
Let's Encrypt

Posted on 06 April 2017. Last updated on 05 December 2020.

 

To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let's Encrypt is a CA. In order to get a certificate for your website's domain from Let's Encrypt, you have to demonstrate control over the domain. With Let's Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.

It is easy to do: just download the script and run it.
Best of all, it is completely free.

If you have shell access, you can use Certbot.
It has support for most systems and web servers.

Here are the basics.
This is for Apache on CentOS,
but there are similar commands for other systems.

Install the bot
Certbot is packaged in EPEL (Extra Packages for Enterprise Linux). To use Certbot, you must first enable the EPEL repository.

$ sudo yum install python-certbot-apache

Get Started
Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

$ certbot --apache

If you're feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:

$ certbot --apache certonly

Automating renewal
The certificate is valid for 3 months, but you can auto-renew it.
Certbot can be configured to renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

$ certbot renew --dry-run

If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:

$ certbot renew

If you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.
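
One way to follow the scheduling advice above, as an added example that is not part of the original post or Certbot's own code: a shell helper that writes a twice-daily cron.d entry with a randomly chosen minute. The file name certbot-renew, the root user and the use of certbot's --quiet flag are assumptions.

```shell
#!/bin/sh
# Added example: build a twice-daily cron schedule for "certbot renew"
# with a randomly chosen minute, as recommended above.
# Assumptions (not from the original page): the cron.d file name
# "certbot-renew", running the job as root, and the --quiet flag.

# Print a random integer in [0, $1) using the kernel RNG.
rand_below() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $(( n % $1 ))
}

# Print one cron.d line: random minute, two runs 12 hours apart.
renew_cron_line() {
    minute=$(rand_below 60)
    first_hour=$(rand_below 12)
    second_hour=$(( first_hour + 12 ))
    echo "$minute $first_hour,$second_hour * * * root certbot renew --quiet"
}

# Write the schedule into directory $1 (default /etc/cron.d).
# An existing file is kept, so the chosen minute stays stable when the
# helper is run again (for example from configuration management).
install_renew_cron() {
    dir=${1:-/etc/cron.d}
    file="$dir/certbot-renew"
    if [ -s "$file" ]; then
        echo "unchanged: $file"
        return 0
    fi
    # Subshell keeps the umask change local; cron.d files must not be
    # writable by group or others.
    ( umask 022; renew_cron_line > "$file" ) && echo "installed: $file"
}

# Show a sample line without touching the system.
renew_cron_line
```

Run install_renew_cron as root once "certbot renew --dry-run" succeeds; pass a scratch directory as the first argument to inspect the generated file before installing it.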

 
