Let's Encrypt - time to get serious about TLS

Let's Encrypt is a new Certificate Authority that's serious about democratising SSL on the internet.

Let's Encrypt offers free certificates, as opposed to a $10-1000 price tag, depending on the amount of bonus nonsense you're purchasing with it.

Currently, as Let's Encrypt is still in open beta, the entire process of obtaining and installing a certificate is fully automated only on Apache web servers. However, Let's Encrypt can be used to easily obtain a free SSL certificate, which can be installed manually, regardless of your choice of web server software.

How to get the Let's Encrypt client?

Install Git & BC

Ensure to update apt-get before proceeding.

sudo apt-get -y install git bc
Once installed, we can use git to download letsencrypt.

Clone Let's Encrypt from GitHub

Clone the Let's Encrypt repository to /opt/letsencrypt.

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Now you're ready to generate certificates.

Generating a certificate using Let's Encrypt

Simply run the following command, and follow the prompts:

./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d [example.com] -d [www.example.com]

Replace your [example.com] and [www.example.com] with your actual domain names.

Follow the prompts, entering your email address and agreeing to the terms and conditions.

Once complete, your certificate will exist at: /etc/letsencrypt/live/[example.com]

The included certificate files are:

cert.pem: Your domain's certificate
chain.pem: Let's Encrypt chain certificate
fullchain.pem: The above two files combined
privkey.pem: Your certificate's private key

The private key ideally should never leave your server.

That's it! You're done. Let's Encrypt makes it that easy to generate a new certificate. Pipeline the process.