Let's Encrypt is a free, automated, and open certificate authority operated by the Internet Security Research Group (ISRG), a California-based nonprofit. The project is sponsored by major companies and organizations including Mozilla, Cisco, Akamai, the Electronic Frontier Foundation, and Google Chrome, and has grown rapidly since its launch.
Obtaining certificates from Let's Encrypt is not only free but also straightforward. Certificates are valid for only 90 days, but they can be renewed automatically by a script, so after the initial setup the process is essentially maintenance-free. This guide documents the process of obtaining certificates for your website.
Instead of the official Let's Encrypt client (now called Certbot), this guide uses acme-tiny, a deliberately small open-source client consisting of a single Python file that is easy to read and audit. The following steps are based on the acme-tiny documentation with some modifications for simplicity.
The ACME (Automated Certificate Management Environment) protocol is what Let's Encrypt uses for account registration, domain validation, and certificate issuance. It has since been standardized as RFC 8555; the specification and its drafting history are in the IETF ACME working group's repository.
Creating an Account
First, create a directory (for example, certs) to store temporary files and the final certificate files. Within this directory, generate an RSA private key that identifies your ACME account. This key signs every request you make to the CA, so keep it readable only by the user that runs the client (mode 600) and back it up:
openssl genrsa 4096 > account.key
Generating the CSR
Next, generate a CSR (Certificate Signing Request). Before doing this, create a separate domain private key; never reuse the account key for this, since the account key authenticates you to the CA while the domain key is what the web server uses for TLS. You can choose between RSA and ECC keys depending on your needs:
- Creating an RSA private key (best compatibility):
openssl genrsa 4096 > domain.key
- Creating an ECC private key (smaller key and certificate, faster handshakes, but not supported by older clients):
# For the P-256 curve (OpenSSL calls secp256r1 "prime256v1"; the name secp256r1 is not accepted)
openssl ecparam -genkey -name prime256v1 | openssl ec -out domain.key
# For the P-384 curve
openssl ecparam -genkey -name secp384r1 | openssl ec -out domain.key
Whichever you choose, restrict the key file to the owner (mode 600), as for the account key.
Now generate the CSR. Include both the www and bare versions of your domain, plus any other subdomains you need, as Subject Alternative Names (a single Let's Encrypt certificate can cover up to 100 names). The command below uses bash process substitution to append a [SAN] section to the system OpenSSL configuration:
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) > domain.csr
If /etc/ssl/openssl.cnf is not found, try /usr/local/openssl/ssl/openssl.cnf (openssl version -d prints the directory your build actually uses). Failing that, you can create the CSR interactively and enter your domain as the Common Name, but note that a CSR made this way carries no SAN entries, so the resulting certificate will cover only that one name:
openssl req -new -sha256 -key domain.key -out domain.csr
Either way, inspect what you are about to submit with openssl req -in domain.csr -noout -text and confirm the names listed under Subject Alternative Name are the ones you want.
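As an added example, not code from the guide or from acme-tiny, the bash script below generates the domain key and a SAN CSR from a list of hostnames using its own throwaway OpenSSL configuration, so it does not depend on where the system openssl.cnf lives (the fallback case just described), and then reads the SANs back out of the CSR and checks that the CSR really belongs to the key. The hostnames example.com and www.example.com are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the guide or from acme-tiny: build the domain
# key and a SAN CSR from a list of hostnames with a self-contained OpenSSL
# config (no dependency on /etc/ssl/openssl.cnf), then read the SANs back out
# of the CSR and confirm it belongs to the key before submitting it to the CA.
# example.com / www.example.com below are placeholders.
set -eu

# gen_domain_key KEYFILE [rsa|ecc]: fresh private key, RSA 4096 or P-256
# (the curve OpenSSL names prime256v1, a.k.a. secp256r1), mode 600.
gen_domain_key() {
    local keyfile=$1 kind=${2:-ecc}
    if [ "$kind" = rsa ]; then
        openssl genrsa -out "$keyfile" 4096 2>/dev/null
    else
        openssl ecparam -genkey -name prime256v1 -noout -out "$keyfile"
    fi
    chmod 600 "$keyfile"
}

# make_san_csr KEYFILE CSRFILE HOST [HOST...]: the first host becomes the CN
# and every host, including the first, is listed in subjectAltName, which is
# what the CA actually issues for.
make_san_csr() {
    local keyfile=$1 csrfile=$2
    shift 2
    local cn=$1 sans="" h cnf
    for h in "$@"; do
        sans="${sans:+$sans,}DNS:$h"
    done
    cnf=$(mktemp)
    cat >"$cnf" <<EOF
[req]
distinguished_name = req_dn
req_extensions = req_san
prompt = no
[req_dn]
CN = $cn
[req_san]
subjectAltName = $sans
EOF
    openssl req -new -sha256 -key "$keyfile" -config "$cnf" -out "$csrfile"
    rm -f "$cnf"
}

# csr_sans CSRFILE: print the DNS names in the CSR's SAN extension, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# csr_matches_key CSRFILE KEYFILE: true if the CSR's public key is KEYFILE's.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Typical use:
#   gen_domain_key domain.key ecc
#   make_san_csr domain.key domain.csr example.com www.example.com
#   csr_sans domain.csr            # should list both names
#   csr_matches_key domain.csr domain.key
```

Writing the configuration to a temporary file rather than using process substitution also makes the script work under plain sh and on systems where the stock openssl.cnf is missing or in an unusual place.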
Setting Up Domain Validation
When issuing DV (Domain Validation) certificates, the CA needs to verify that you control the domain. Traditional CAs typically send a validation email to an address at the domain. Let's Encrypt's HTTP challenge works differently: for each name in the CSR, the CA hands the client a random token, the client writes a file containing it under /.well-known/acme-challenge/ on your server, and the CA then fetches that URL over plain HTTP (port 80). If the content matches, control of the host answering for that name is confirmed.
Create a directory for the challenge files. It must be readable by the Nginx worker user and writable by the user that runs acme-tiny:
mkdir -p ~/www/verify/
Then configure your HTTP server. Here's an Nginx example:
server {
    listen 80;
    server_name www.example.com example.com;

    # Serve challenge files from the verification directory. A missing file
    # is a plain 404, never a redirect.
    location ^~ /.well-known/acme-challenge/ {
        alias /home/user/www/verify/;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS.
    location / {
        rewrite ^/(.*)$ https://example.com/$1 permanent;
    }
}
Requests under /.well-known/acme-challenge/ are answered from the verification directory (with a 404 if the file does not exist), and every other request is redirected to HTTPS. Keep this block permanently: every renewal performs exactly the same validation.
Obtaining the Certificate
Download the acme-tiny script to your certificates directory. It will read your account key, so review the script (it is a single short file) and keep the copy you audited rather than re-fetching master on every renewal:
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
Run the script with your account key, CSR, and the verification directory. It needs no root privileges and never touches domain.key; run it as an unprivileged user that can write to the verification directory:
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir ~/www/verify/ > ./signed.crt
If successful, the signed certificate is written to signed.crt; progress and errors go to stderr.
If your domain's authoritative DNS is hosted with a provider whose name servers are not reliably reachable from outside China, you may see an error like:
ValueError: Wrote file to /home/user/www/verify/abc123..., but couldn't download http://www.example.com/.well-known/acme-challenge/abc123...
acme-tiny writes the challenge file and then tries to fetch it through the public hostname itself before telling the CA to check; this error means that self-check failed, usually because the name does not resolve (or resolves to the wrong address) from outside your own network. Confirm resolution from a public resolver and that port 80 is reachable from the Internet, or move to an internationally reachable DNS provider. Alternatively, use a client that supports the DNS challenge, such as "Neilpang/le" (since renamed acme.sh) in DNS mode, which requires no inbound HTTP at all.
After obtaining the server certificate, download Let's Encrypt's intermediate certificate. As explained in previous articles, the server must send the intermediate along with its own certificate but should not send the root. Two caveats: the intermediate's name changes over time (X3 has since been retired), so take the current one from https://letsencrypt.org/certificates/ rather than hard-coding this URL; and current acme-tiny releases, which speak ACME v2, already append the intermediate to their output, so look at the end of signed.crt before adding a second copy:
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
For OCSP stapling, Nginx also needs a file it can use to verify the CA's OCSP responses (the ssl_trusted_certificate directive). Build it from the intermediate and the root:
wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
cat intermediate.pem root.pem > full_chained.pem
Finally, update your Nginx configuration and reload. Nginx does not expand ~, so use absolute paths:
ssl_certificate /home/user/www/certs/chained.pem;
ssl_certificate_key /home/user/www/certs/domain.key;
ssl_stapling on; ssl_stapling_verify on;
ssl_trusted_certificate /home/user/www/certs/full_chained.pem;
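Before reloading Nginx it is worth checking that chained.pem and full_chained.pem are actually what the directives expect. The bash helpers below are an added example, not part of the guide: they verify that the first certificate in the chain file is the one for domain.key (the classic mistake is putting the intermediate first, which openssl verify alone does not catch), that the chain verifies up to the root, and that the trusted-certificate file can verify the server certificate as stapling verification requires. A throwaway root/intermediate/leaf PKI for example.com is constructed in make_toy_pki purely so the checks can run offline; with real files, call the check functions on signed.crt, intermediate.pem, root.pem, chained.pem and full_chained.pem instead.

```shell
#!/usr/bin/env bash
# Added example, not from the guide: check the chain files before pointing
# nginx at them. A throwaway three-tier PKI (root -> intermediate -> leaf for
# example.com) is constructed in make_toy_pki purely so the checks can run
# offline; with real files, call the check functions on signed.crt,
# intermediate.pem, root.pem, chained.pem and full_chained.pem instead.
set -eu

# make_toy_pki DIR: writes root.pem, intermediate.pem, signed.crt, domain.key
# and the two combined files the guide builds, all under DIR. Constructed
# test data only; subjects and lifetimes are arbitrary.
make_toy_pki() {
    local d=$1 n
    mkdir -p "$d"
    printf '[req]\ndistinguished_name = dn\n[dn]\n' >"$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com,DNS:www.example.com\n' >"$d/leaf.ext"
    for n in root intermediate domain; do
        openssl ecparam -genkey -name prime256v1 -noout -out "$d/$n.key"
    done
    # Self-signed root.
    openssl req -new -key "$d/root.key" -config "$d/req.cnf" -subj "/CN=Toy Root" -out "$d/root.csr"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate, signed by the root (the role Let's Encrypt's intermediate plays).
    openssl req -new -key "$d/intermediate.key" -config "$d/req.cnf" -subj "/CN=Toy Intermediate" -out "$d/intermediate.csr"
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
    # Leaf, signed by the intermediate (what comes back as signed.crt).
    openssl req -new -key "$d/domain.key" -config "$d/req.cnf" -subj "/CN=example.com" -out "$d/domain.csr"
    openssl x509 -req -in "$d/domain.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" -CAcreateserial \
        -days 2 -extfile "$d/leaf.ext" -out "$d/signed.crt" 2>/dev/null
    cat "$d/signed.crt" "$d/intermediate.pem" >"$d/chained.pem"        # ssl_certificate
    cat "$d/intermediate.pem" "$d/root.pem" >"$d/full_chained.pem"     # ssl_trusted_certificate
}

# chain_file_ok CHAINED ROOT: the first certificate in CHAINED must verify up
# to ROOT using the other certificates in CHAINED as the untrusted chain,
# which is what a client does with what nginx sends.
chain_file_ok() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# cert_matches_key CERTFILE KEYFILE: the first certificate in CERTFILE must be
# the one for KEYFILE. openssl verify alone does not catch the classic mistake
# of putting the intermediate before the server certificate; this does.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# stapling_trust_ok SIGNED FULL_CHAINED: the file given to ssl_trusted_certificate
# must be able to verify the server certificate, or stapling verification fails.
stapling_trust_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Run all three checks in the renewal script before the reload, and abort if any fails, so a bad chain never reaches the live server.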
Configuring Automatic Renewal
Let's Encrypt certificates are valid for 90 days, so set up automated renewal. Create a renewal script (for example, renew_cert.sh) and make it executable. The version below writes the new files under temporary names and only swaps them in once issuance has succeeded, so a failed run leaves the working certificate untouched, and it tests the Nginx configuration before reloading:
#!/bin/bash
set -e
cd /home/user/www/certs/
# Issue into a temporary file; with set -e a failure here aborts before anything live is touched.
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /home/user/www/verify/ > signed.crt.new
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt.new intermediate.pem > chained.pem.new
# Swap the new files in only after both were built successfully.
mv signed.crt.new signed.crt
mv chained.pem.new chained.pem
nginx -t && service nginx reload
Add the following to your crontab using absolute paths. Append the output to a log file rather than discarding it, so that a failed renewal is noticed:
0 0 1 * * /home/user/shell/renew_cert.sh >> /home/user/shell/renew_cert.log 2>&1
This reissues the certificate on the first of every month, well inside the 90-day validity, so a single failed run still leaves two more attempts before expiry. The short lifetime is intentional: it forces automation and limits the damage from a compromised key or a mis-issued certificate, since either is only useful until expiry.
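The cron line above reissues on a fixed date regardless of how much validity is left. As an added example (not from the guide), the bash helpers below instead compute how many days the live certificate has left, using only openssl's -checkend test so no GNU date is needed, and trigger the renewal script only once that drops under a threshold; the intent is to run them daily so that a failed attempt is simply retried the next day. The path of the renewal script passed as the third argument is hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: decide whether a renewal is
# actually due instead of blindly reissuing on a fixed calendar day. Run it
# daily from cron and it only calls the issuance script once the live
# certificate has fewer than THRESHOLD_DAYS left, which gives failed attempts
# weeks of retries before the site goes dark.
set -eu

# days_left CERTFILE: print how many whole days remain before notAfter, using
# only openssl's own -checkend test (exit 0 if the cert is still valid N
# seconds from now), so it works without GNU date.
days_left() {
    local cert=$1 lo=0 hi=3650 mid
    # Binary search for the largest day count at which the cert is still valid.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if openssl x509 -in "$cert" -noout -checkend $(( mid * 86400 )) >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# renewal_due CERTFILE THRESHOLD_DAYS: succeed if the cert is missing or
# expires within THRESHOLD_DAYS (Let's Encrypt's own advice is 30 days).
renewal_due() {
    local cert=$1 threshold=$2
    [ -f "$cert" ] || return 0
    ! openssl x509 -in "$cert" -noout -checkend $(( threshold * 86400 )) >/dev/null 2>&1
}

# renew_if_due CERTFILE THRESHOLD_DAYS RENEW_SCRIPT: cron entry point.
# RENEW_SCRIPT is assumed to be the guide's renew_cert.sh (hypothetical path);
# a daily crontab line would be, for example:
#   0 3 * * * /home/user/shell/renew_when_due.sh >> /home/user/shell/renew_cert.log 2>&1
# where renew_when_due.sh sources this file and calls:
#   renew_if_due /home/user/www/certs/signed.crt 30 /home/user/shell/renew_cert.sh
renew_if_due() {
    if renewal_due "$1" "$2"; then
        "$3"
    fi
}
```

Because acme-tiny simply issues a new certificate on every run, gating it this way also keeps you well clear of the duplicate-certificate rate limit if the job is ever run more often than intended.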
Compatibility Considerations
Certificate compatibility across operating systems and browsers is a common concern. Thanks to cross-signing by IdenTrust's DST Root CA X3, Let's Encrypt certificates are widely trusted. At the time of writing, problems had been observed only with Android 2 and Windows XP (Firefox ships its own certificate store and therefore works on XP).
The Windows XP issue was resolved on March 26, 2016, with new cross-signatures from IdenTrust. (That cross-sign has since expired, on September 30, 2021; clients now need ISRG Root X1 in their trust store, so check https://letsencrypt.org/certificates/ for the chain currently in use.)
ECC certificate support was launched on February 11, 2016.
For users who require broader compatibility, particularly with legacy systems, commercial alternatives like RapidSSL Standard or Comodo Positive SSL remain viable options, though Let's Encrypt is strongly recommended for most use cases.