Let’s Encrypt is a free, automated, and open Certificate Authority. The easiest way to set it up is through Certbot, which requires shell/SSH access.
Besides being free, the main advantage of using a Let’s Encrypt SSL certificate is automation (auto renewal through a shell script).
Using certbot
Install Certbot on Ubuntu
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
Obtain SSL Certificate
Certbot has Apache and nginx server plugins, which automate both obtaining and installing certs. This article focuses on getting and renewing certs without any such integration.
DNS Verification
To obtain a cert using DNS verification, run the following command (it will ask for a mandatory email address). The manual option lets you run certbot on a machine other than your web server (e.g. when you have no shell access on the web server).
sudo certbot certonly --manual --preferred-challenges dns
Enter the domain name (I guess multiple domain names are supported)
Please enter in your domain name(s) (comma and/or space separated)
Do follow the instructions to complete DNS verification (a TXT entry at _acme-challenge.www.mydomain.com).
I created the DNS TXT entry but certbot failed to validate it (I guess DNS had not propagated yet), and it quit immediately without an option to retry. When I reran sudo certbot certonly --manual --preferred-challenges dns again, the secret code had changed again.
Before proceeding with certbot DNS verification, run a check to verify that the DNS TXT entry has propagated to the resolvers your machine uses.
dig -t txt _acme-challenge.www.mydomain.com
Success
Upon success, take note of the location of the SSL certificate (/etc/letsencrypt/live/www.mydomain.com/fullchain.pem) and the expiry date (90 days).
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.mydomain.com/fullchain.pem. Your cert
will expire on 2017-10-31. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
You should have the following files in the /etc/letsencrypt/live/www.mydomain.com/ directory.
sudo ls /etc/letsencrypt/live/www.mydomain.com
# output
cert.pem chain.pem fullchain.pem privkey.pem README
Renew SSL Certificate
Run the following command to test whether automatic renewal of the cert works properly.
sudo certbot renew --dry-run
Sadly I bumped into a renewal error: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
With the manual plugin (instead of the Apache or nginx plugins), certbot cannot renew automatically because it cannot complete the DNS verification on its own; a script must be supplied through --manual-auth-hook.
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert from /etc/letsencrypt/renewal/www.mydomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
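A hook script of the kind the error message asks for, as an added example that is not from the original post or from the certbot project: it publishes the TXT record through a placeholder provider call, then polls dig until the record is visible, so the validation does not race DNS propagation the way the manual run above did. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot exports to a --manual-auth-hook; the resolver address and the publish_txt body are assumptions to be replaced with your DNS provider's API call.

```shell
#!/bin/sh
# Hypothetical --manual-auth-hook for certbot (example code, not certbot's own).
# certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION before invoking the hook.

RESOLVER="${RESOLVER:-8.8.8.8}"   # assumed public resolver to poll for propagation

# Name of the TXT record certbot will look up for a domain.
acme_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Succeed if the expected validation string is one of the TXT values on stdin
# (one value per line, quoted the way `dig +short` prints them).
txt_contains() {
    expected="$1"
    tr -d '"' | grep -Fxq -- "$expected"
}

# Poll DNS until the TXT record carries the expected value, or give up.
wait_for_txt() {
    name="$1"; expected="$2"; attempts="${3:-30}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if dig +short -t txt "$name" "@$RESOLVER" | txt_contains "$expected"; then
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    return 1
}

# Placeholder: replace with your DNS provider's API/CLI call that creates the record.
publish_txt() {
    echo "publish TXT $1 = \"$2\" via your DNS provider API (placeholder)" >&2
}

hook_main() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION"
    # Returning non-zero makes certbot abort instead of validating a missing record.
    wait_for_txt "$name" "$CERTBOT_VALIDATION" || {
        echo "TXT record for $name did not propagate in time" >&2
        exit 1
    }
}

# Only act when invoked by certbot (CERTBOT_DOMAIN is set).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    hook_main
fi
```

Point certbot at it with --manual-auth-hook /path/to/this/script; the matching --manual-cleanup-hook option exists for removing the record afterwards.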