Step 1: Installing the Let’s Encrypt Installation Scripts
Right now, it’s not available via the package managers – I have a suspiscion that will change soon. But we can definitely clone it via Git.
Update your packages…
$ sudo apt-get update
…and install both git and bc.
$ sudo apt-get -y install git bc
BC, by the way, is an “arbitrary precision language calculator”. Neat!
Clone the letsencrypt package into /opt:
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Now that it’s installed and we have our dependencies, we can start the installation package.
Step 2: Using letsencrypt and Obtaining a Certificate
Stop your Nginx server…
$ sudo service nginx stop
…and check to see if port 80 is open and in use.
$ netstat -na | grep ':80.*LISTEN'
If you don’t seen any output… congrats! You’re ready to go!
$ cd /opt/letsencrypt $ ./letsencrypt-auto certonly --standalone
You’ll see a few things initialize, and you’ll be asked for a few bits of information. If this is your first time setting up, you’ll be asked for your email address. You’ll use this to receive notices and any recovery options, so make sure it’s valid and hit <OK>.
Then a terms of service screen. Read the terms and click <Agree>.
Now, enter the domain names you want to secure. If you have multiple subdomains (www vs non-www) enter them both. I usually enter the root top level domain (non-www) first, but that’s my preference:
Let the command finish running. You should see a large wall of text with a few important pieces of information:
- Location of the saved certificate chain and keys:
- Expiration date of the certificate
You’ll notice that the certificate expires quickly – 90 days. We’ll automate the renewal process later in the tutorial.
You’ll also notice, if you list the location above…
$ sudo ls /etc/letsencrypt/live/yourdomain.com
That there are four files:
- cert.pem – your domain’s certificate
- chain.pem – the Let’s Encrypt chain certificate
- fullchain.pem – a concatenated (combined) file of cert.pem and chain.pem
- privkey.pem – your certificate’s private key
You’ll need fullchain.pem and privkey.pem, so mentally note where those are: