Based on “Install lets encrypt to create SSL certificates”:

  • sudo apt update && sudo apt upgrade -y
  • sudo apt-get install git
  • sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  • cd /opt/letsencrypt
  • sudo -H ./letsencrypt-auto certonly --standalone -d yoursubdomain.yourdomain.com
    • enter email for renewal purposes
    • type A to agree with Terms of Service
    • Y or N to share or not share email address with EFF
    • now you should see output like:
      • Obtaining a new certificate
        Performing the following challenges:
        http-01 challenge for yoursubdomain.yourdomain.com
        Cleaning up challenges
      • if you now get the error “problem binding to port 80: Could not bind to IPv4 or IPv6”, it means you have to stop your web server (nginx, apache-tomcat, …) because letsencrypt needs to start its own web server to be able to authenticate your domain
      • if authentication succeeds you will see output:
        Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/yourdomain/fullchain.pem
        Your key file has been saved at: /etc/letsencrypt/live/yourdomain/privkey.pem
        Your cert will expire on 2018-xx-xx. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run “letsencrypt-auto renew”

Renew certificate (based on letsencrypt help):

  • stop the web server on your machine (nginx, apache etc.) because the letsencrypt certification tool needs to bind to the ports 443 etc.
  • cd /opt/letsencrypt
  • ./letsencrypt-auto renew
    • output should look like this:
      Requesting to rerun ./letsencrypt-auto with root privileges...
      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Processing /etc/letsencrypt/renewal/yourdomain.conf
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cert is due for renewal, auto-renewing...
      Plugins selected: Authenticator standalone, Installer None
      Renewing an existing certificate
      Performing the following challenges:
      tls-sni-01 challenge for yourdomain
      Waiting for verification...
      Cleaning up challenges
      
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      new certificate deployed without reload, fullchain is
      /etc/letsencrypt/live/yourdomain/fullchain.pem
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      
      Congratulations, all renewals succeeded. The following certs have been renewed:
      /etc/letsencrypt/live/yourdomain/fullchain.pem (success)
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
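
The renewal steps above as one script, added here as an example (not from the original page or from the letsencrypt project): it stops the web server, runs the renew command, and starts the web server again even when the renewal fails. The nginx systemctl commands, the `--run` switch and the file name renew.sh are assumptions.

```shell
#!/bin/sh
# Added example: the renew steps from this page in one script.
# Assumed, not from the page: nginx under systemd, and the --run switch.
LE_DIR="${LE_DIR:-/opt/letsencrypt}"                # clone location used above
RENEW_CMD="${RENEW_CMD:-./letsencrypt-auto renew}"  # renew command used above
WEB_STOP="${WEB_STOP:-systemctl stop nginx}"        # assumption
WEB_START="${WEB_START:-systemctl start nginx}"     # assumption

# Returns the renew command's exit status, or:
#   2 = LE_DIR missing, 3 = web server would not stop (nothing renewed),
#   4 = web server did not come back up.
renew_certs() {
    (
        cd "$LE_DIR" || exit 2
        if ! sh -c "$WEB_STOP"; then
            echo "web server did not stop; skipping renewal" >&2
            exit 3
        fi
        # If cron or an operator kills the script mid-renewal, still restart.
        trap 'sh -c "$WEB_START"; exit 130' INT TERM
        rc=0
        sh -c "$RENEW_CMD" || rc=$?
        if ! sh -c "$WEB_START"; then
            echo "web server did not start again" >&2
            exit 4
        fi
        exit "$rc"
    )
}

# Run only when asked to, e.g. from root's crontab: sh renew.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_certs
    exit $?
fi
```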