Besides being free, the main advantage of using Let’s Encrypt SSL would be automation (auto renewal through shell script).
Install Certbot on Ubuntu
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
Obtain SSL Certificate
Certbot has Apache and nginx server plugins, which automate both obtaining and installing certs. This article shall focus on getting and renewing certs without any such integration.
To obtain a cert using DNS verification, run the following command; it will ask for a mandatory email address. We use the manual option because certbot is run on a machine other than the web server (e.g. when you have no shell access on the web server).
sudo certbot certonly --manual --preferred-challenges dns
Enter the domain name (I guess multiple domain names are supported)
Please enter in your domain name(s) (comma and/or space separated)
Follow the instructions to complete the DNS verification (a TXT record at _acme-challenge.www.mydomain.com).
I created the DNS TXT entry but certbot failed to validate it (I guess the DNS had not propagated yet); it quit immediately without an option to retry. When I reran
sudo certbot certonly --manual --preferred-challenges dns again, the secret code had changed again.
Before proceeding with certbot DNS verification, check that the DNS TXT record has propagated to a resolver reachable from your machine.
dig -t txt _acme-challenge.www.mydomain.com
Upon success, take note of the location of the certificate (/etc/letsencrypt/live/www.mydomain.com/fullchain.pem) and the expiry date (90 days).
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.mydomain.com/fullchain.pem. Your cert will expire on 2017-10-31. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
You should have the following files in /etc/letsencrypt/live/www.mydomain.com:
sudo ls /etc/letsencrypt/live/www.mydomain.com
# output
cert.pem chain.pem fullchain.pem privkey.pem README
Renew SSL Certificate
Run the following command to test whether automatic renewal of the cert works properly:
sudo certbot renew --dry-run
Sadly I bumped into a renewal error:
An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively. With the manual plugin (instead of the Apache or nginx plugins), certbot cannot renew automatically because it cannot complete the DNS verification on its own; a script must be supplied through --manual-auth-hook.
Cert not due for renewal, but simulating renewal for dry run Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',) Attempting to renew cert from /etc/letsencrypt/renewal/www.mydomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
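The error above says the manual plugin needs an authentication script. The following is an added example of such a hook, not code from the post: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook, the hook publishes the TXT record and then waits until a dig lookup (the same check used earlier) actually returns the token, so the renewal does not fail on a record that has not propagated yet. The publish_txt_record function is a placeholder, because the post names no DNS provider; the record name and token-matching helpers are hypothetical names chosen here.

```bash
#!/usr/bin/env bash
# Added example of a certbot --manual-auth-hook for the dns-01 challenge.
# certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION in the hook's environment.
set -eu

# Name of the challenge record for a domain, e.g. _acme-challenge.www.mydomain.com
acme_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Read "dig +short TXT" output from stdin and return 0 if one record equals the
# expected token. dig +short prints each TXT rdata in double quotes, one per line.
txt_has_token() {
    local expected="$1" line
    while IFS= read -r line; do
        line="${line%\"}"
        line="${line#\"}"
        [ "$line" = "$expected" ] && return 0
    done
    return 1
}

# PLACEHOLDER (hypothetical): replace with your DNS provider's API call.
publish_txt_record() {
    local name="$1" value="$2"
    echo "would publish TXT $name = \"$value\"" >&2
}

# Poll until the resolver returns the token, so certbot only validates once the
# record is visible. Gives up after $3 attempts (default 30, 10 s apart).
wait_for_propagation() {
    local name="$1" expected="$2" tries="${3:-30}" i
    for i in $(seq 1 "$tries"); do
        if dig +short TXT "$name" | txt_has_token "$expected"; then
            return 0
        fi
        sleep 10
    done
    echo "TXT record $name did not propagate after $tries attempts" >&2
    return 1
}

main() {
    local name
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    publish_txt_record "$name" "$CERTBOT_VALIDATION"
    wait_for_propagation "$name" "$CERTBOT_VALIDATION"
}

# Only act when certbot has called us (the variable is absent when sourced).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main
fi
```

With the script saved and made executable, the dry run becomes `sudo certbot renew --dry-run --manual-auth-hook /path/to/auth-hook.sh`; a matching `--manual-cleanup-hook` can remove the record afterwards.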