Free SSL certificates through Let's Encrypt

  • Let's Encrypt has to validate that you own the domain. That is possible by a variety of plugins.


    • Apache and Nginx are not an option, because they also want to configure the service.
    • Standalone was not working, because the script complained that Apache is already using port 443.
    • Manual was also not working, but I don't remember the error message.
    • Webroot was working and the script will create the directories .well-known/acme-challenge

    After the creation of the certificate no files were inside of the directories. I don't know if the script will create some during execution and will delete them afterwards.

  • Ah thank you, thought it's via mail :D After letsencrypt is released, I'll have a look to create an account :)

  • I think a plugin will also come, where you will get a mail to the address provided via the nameserver SOA entry.


    But the webroot option is also nice, because you don't need to interact via mail.

  • webroot is nice, you just have a small problem if you have an htaccess. Also the folder needs to be removed after cert creation :D

  • Got my beta invite yesterday too. The certificates were generated by entering the code that was quoted in the email. Luckily I have read in the letsencrypt forum that there was an error and the last line should read
    https://acme-v01.api.letsencrypt.org/directory certonly
    instead of
    https://acme-v01.api.letsencrypt.org/directory auth


    Using the code line with "certonly" everything went smoothly.


    During installation I chose "authenticate with Apache Web Server". It gave me only two choices "Apache Web Server (Alpha)" or "Standalone". Choosing Apache Web Server the letsencrypt folder and the certificates were generated.
    The only challenge was which certificate goes where in the i-MSCP backend. I got four certificates:
    cert.pem
    chain.pem
    fullchain.pem
    privkey.pem


    Private key was easy. Then I put cert.pem key in the input field for certificate and decided to take fullchain.pem for intermediate certificate. Now my site runs fine with https :-)

    i-MSCP 1.5.3 | Ubuntu 18.04

    Edited 2 times, last by bluecafe.

  • acme-v01.api.letsencrypt.org/directory certonly
    instead of
    acme-v01.api.letsencrypt.org/directory auth

    That is not an error. When I created my first certificate it was auth and now they changed it from auth to certonly. The software is still beta, so a lot of changes could occur.


    Yesterday I got my second invite for three additional domains and all went fine.


    I created the file /etc/letsencrypt/cli.ini to store some default values, so you don't have to use them on the command line:



    And then I used the following command to create my certificates:


    letsencrypt-auto certonly --agree-dev-preview --agree-tos --renew-by-default -a webroot --webroot-path /var/www/virtual/domain.com/htdocs/ -d domain.com -d www.domain.com

  • webroot is nice, you just have a small problem if you have an htaccess.

    I also found a solution for that, with the webroot domain verification. :)

  • This howto is for the webroot domain verification, if the domain htdocs is secured with .htaccess.



    Create the directory: mkdir -p /var/www/letsencrypt/domain.com


    Now paste the following into the file /etc/apache2/imscp/domain.com.conf


    Code
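    # Allow unauthenticated access to the challenge directory (Apache 2.2 access syntax)
    <Directory /var/www/letsencrypt>
    Order allow,deny
    Allow from all
    </Directory>
    # Serve ACME challenge requests from outside the .htaccess-protected htdocs
    Alias "/.well-known/acme-challenge" "/var/www/letsencrypt/domain.com/.well-known/acme-challenge"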


    and then reload apache: service apache2 reload


    Now you could use the webroot with --webroot-path /var/www/letsencrypt/domain.com/


    The full command:
    letsencrypt-auto certonly --agree-dev-preview --agree-tos --renew-by-default -a webroot --webroot-path /var/www/letsencrypt/domain.com/ -d domain.com -d www.domain.com
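
A preflight check for the webroot setup described in this thread, as an added example that is not part of any original post: it drops a random probe file into .well-known/acme-challenge under the given webroot and fetches it over HTTP, so a 401/403 from .htaccess protection or a 404 from a wrong Alias shows up before letsencrypt-auto is run. The function name `preflight`, the probe file naming and the script name in the usage comment are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Preflight for webroot validation: is a file in the challenge dir served over HTTP?"""
import os
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def preflight(webroot, base_url, timeout=10):
    """Write a random probe file under webroot and fetch it via base_url.

    Returns (ok, detail). The probe file is always deleted afterwards.
    """
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    name = "probe-" + secrets.token_hex(8)   # constructed name, not a real ACME token
    body = secrets.token_hex(16)
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o644)                     # the web server user must be able to read it
    url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_DIR, name)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            served = resp.read().decode("ascii", "replace").strip()
            if served != body:
                # e.g. a rewrite rule answering with an index or login page
                return False, "unexpected content at %s" % resp.geturl()
            return True, "served correctly from %s" % resp.geturl()
    except urllib.error.HTTPError as exc:
        # 401/403: access protection still applies; 404: Alias or webroot path is wrong
        return False, "HTTP %d for %s" % (exc.code, url)
    except (urllib.error.URLError, OSError) as exc:
        return False, "cannot reach %s: %s" % (url, exc)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Usage (script name is hypothetical):
    #   preflight.py /var/www/letsencrypt/domain.com http://domain.com
    ok, detail = preflight(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

Run it once for every name passed with -d, since each domain is validated separately.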