In this post I'll address one specific task: obtaining a manual certificate from Let's Encrypt
Who is this for?
If you don't have direct command line access, or the necessary permissions to install Let's Encrypt on your webserver; then you won't be able to obtain a certificate using the automated process.
If you can install Let's Encrypt on your webserver, you should. It simplifies the process down to a single command. You'll also enjoy the benefits of being able to setup an auto renew process directly on the machine serving the certificate.
I'll detail this on OS X, but the commands used should be identical on a Linux machine, and very similar on Windows.
First you'll need to download Let's Encrypt, as detailed on their own guide page
git clone https://github.com/letsencrypt/letsencrypt
Now initiate the manual process by asking for certonly (i.e. don't also install on current machine), with the manual flag (to verify ownership yourself).
./letsencrypt-auto certonly --manual
You'll be asked for your account password so Let's Encrypt can run with root privileges. If all goes well you'll see the following screen.
Obviously, use your own domain here (remembering to include the www subdomain, and any others you'll need).
You'll then be informed that your current IP address will be publicly logged. If you're okay with that proceed.
You'll then be greeted with the information required to verify ownership of the domain (this will have to be done for each domain/subdomain you requested a certificate for).
The task here is to have the URL specified, display the content specified which is immediately below it. I use git to interact with my webserver, so I am able to perform changes on my local machine, and push them up to the server. That said, the process I detail is by no means the only way to get this done, and indeed, not having a fixed procedure is the very point of manual mode. The important part of this is, that you need to have a specific URL display specific content.
In my local directory I created the beginning of this URL path.
From here, and for each subsequent challenge I ran the following (obviously replacing the details each time for each respective challenge).
Create a directory for the last part of the path Let's Encrypt will look at, and navigate into it.
Then I used nano to create an index.php (which will be called when the root of the directory is requested). In this file I set the content to be displayed, and the content-type header to JSON –
which appears to be required.Edit: 22 Jul, 2016: This is not required
Here's that index.php file
From here I simply push the changes live via git, and copy-pasted the URL specified by Let's Encrypt into the browser to verify everything was being returned correctly.
Once that was verified, I finally hit enter within the Let's Encrypt window and repeated the same process to verify the domain (without www).
If all went well, a success message should appear indicating you've authenticated ownership of the domains.
If you need a certificate.pfx to upload, then you'll need to create one with open SSL. Navigate to the directory Let's Encrypt told you about, you may also need to prefix that with sudo – the files were probably created with root only access.
sudo cd /etc/letsencrypt/live/www.aidanwoods.com/
Then create a certificate with open SSL as follows
sudo openssl pkcs12 -export -out “certificate.pfx” -inkey “privacy.pem” -in “cert.pem” -certfile “chain.pem”
You'll be prompted to create a password for the certificate. Once you've chosen one, you'll find a certificate.pfx file in that same directory ready to use on your webserver.
For me in Azure, it was just a case of uploading the certificate, and assigning it to both the www and 'naked' domain on my website.
Questions, clarifications, corrections? Contact me on Twitter @aidantwoods