Install Let’s Encrypt to Create SSL Certificates
Updated by Linode Contributed by Sean Webber
This is a Linode Community guide. Write for us and earn $250 per published guide.
Let’s Encrypt is an SSL certificate authority managed by the Internet Security Research Group (ISRG). It utilizes the Automated Certificate Management Environment (ACME) to automatically deploy free SSL certificates that are trusted by nearly all major browsers.
This tutorial will cover the following:
- Installing the Let’s Encrypt ACME client.
- Obtaining Let’s Encrypt certificates.
- Required attention and maintenance.
- Technical details about Let’s Encrypt and certificates issued by it.
Before you Begin
Familiarize yourself with our Getting Started guide and complete the steps for setting your Linode’s hostname and timezone.
Complete the steps in our Securing Your Server guide to create a standard user account, harden SSH access, and remove unnecessary network services.
Update your server’s software packages:
sudo yum update && sudo yum upgrade
Debian / Ubuntu
sudo apt-get update && sudo apt-get upgrade
This guide is written for a non-root user. Commands that require elevated privileges are prefixed with
sudo. If you’re not familiar with the
sudocommand, you can check our Users and Groups guide.
Download and Install Let’s Encrypt
sudo yum install git
Debian / Ubuntu
sudo apt-get install git
Download a clone of Let’s Encrypt from the official GitHub repository.
/optis a common installation directory for third-party packages, so let’s install the clone to
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Navigate to the new
Create an SSL Certificate
Let’s Encrypt automatically performs Domain Validation (DV) using a series of challenges. The Certificate Authority (CA) uses challenges to verify the authenticity of your computer’s domain. Once your Linode has been validated, the CA will issue SSL certificates to you.
Run Let’s Encrypt with the
--standaloneparameter. For each additional domain name requiring a certificate, add
-d example.comto the end of the command.
sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
Let’s Encrypt does not deploy wildcard certificates. Each subdomain requires its own certificate.
Specify an administrative email address. This will allow you to regain control of a lost certificate and receive urgent security notices if necessary. Press TAB followed by ENTER or RETURN to save.
Agree to the Terms of Service.
If all goes well, a message similar to the one below will appear. Its appearance means Let’s Encrypt has approved and issued your certificates.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
IMPORTANT NOTES: - If you lose your account credentials, you can recover them through e-mails sent to firstname.lastname@example.org. - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2016-03-31. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Let's Encrypt, so making regular backups of this folder is ideal. - If you like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Let’s Encrypt Certificate Directory Structure
sudo ls /etc/letsencrypt/live
Each domain name you specified in Step 1 of the Create an SSL Certificate section has its own directory. List any of these domain name directories:
sudo ls /etc/letsencrypt/live/example.com
1 2 3 4
cert.pem chain.pem fullchain.pem privkey.pem
Each key (
.pem) file serves a different purpose:
- cert.pem: server certificate only.
- chain.pem: root and intermediate certificates only.
- fullchain.pem: combination of server, root and intermediate certificates (replaces
- privkey.pem: private key (do not share this with anyone!).
Let’s Encrypt issues certificates from intermediate certificate authorities. Intermediate certificates have been cross-signed by Identrust, which ensures compatibility between the end certificate and all major browsers. Refer to Let’s Encrypt’s certificates page for more information.
For good measure, display the file status of
sudo stat /etc/letsencrypt/live/example.com/fullchain.pem
File: ‘live/example.com/cert.pem’ -> ‘../../archive/example.com/cert1.pem’
Notice how this file points to a different file, as do all four of the files listed in Step 3. They are symbolic links to the actual certificate files located in the
If you forget to renew a domain name’s certificate, Let’s Encrypt will remove its directory (and symbolic links) from
/etc/letsencrypt/live. However, the directory (and symbolic links) will be retained in the
/etc/letsencrypt/keysdirectories for your future reference.
Renew SSL Certificates
Return to the
Execute the command you used in Step 1 of the Create an SSL Certificate section, adding the
sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d example.com -d www.example.com
After a few moments, a confirmation similar to the one below should appear:
1 2 3 4 5 6 7 8 9
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2016-03-31. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - If you like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Let’s Encrypt has refreshed the lifespan of your certificates; in this example, March 31st, 2016 is the new expiration date.
Let’s Encrypt certificates have a 90-day lifespan before they expire. According to Let’s Encrypt, this encourages automation and minimizes damage from key compromises. You can renew your certificates anytime during their lifespan.
Automatically Renew SSL Certificates (Optional)
We also recommend automating your certificate renewal since it can be easy to lose track of expiration dates, especially if you have them for several different domains. This will prevent your certificates from expiring, and can be accomplished with
Before we execute the following command, let’s break it down and make some modifications:
echo '@monthly root /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d example.com -d www.example.com >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab
- @monthly: for simplicity, this command will execute at midnight on the first day of every month
- root: run the command as the root user
- /opt/letsencrypt/letsencrypt-auto certonly –quiet –standalone –renew-by-default -d example.com -d www.example.com:
letsencrypt-autorenewal command. Again, add
-d example.comfor each domain name you need to renew
- » /var/log/letsencrypt/letsencrypt-auto-update.log: record the standard output and standard error to a log file named
- tee –append /etc/crontab: save the new cron job to the
The automatic renewal process requires access to port
443, which would most likely be bound to your web server. You can configure your cron tasks to temporarily stop the web server, or use one of several methods documented here.
Execute your modified command to add the cron job to your Linode.
Once Let’s Encrypt supports auto-renewal natively, open the
/etc/crontabfile and manually remove this entry to avoid future renewal conflicts.
Update Let’s Encrypt
Return to the
Download any changes made to Let’s Encrypt since you last cloned or pulled the repository, effectively updating it:
sudo git pull
Automatically Update Let’s Encrypt (Optional)
You can also use
cron to keep the
letsencrypt-auto client up to date. The
@weekly parameter will issue a
git pull command in the
/opt/letsencrypt directory every Sunday at midnight.
echo '@weekly root cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab
To change the update frequency, choose a different parameter, for example,
Now that you have installed Let’s Encrypt and obtained your free SSL certificates, you can configure any package that supports commercial or self-signed SSL certificates to use them.
- Email with Postfix, Dovecot, and MySQL
- How to Provide Encrypted Access to Resources Using SSL Certificates on Nginx
- SSL Certificates with Apache on Debian & Ubuntu
This guide is published under a CC BY-ND 4.0 license.