@Jonty
Last active November 10, 2015 11:32

Thank you for your interest in our beta program! We're excited to let you know that your domains (below) have been whitelisted, and you can now utilize an ACME client to obtain a certificate for them.

Quick Start

To use Let's Encrypt's official client to obtain your real certificates, you will need to provide the production API URL on the command line:

  https://acme-v01.api.letsencrypt.org/directory

When running the Python client (installation directions [1]), be sure to specify the --server argument as shown below:

  git clone https://github.com/letsencrypt/letsencrypt
  cd letsencrypt
  ./letsencrypt-auto --server \
      https://acme-v01.api.letsencrypt.org/directory --help

How to use the client

The Let's Encrypt client supports a number of different "plugins" that can be used to obtain and/or install certificates. A few examples of the options are included below.

If you're running Apache on a recent Debian-based OS, you can try the Apache plugin, which automates both obtaining and installing certs:

  ./letsencrypt-auto --apache --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

To obtain a cert using a "standalone" webserver (you may need to temporarily stop your existing webserver) for example.com and www.example.com:

  ./letsencrypt-auto certonly -a standalone \
  -d example.com -d www.example.com \
  --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

To obtain a cert using the "webroot" plugin, which can work with the webroot of any webserver software:

  ./letsencrypt-auto certonly -a webroot --webroot-path /var/www/example \
  -d example.com -d www.example.com \
  --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

Note: Currently the webroot plugin can only obtain certs for several domains simultaneously if they share a webroot.

To receive instructions for the (fairly complex) process of obtaining a cert from Let's Encrypt by manually providing proof you control a domain:

  ./letsencrypt-auto certonly -a manual -d example.com \
  --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

If you are using a different ACME client, be sure to configure it to use the production URL in order to get valid certificates. Many clients will default to the staging URL.

Help and Known Issues

You can get help with the client and Let's Encrypt at:

https://community.letsencrypt.org/

Known issues with the Python client can be tracked here:

https://github.com/letsencrypt/letsencrypt/issues

Please search thoroughly for existing issues before filing a new report!

Renewals and Lifetimes

Certificates from Let's Encrypt are valid for 90 days. We recommend renewing them every 60 days to provide a nice margin of error. As a beta participant, you should be prepared to manually renew your certificates at that time. As we get closer to General Availability, we hope to have automatic renewal tested and working on more platforms, but for now, please play it safe and keep track.

Rate Limiting

During this beta test we have very tight rate-limiting in place. We plan to loosen these limits as the beta proceeds.

There are two rate limits in play: Registrations/IP address, and Certificates/Domain.

Registrations/IP address limits the number of registrations you can make in a given day; currently 10. This means you should avoid deleting the /etc/letsencrypt/accounts folder, or you may not be able to re-register.

You could run into the Certificates/Domain limit through repeated re-issuance. This limit measures certificates issued for a given combination of Top Level Domain + Domain. This means if you issue certificates for the following domains, at the end you would have what we consider 4 certificates for the domain example.com.

  1. www.example.com
  2. example.com www.example.com
  3. webmail.example.com ldap.example.com
  4. example.com www.example.com
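
The Certificates/Domain count, worked through as an added example (not part of the original email and not Let's Encrypt's own code): it tallies certificates per "Top Level Domain + Domain" inside the limit's 60-day window and reports when the oldest one ages out. Assumptions: the last two labels of a name stand in for the registered domain, a certificate issued exactly 60 days ago no longer counts, and the issuance dates in the log are made up.

```python
from collections import Counter
from datetime import date, timedelta

WINDOW = timedelta(days=60)  # Certificates/Domain window stated in the email


def registered_domain(name):
    """Assumption: 'TLD + Domain' is the last two labels. A real tracker
    would consult the Public Suffix List (e.g. for names under co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def in_window(issued, today):
    # Assumption: a certificate issued exactly 60 days ago has left the window.
    return today - WINDOW < issued <= today


def certs_per_domain(issuances, today):
    """Count certificates per registered domain issued inside the window.

    issuances: iterable of (issue_date, [names on that certificate]).
    A certificate counts once per registered domain it covers, however
    many names it carries, and every re-issue counts again.
    """
    counts = Counter()
    for issued, names in issuances:
        if in_window(issued, today):
            counts.update({registered_domain(n) for n in names})
    return counts


def next_slot(issuances, today, domain):
    """Date on which the oldest in-window certificate for `domain` ages out."""
    dates = sorted(
        issued for issued, names in issuances
        if in_window(issued, today)
        and domain in {registered_domain(n) for n in names}
    )
    return dates[0] + WINDOW if dates else today


# Constructed log: the four certificates listed above with made-up dates,
# plus one older certificate that has already left the window.
LOG = [
    (date(2015, 8, 1), ["example.com"]),
    (date(2015, 10, 20), ["www.example.com"]),
    (date(2015, 10, 25), ["example.com", "www.example.com"]),
    (date(2015, 11, 1), ["webmail.example.com", "ldap.example.com"]),
    (date(2015, 11, 5), ["example.com", "www.example.com"]),
]
```

Feeding it a record of your own issuances before requesting another certificate shows how close a domain is to the limit; the limit value itself is not given in this email, so the functions return counts rather than a pass/fail.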

The limit on Certificates/Domain has a window of 60 days, to give 30 days for renewals. We know it's restrictive at present; thank you for your patience in helping us ensure Let's Encrypt is ready for the whole world.

Certificate Transparency

Part of our transparency mission includes publicly disclosing the certificates we issue via Certificate Transparency. Your email address is not publicly disclosed.

Helpful Information

Let's Encrypt maintenance events are posted on https://letsencrypt.status.io/ and Twitter (@letsencrypt_ops). If you need help, both the Let's Encrypt community at https://community.letsencrypt.org/ and #letsencrypt on irc.freenode.org are excellent sources of assistance.
