
Install Certificate With Let's Encrypt

The document provides instructions for installing Let's Encrypt to create free SSL certificates for website domains. It describes how to: 1) Download and install Let's Encrypt using git clone. 2) Create SSL certificates for domains using the letsencrypt-auto tool with the --standalone parameter. 3) Check that the certificates cover the specified domains and view expiry dates using the certbot-auto certificates command.

Uploaded by

Eduin Cadete

Install Let's Encrypt to Create SSL Certificates

Updated Friday, May 11, 2018 by Linode
Contributed by Sean Webber


Let’s Encrypt is an SSL certificate authority managed by the Internet Security Research
Group (ISRG). It utilizes the Automated Certificate Management Environment (ACME)
to automatically deploy free SSL certificates that are trusted by nearly all major
browsers.

Note
For most situations, the recommended method for installing Let’s Encrypt certificates is
the official Certbot tool. Certbot automates the process of obtaining and installing a
certificate, and can also automatically update your web server configuration. The
instructions in this guide install Let’s Encrypt and add certificates manually, which is
not necessary for most users.

Before you Begin


1. Familiarize yourself with our Getting Started guide and complete the steps for
setting your Linode’s hostname and timezone.
2. Complete the steps in our Securing Your Server guide to create a standard user
account, harden SSH access, and remove unnecessary network services.
3. Update your server’s software packages:

CentOS

sudo yum update && sudo yum upgrade

Debian / Ubuntu

sudo apt update && sudo apt upgrade

Note
This guide is written for a non-root user. Commands that require elevated
privileges are prefixed with sudo. If you’re not familiar with the sudo
command, you can check our Users and Groups guide.

Download and Install Let’s Encrypt


1. Install the git package:

CentOS

sudo yum install git

Debian / Ubuntu

sudo apt-get install git

2. Download a clone of Let’s Encrypt from the official GitHub repository. /opt is
a common installation directory for third-party packages, so let’s install the
clone to /opt/letsencrypt:

    sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

3. Navigate to the new /opt/letsencrypt directory:

    cd /opt/letsencrypt

Create an SSL Certificate


Let’s Encrypt automatically performs Domain Validation (DV) using a series of
challenges. The Certificate Authority (CA) uses challenges to verify the authenticity of
your computer’s domain. Once your Linode has been validated, the CA will issue SSL
certificates to you.

1. Run Let’s Encrypt with the --standalone parameter. For each additional
domain name requiring a certificate, add -d example.com to the end of the
command. The --standalone plugin answers the challenge with its own temporary
web server, so stop any service already listening on the port it needs before
you run the command.

    sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com

Note
Let’s Encrypt does not deploy wildcard certificates. Each subdomain requires
its own certificate.

2. When prompted, specify an administrative email address. This will allow you to
regain control of a lost certificate and receive urgent security notices if
necessary. Press ENTER or RETURN to save.

3. Agree to the Terms of Service and specify if you would like to share your email
address with EFF:

    -------------------------------------------------------------------------------
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v01.api.letsencrypt.org/directory
    -------------------------------------------------------------------------------
    (A)gree/(C)ancel: a

    -------------------------------------------------------------------------------
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about EFF and
    our work to encrypt the web, protect its users and defend digital rights.
    -------------------------------------------------------------------------------
    (Y)es/(N)o: n

4. If all goes well, a message similar to the one below will appear. Its appearance
means Let’s Encrypt has approved and issued your certificates.

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.com/privkey.pem
       Your cert will expire on 2018-05-27. To obtain a new or tweaked
       version of this certificate in the future, simply run
       letsencrypt-auto again. To non-interactively renew *all* of your
       certificates, run "letsencrypt-auto renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

Check Certificate Domains

1. The output of the Let’s Encrypt script shows where your certificate is stored; in
this case, /etc/letsencrypt/live:

    sudo ls /etc/letsencrypt/live

    example.com

2. All of the domains you specified above will be covered under this single
certificate. This can be verified as follows:

    ./certbot-auto certificates

    Found the following certs:
      Certificate Name: example.com
        Domains: example.com www.example.com
        Expiry Date: 2018-05-27 20:49:02+00:00 (VALID: 89 days)
        Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

Maintenance

Renew SSL Certificates

1. Return to the /opt/letsencrypt directory:

    cd /opt/letsencrypt

2. Execute the command you used in Step 1 of the Create an SSL Certificate
section, adding the --renew-by-default parameter:

    sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d example.com -d www.example.com

3. After a few moments, a confirmation similar to the one below should appear:

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.com/privkey.pem
       Your cert will expire on 2018-05-27. To obtain a new or tweaked
       version of this certificate in the future, simply run
       letsencrypt-auto again. To non-interactively renew *all* of your
       certificates, run "letsencrypt-auto renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

Let’s Encrypt has refreshed the lifespan of your certificates; in this example,
March 31st, 2016 is the new expiration date.

Note
Let’s Encrypt certificates have a 90-day lifespan. According to Let’s Encrypt, this
encourages automation and minimizes damage from key compromises. You can renew
your certificates at any time during their lifespan.

Automatically Renew SSL Certificates (Optional)

You can also automate certificate renewal. This will prevent your certificates from
expiring, and can be accomplished with cron.

1. The output of the previous command shows how to non-interactively renew all
of your certificates:

    ./letsencrypt-auto renew

2. Set this task to run automatically once per month using a cron job:

    sudo crontab -e

Add the following line to the end of the crontab file:

    0 0 1 * * /opt/letsencrypt/letsencrypt-auto renew
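
As an added example (not part of the original guide), the shell function below reads the output of ./certbot-auto certificates, in the format shown under Check Certificate Domains, and lists every certificate with fewer than a given number of days left, so that a failed monthly cron renewal is noticed before the 90-day certificate expires. The function names, the sample output with its second and third certificates, and the 30-day threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.

# expiring_certs LIMIT
# Reads `certbot-auto certificates` output on stdin and prints the name of
# every certificate with fewer than LIMIT days of validity left. An expiry
# line that is not of the form "(VALID: N days)" is always reported, so an
# unexpected status fails safe instead of being silently skipped.
expiring_certs() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = -1
            if (match($0, /\(VALID: [0-9]+ days?\)/)) {
                status = substr($0, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", status)   # keep only the day count
                days = status + 0
            }
            if (days < limit) print name
        }
    '
}

# Constructed sample input, modelled on the output shown in this guide.
# Only the first certificate appears in the guide; the other two and the
# "INVALID" status text are made up to exercise the check.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2018-05-27 20:49:02+00:00 (VALID: 89 days)
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2018-03-10 08:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2018-02-01 08:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Demo on the constructed sample: prints the two certificates needing action.
sample_output | expiring_certs 30

# On the server the same function would be fed the real command instead:
#   /opt/letsencrypt/certbot-auto certificates | expiring_certs 30
```

Run from a second cron entry, any non-empty result can be mailed to the administrator, which turns a silent renewal failure into an alert.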

Update Let’s Encrypt

1. Return to the /opt/letsencrypt directory:

    cd /opt/letsencrypt

2. Download any changes made to Let’s Encrypt since you last cloned or pulled the
repository, effectively updating it:

    sudo git pull

Automatically Update Let’s Encrypt (Optional)

You can also use cron to keep the letsencrypt-auto client up to date.

    sudo crontab -e

Add the following line to the crontab file:

    0 0 1 * * cd /opt/letsencrypt && git pull

More Information
You may wish to consult the following resources for additional information on this
topic. While these are provided in the hope that they will be useful, please note that we
cannot vouch for the accuracy or timeliness of externally hosted materials.
