled in order for it to succeed at building the recent version of
python-cryptography that it depends on:

[https://github.com/certbot/certbot/issues/1081](https://github.com/certbot/certbot/issues/1081)

This is resolved by .deb packages; they're available in jessie-backports, but
I'm not sure if/when those will ever make it to Raspberry Pi land.

------
manduino
[Edit]: didn't read enough about it, sorry

~~~
christop
> Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS
> certificates for your webserver.

