
Install, configure and automatically renew a free Let's Encrypt SSL certificate - eko
https://vincent.composieux.fr/article/install-configure-and-automatically-renew-let-s-encrypt-ssl-certificate
======
laurencei
Ideally you should always run a scan on your SSL to ensure it is configured
correctly.

This is a great scanner and is free:
[https://www.ssllabs.com/ssltest/analyze.html](https://www.ssllabs.com/ssltest/analyze.html)

------
tedmiston
I was going to ask about browser trust but their FAQ
([https://community.letsencrypt.org/t/frequently-asked-questio...](https://community.letsencrypt.org/t/frequently-asked-questions-faq/26)) addressed it. If others are curious:

> Are certificates from Let’s Encrypt trusted by my browser?
>
> The short answer is “yes”.
>
> The long answer is that our issuing intermediates are cross-signed by a widely
> trusted IdenTrust root. This allows our certificates to be trusted while we
> work on propagating our own root. Most platforms that trust that root should
> trust Let's Encrypt certs. One notable exception is Windows XP, which
> currently doesn't accept our intermediate.

~~~
frik
About WinXP:

Sadly, at the moment it's not only IE, but also e.g. Chrome on WinXP:
[https://github.com/letsencrypt/letsencrypt/issues/1660](https://github.com/letsencrypt/letsencrypt/issues/1660)
and
[https://github.com/letsencrypt/letsencrypt/issues/1942](https://github.com/letsencrypt/letsencrypt/issues/1942)

~~~
TazeTSchnitzel
Chrome and IE both use Windows's certificate store.

But XP is silly anyway, it doesn't even have SNI.

~~~
cm2187
Chrome on XP has SNI

------
JamesChevalier
I've built a small Ansible role to generate a certificate and configure it for
automatic monthly renewal.

It isn't really set up to handle all possible scenarios, so I only made it
available as a gist as opposed to a full role available in the Ansible Galaxy.
For example, it expects an Apache virtual host to be configured already
instead of allowing Let's Encrypt to handle it - I do this in another role
specifically set up to handle Apache.

[https://gist.github.com/JamesChevalier/a5d78be0febfe505a7e5](https://gist.github.com/JamesChevalier/a5d78be0febfe505a7e5)

------
sologoub
The configuration listed unfortunately doesn't work for the www version of the
domain - Let's Encrypt requires individual certificates for the naked domain
and each subdomain, including www.

Nginx configuration needs to handle the two (or more, depending on subdomains)
certificates.

Let's Encrypt is a great initiative and I hope that they can support nginx
auto-renewal!

~~~
nmjohn
> Let's Encrypt requires individual certificates

That's not accurate - you can have up to n[0] domains on a single certificate

[0]: I don't remember the exact number, but it's more than 2 at least.

~~~
sologoub
Can you share how?

~~~
arthurbouquet
./letsencrypt-auto --apache -d thing.com -d www.thing.com -d otherthing.net

From their README:
[https://github.com/letsencrypt/letsencrypt](https://github.com/letsencrypt/letsencrypt)
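
Added example, not from the thread or from the letsencrypt client: a shell script that builds a throwaway self-signed certificate carrying the same three names as the -d flags above (a constructed stand-in for a real Let's Encrypt certificate, since nothing here contacts the CA) and then runs the checks worth pointing at a live certificate: which hostnames its Subject Alternative Name covers, and whether it will still be valid past a renewal threshold, which is how a cron job can decide when to renew a 90-day cert. It assumes `openssl` (1.1.1 or newer, for `-addext`) is on PATH.

```shell
# Constructed stand-in: a 90-day self-signed certificate carrying the same three
# names the command above passes with -d. On a real host, point the checks below
# at the certificate file the Let's Encrypt client wrote instead.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
    -subj "/CN=thing.com" \
    -addext "subjectAltName=DNS:thing.com,DNS:www.thing.com,DNS:otherthing.net" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# Print every DNS name in the Subject Alternative Name extension, one per line.
# One certificate covers all of them, so the naked domain and www do not need
# separate certificates or separate nginx/Apache server blocks.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Exit 0 if the certificate lists the given hostname exactly.
cert_covers() {
  cert_dns_names "$1" | grep -qx "$2"
}

# Exit 0 if the certificate is still valid $2 days from now (wraps -checkend).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 when fewer than $2 days remain: the condition a renewal cron job
# should act on. With 90-day certificates, 30 days is a sensible threshold.
needs_renewal() {
  ! cert_valid_for_days "$1" "$2"
}

CERT=$(make_test_cert)
echo "Names covered by $CERT:"
cert_dns_names "$CERT"
if needs_renewal "$CERT" 30; then
  echo "renew now"
else
  echo "more than 30 days left, renewal not due"
fi
```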

~~~
sologoub
Thanks!!!

Worked perfectly.

------
tomjen3
How do I get this to work on a shared webserver? I don't have root and need a
cert I can upload on their backend system, so more than 90 days would be a
requirement.

~~~
pja
Let's Encrypt only generates certs with a 90 day expiry, so if longer than that
is a requirement for you then you need to look elsewhere.

You won’t be able to use the automated letsencrypt scripts to generate a cert
either - you’ll have to use something like acme-tiny (it’s on github) and edit
it to upload the proof-of-site-ownership challenge files to the appropriate
place on your shared hosting (unless the letsencrypt script already lets you
do this? Worth a quick look.)

------
jordanbaucke
Excellent stuff... installed and ran their package on my box with apache2 and
was SSL'd in 2 minutes flat. Will visit again.

------
frik
Thanks for the tutorial!

