On December 3, 2015, the Let's Encrypt project switched to "public beta" mode.

How to use the certificates issued by this project?


You can use any of the client implementations that work with Let's Encrypt on your system.

For example, there is a step-by-step guide for the official client.

But I liked the minimalist shell script from the lukas2511 repository, which requires neither elevated privileges nor the installation of additional programs/packages (everything it needs is usually already present in any "server" installation: bash, openssl, curl and the coreutils utilities).

How I set up this client:

  1. For security, I created a user letsencrypt (without a password):

    $ sudo adduser --disabled-password letsencrypt 
  2. opened a shell session as this user:

     $ sudo -u letsencrypt -i
     letsencrypt@host:~$ 
  3. cloned the repository with the script and "moved" into the created directory:

     $ git clone https://github.com/lukas2511/letsencrypt.sh.git
     $ cd letsencrypt.sh 

    If git is not installed, you can download the archive with files and unpack it.

  4. copied the example config:

     $ cp config.sh.example config.sh 
  5. created the domains.txt file for the domain (I need the certificate to include both the name with and the name without www):

     domain.tld www.domain.tld 

    If you need certificates for other domains on the same machine, you can add more lines to this file, one line per certificate.

  6. created a directory for the validation challenges:

     $ mkdir .acme-challenges 
  7. Now we need to turn to the HTTP server settings for a moment. You can end the letsencrypt user's session, or better, open another window with a shell as a more privileged user.

    An alias for /.well-known/acme-challenge must be set in the HTTP server settings so that it points to the directory created in the previous step; presumably that will be /home/letsencrypt/letsencrypt.sh/.acme-challenges.

    1. for nginx, add the location to the server section:

       location /.well-known/acme-challenge {
           alias /home/letsencrypt/letsencrypt.sh/.acme-challenges;
       }
    2. for apache, add the line to the virtualhost section:

       Alias /.well-known/acme-challenge /home/letsencrypt/letsencrypt.sh/.acme-challenges 

    This must be done for all domains (more precisely, for each line in the domains.txt file you created).

    The HTTP server must be restarted after that.

  8. Now you can run the script to generate the certificate(s). Return to the window with the shell running as the letsencrypt user (or open a new one and go to the directory with the script):

     $ ./letsencrypt.sh -c 

    If everything goes well, the last line of output will be:

      + Done! 
  9. The certificate and key for the domain are generated and are located in the /home/letsencrypt/letsencrypt.sh/certs/domain.tld directory:

     cert.pem
     privkey.pem 

    Actually, they are symlinks to the current versions of these files, which sit in the same directory and carry a timestamp in their name, like cert-1453143084.pem.

  10. Now you can put these files into the HTTP server settings:
    • certificate file: /home/letsencrypt/letsencrypt.sh/certs/domain.tld/cert.pem
    • file with the key: /home/letsencrypt/letsencrypt.sh/certs/domain.tld/privkey.pem
  11. Certificates are renewed the same way they are generated: as the letsencrypt user, go to the directory with the script and run it with the same parameter, ./letsencrypt.sh -c.

    You can create a cron job that, after a couple of months (certificates are issued for 90 days), runs the script (as this user and in the right directory) and restarts the HTTP server.
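Before the files from step 10 go into the server config, and to decide whether the cron job from step 11 actually needs to run yet, two quick checks with the openssl CLI are useful. This is an added example, not part of the answer above; the directory it uses and the self-signed sample pair it generates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the answer above: sanity checks for the files
# letsencrypt.sh leaves in certs/<domain>/, using only openssl and coreutils.
set -eu

# Exit 0 when the certificate expires within $2 days (renewal is due),
# 1 when it is still valid for longer than that. A missing or unreadable
# certificate also counts as "renewal due".
needs_renewal() {
    cert=$1; days=$2
    # -checkend N exits 0 if the cert is still valid N seconds from now
    if openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Exit 0 when the public key inside the certificate matches the private key,
# so a stale or mismatched privkey.pem is caught before the server loads it.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: a throwaway self-signed pair valid for 10 days,
# standing in for certs/domain.tld/cert.pem and privkey.pem.
make_sample_pair() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=domain.tld" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_sample_pair "$dir"
    if needs_renewal "$dir/cert.pem" 30; then
        echo "cert.pem expires within 30 days: run ./letsencrypt.sh -c"
    else
        echo "cert.pem still valid for more than 30 days"
    fi
    if key_matches_cert "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "privkey.pem matches cert.pem: safe to reference in the server config"
    else
        echo "privkey.pem does NOT match cert.pem"
    fi
    rm -rf "$dir"
}

demo
```

Point both functions at the real certs/domain.tld/cert.pem and privkey.pem from the cron job so the script only renews and restarts the server when a certificate is actually close to expiry.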

The Let's Encrypt certificate authority uses the Automated Certificate Management Environment protocol. It is better to get a certificate using one of the recommended clients. My choice was GetSSL. This is a simple bash script that can update itself. It works through the openssl CLI, so there is no tight binding to a particular version.

GetSSL automates obtaining and renewing a certificate with a few commands. For example, to get a certificate for domain.tld:

 srv ~ # getssl -c domain.tld
 creating main config file /root/.getssl/getssl.cfg
 Making domain directory - /root/.getssl/domain.tld
 creating domain config file in /root/.getssl/domain.tld/getssl.cfg
 srv ~ # getssl domain.tld 

The first command adds the domain to the list (it is run once); the second obtains the certificate.

This article describes the process of obtaining a certificate with GetSSL in more detail.