New information:
Requesting a certificate for your domains on an apache webserver running on Debian server is extremely easy.
Install certbot, a utility to help request letsencrypt certificates:
apt-get install python-certbot-apache -t jessie-backports
Now run it:
certbot --apache
This will start a curses interface to select sites whose certificates you want to renew.
This works very well and worked when the certicate module of webmin was botched up.
Older post:
This tutorial describes how to create a new SSL certificate using Let’s Encrypt (Public beta as of 06/12/2015).
Let’s Encrypt doku is at: http://letsencrypt.readthedocs.org/en/latest/using.html#installation
Let’s create a new droplet at Digitalocean to test Let’s Encrypt.
Now login via ssh to the server:
Install git, an editor (I prefer emacs) and letsencrypt:
apt-get install git emacs git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt
To install and run the client you just need to type:
./letsencrypt-auto certonly --webroot -w /var/www/virtual/maindomain.com/mydomain.in/htdocs/ -d www.mydomain.in -d mydomain.in
IMPORTANT NOTES:
– If you lose your account credentials, you can recover through
e-mails sent to [email protected]
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.mydomain.in/fullchain.pem. Your cert will
expire on 2016-03-05. To obtain a new version of the certificate in
the future, simply run Let’s Encrypt again.
– Your account credentials have been saved in your Let’s Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let’s
Encrypt so making regular backups of this folder is ideal.
– If like Let’s Encrypt, please consider supporting our work by:Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Automatically installing letsencrypt certificates for a server running i-mscp control panel:
Once you’ve generated certificates as mentioned above, login to i-mscp,
Go to https://yourcpsite.com:2087/client/domains_manage.php
Next to your domain, click on “Add/Edit SSL Certificate”
Use the contents of the following file for each text box:
Private key -> /etc/letsencrypt/live/www.elephant.in/privkey.pem Certificate -> /etc/letsencrypt/live/www.elephant.in/cert.pem Intermediate certificate(s) -> /etc/letsencrypt/live/www.elephant.in/chain.pem
Manually installing letsencrypt certificates for a server running i-mscp control panel:
The following additional information pertains to manually installing these certificates for a server running i-mscp:
So, you’ve generated a certificate for the site www.elephant.in. The files created are at /etc/letsencrypt/live/www.elephant.in/ and are as followings:
lrwxrwxrwx 1 root root 36 Dec 6 09:12 cert.pem -> ../../archive/www.elephant.in/cert1.pem lrwxrwxrwx 1 root root 37 Dec 6 09:12 chain.pem -> ../../archive/www.elephant.in/chain1.pem lrwxrwxrwx 1 root root 41 Dec 6 09:12 fullchain.pem -> ../../archive/www.elephant.in/fullchain1.pem lrwxrwxrwx 1 root root 39 Dec 6 09:12 privkey.pem -> ../../archive/www.elephant.in/privkey1.pem
Copy these as follows:
cp /etc/letsencrypt/live/www.elephant.in/privkey.pem /var/www/imscp/gui/data/certs/elephant.in.privkey.pem cp /etc/letsencrypt/live/www.elephant.in/cert.pem /var/www/imscp/gui/data/certs/elephant.in.cert.pem cp /etc/letsencrypt/live/www.elephant.in/chain.pem /var/www/imscp/gui/data/certs/elephant.in.chain.pem
Now edit the file /etc/apache2/sites-enabled/elephant.in_ssl.conf:
Add/Edit the following directives:
SSLEngine On SSLCertificateFile /var/www/imscp/gui/data/certs/elephant.in.cert.pem SSLCertificateChainFile /var/www/imscp/gui/data/certs/elephant.in.chain.pem SSLCertificateKeyFile /var/www/imscp/gui/data/certs/elephant.in.privkey.pem
Restart apache2:
service apache2 restart
Now reload your website, and you will see the following certificate information:
SSLEngine On SSLCertificateFile /var/www/imscp/gui/data/certs/elephant.in.cert.pem SSLCertificateChainFile /var/www/imscp/gui/data/certs/elephant.in.chain.pem SSLCertificateKeyFile /var/www/imscp/gui/data/certs/elephant.in.privkey.pem
If your site shows invalid issuer information, you havent done these steps correctly.
Renewing certificates
Let’s Encrypt CA issues short lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.
For renewing, use the same command as you did when you generated the certificates. For automating renewal use --renew-by-default.
Eg:
./letsencrypt-auto certonly --webroot -w /var/www/virtual/joel.co.in/elephant.in/htdocs/ -d www.elephant.in -d elephant.in --renew-by-default