I think Let's Encrypt is great, it's the way forward to a safer web, free of clear text transmissions. Hopefully the companies that have, until today, monopolized the highly expensive SSL certificate market will take a huge blow seeing that Let's Encrypt can stroll right in and offer the same DV certificates for free.
I've seen a large number of people complaining about having to stop their web servers to run the SimpleHTTPServer to verify domain ownership. These people didn't read the documentation that shows that one of the plugins (called
webroot) allows you to specify the web root of the domain(s) you are trying to validate, allowing you to keep your current web server running. Note: both domains must have the same web root.
I've found the graphical interface to all of this quite confusing, and have found a simpler way involving a configuration file for each domain:
cuonic.com.ini). This means that the certificate can be renewed at a regular interval (60 days) without human intervention.
rsa-key-size = 4096 server = https://acme-v01.api.letsencrypt.org/directory text = True authenticator = webroot agree-dev-preview = True agree-tos = True renew-by-default = True email = email@example.com webroot-path = /home/cuonic/cuonic.com
What you need to change:
server will need to be changed when Let's Encrypt leaves the beta stage.
When that's done and saved, time to renew that certificate:
sudo letsencrypt -c [domain.com].ini -d [domain.com] -d [www.domain.com] auth (Example:
sudo letsencrypt -c cuonic.com.ini -d cuonic.com -d www.cuonic.com auth)
You should get the following output:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/[domain.com]/fullchain.pem. Your cert will expire on [date]. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
Now you can add a cronjob to do all of this automagically every 60 days:
sudo su - crontab -e 0 0 1 */2 * /usr/bin/letsencrypt -c /path/to/config/[domain.com].ini -d [domain.com] -d [www.domain.com] auth
I didn't add
>/dev/null 2>&1 so that I receive an email whenever this is executed (I don't mind an email every 2 months, it's a bit more annoying for cronjobs executed every minute), that way I know whether the process succeeded or not.