The protocol used by the client is ACME (which stands for Automatic Certificate Management Environment).
```
# git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt
# ./letsencrypt-auto
[... installing packages...]
Creating virtual environment...
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt
No installers seem to be present and working on your system; fix that or try running letsencrypt with the "certonly" command
# ./letsencrypt-auto --webroot-path /etc/letsencrypt/webrootauth --domain ohr.lol -a webroot certonly
```
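From this post we stole the configuration for nginx (to place in `/etc/nginx/snippets/letsencryptauth.conf`):

```nginx
# Serve the challenge files that the webroot authenticator writes
# under /etc/letsencrypt/webrootauth.
location /.well-known/acme-challenge {
    alias /etc/letsencrypt/webrootauth/.well-known/acme-challenge;
    location ~ /.well-known/acme-challenge/(.*) {
        # Content type as given in the referenced post; note that the
        # manual plugin output further down asks for text/plain.
        add_header Content-Type application/jose+json;
    }
}
```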
and then include it in the appropriate `server` block of the default site (not tested yet):

```nginx
server {
    include snippets/letsencryptauth.conf;
}
```
Finally we have to create the authentication directory:

```
# mkdir /etc/letsencrypt/webrootauth
```
```
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ohr.lol/fullchain.pem. Your cert will expire
   on 2016-03-03. To obtain a new version of the certificate in the
   future, simply run Let's Encrypt again.
 - If like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
```
The installer `letsencrypt-auto` creates a virtualenv in `$HOME/.local/share/letsencrypt`. `letsencrypt-auto` uses it automatically; if you want to use `letsencrypt` directly, you have to activate the virtualenv first.
```
# letsencrypt --help

  letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation

Choice of server plugins for obtaining and installing cert:

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)

OR use different servers to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, install, nginx, apache, standalone, etc)
```
```
# letsencrypt -d ktln2.org -d www.ktln2.org --server https://acme-v01.api.letsencrypt.org/directory -a manual certonly
Make sure your web server displays the following content at
http://ktln2.org/.well-known/acme-challenge/FrGYdLamAysik1k84aoKNRgTrZxBkRHXLu6x3j6Y0es before continuing:

FrGYdLamAysik1k84aoKNRgTrZxBkRHXLu6x3j6Y0es.1VOzyvVEKwc29CjUYaMj1DS3WDyU3WN3UtQyJEF-vWA

Content-Type header MUST be set to text/plain.

If you don't have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf "%s" FrGYdLamAysik1k84aoKNRgTrZxBkRHXLu6x3j6Y0es.1VOzyvVEKwc29CjUYaMj1DS3WDyU3WN3UtQyJEF-vWA > .well-known/acme-challenge/FrGYdLamAysik1k84aoKNRgTrZxBkRHXLu6x3j6Y0es
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
SimpleHTTPServer.SimpleHTTPRequestHandler.extensions_map = {'': 'text/plain'}; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
Press ENTER to continue

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ktln2.org/fullchain.pem. Your cert will
   expire on 2016-02-02. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
```
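
The string the manual plugin asks you to publish is the ACME key authorization: the token, a dot, then the base64url SHA-256 thumbprint (RFC 7638) of the account key. The sketch below is an added example, not code from the original post or from the letsencrypt client; it rebuilds that value and checks a fetched challenge response before you press ENTER. The function names and `SAMPLE_JWK` are hypothetical, and the key is constructed, so its thumbprint differs from the one in the session above.

```python
import base64
import hashlib
import json
import re

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet only: no '/' or '.'
# Constructed sample account key (public part, JWK form); NOT a real key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "q83vEjRWeJCrze8SNFZ4kKvN7xI0VniQq83vEjRWeJA"}


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required RSA members, sorted, no whitespace."""
    required = {name: jwk[name] for name in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token, jwk):
    """Value the challenge URL must return: token + '.' + account key thumbprint."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url: %r" % token)
    return token + "." + jwk_thumbprint(jwk)


def check_challenge(url, content_type, body, jwk):
    """Return a list of problems with a fetched challenge response (empty = OK)."""
    problems = []
    prefix, _, token = url.rpartition("/")
    if not prefix.endswith("/.well-known/acme-challenge"):
        problems.append("URL is not under /.well-known/acme-challenge/")
    expected = key_authorization(token, jwk)
    if content_type.split(";")[0].strip().lower() != "text/plain":
        problems.append("Content-Type is %r, not text/plain" % content_type)
    if body != expected:
        if body.strip() == expected:
            problems.append("body has extra whitespace (use printf '%s', not echo)")
        else:
            problems.append("body does not match token.thumbprint")
    return problems


if __name__ == "__main__":
    token = "FrGYdLamAysik1k84aoKNRgTrZxBkRHXLu6x3j6Y0es"  # token from the session above
    url = "http://ktln2.org/.well-known/acme-challenge/" + token
    good = key_authorization(token, SAMPLE_JWK)
    print(check_challenge(url, "text/plain", good, SAMPLE_JWK))
    print(check_challenge(url, "application/jose+json", good + "\n", SAMPLE_JWK))
```

Feed it the URL, `Content-Type` header and body you get back from your own server, together with the public JWK of your account key.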