Letsencrypt - Manual mode

Let's Encrypt logo

In this quick howto, we'll see how to use Letencrypt in manual mode on Debian Jessie (with a mix of Stretch/testing). The idea is to generate the needed files and then copy them over to the web server (Apache in this case).

In this scenario there are 2 different machines, they can be the same if you'd like, there's no problem with that other. However, if you are using a single machine for both tasks then you might want to use a different method which will be easier to maintain. I chose to use different machines for now, one with the letsencrypt software and another for the web server because the letsencrypt software needs a few packages pulled from Debian testing.

Install letsencrypt

To install letsencrypt using APT we'll need to add extra sources and set preferences. If you chose to install letsencrypt using git you can skip this step of course.

Edit /etc/apt/sources.list, copy the main lines and change jessie to stretch, the new lines might look like this:

deb http://ftp.debian.org/debian/ stretch main deb-src http://ftp.debian.org/debian/ stretch main

Edit the file (create if needed) /etc/apt/preferences and add:

# Stable Package: * Pin: release a=stable Pin-Priority: 900 # Testing Package: * Pin: release a=testing Pin-Priority: 450

Next, update apt and install letsencrypt from testing.

apt-get update apt-get install letsencrypt -t testing

Optional Configuration

You can add an optional configuration file to get defaults from, for this create /etc/letsencrypt/cli.ini and for example, you can start of like this:

# This is an example of the kind of things you can do in a configuration file. # All flags used by the client can be configured here. Run Let's Encrypt with # "--help" to learn more about the available options. # Use a 4096 bit RSA key instead of 2048 rsa-key-size = 4096

Basic Usage

The first time you will probably be asked for an email address, that's up to you.

To generate your certificate files all you need to do is the following:

letsencrypt certonly -d manurevah.com --manual

You will be asked to create a secret file on your website, something like manurevah.com/.well-known/acme-challenge/z890F4ke0fCVr5301234-23434-2423-gvYd_FofwLk. So head to your webserver and create the file and in the file copy the next line indicated by letsencrypt (should be more gibberish).

This will validate that you have control over the website. You can then press enter to continue and the files will be generated.

Install the certificate and key on Apache

If you're using different machines for letsencrypt and the webserver, you'll need to copy some files over. There should be a directory called /etc/letsencrypt/live, in there will be a directory for each domain, in this example I'll copy over /etc/letsencrypt/live/manurevah.com/.

The directory /etc/letsencrypt/live/ actually contains directories, one for each certificate set (domain), with symlinks to the /etc/letsencrypt/archive/ directory. This way the "live" folder always shows the latest files.

For each virtual host you can use the following SSLCertificate directives. (Remove/comment references to obsolete files):

SSLCertificateFile /etc/apache2/certificates/manurevah.com/cert.pem SSLCertificateKeyFile /etc/apache2/certificates/manurevah.com/privkey.pem SSLCertificateChainFile /etc/apache2/certificates/manurevah.com/chain.pem

If you're using the same machine for both tasks, you could point your Apache configuration to the /etc/letsencrypt/live/ directory, it will make updating certs painless; Apache will always be pointing to the latest files. (Again, when using the same machine it could be easier to use another method).

Check Apache and restart (if there are no errors):

apachectl configtest apachectl graceful

Renewal

The certificates are valid for 90 days, you will need to renew them frequently. To do so you just need to generate a new certificate and copy over the files.

That's about it for now.. .

Leave a comment
You may use the following HTML tags: <p> <a> <strong> <b> <em> <i> <cite> <blockquote> <code> <pre>

Your comments WILL NOT be submitted to any third party (not even for anti spam verification).