Let's Encrypt - Free, Trusted TLS for Everybody

Let’s Encrypt is a new certification authority (CA) providing free TLS certificates. Just recently they entered Public Beta. Reason enough to give it a try… They claim to automate the main steps of obtaining a certificate, and indeed, the procedure turns out to be fairly easy. Let’s Encrypt provides client software hosted on GitHub that does all the hard work for you. The software comes with a couple of plugins that aim to obtain and install certificates with a running web server. But as it is still beta software, some of the plugins are marked as experimental or might not work. I’m running Nginx and refrained from using the experimental nginx plugin. Instead I used the standalone plugin, which starts an agent with its own built-in web server to talk to the CA. It proves that you actually control the domain (domain validation): the agent’s web server binds ports 80 and 443 and answers the callbacks that Let’s Encrypt’s backend sends to your domain. This means you will have to stop your own web server while the client software runs. If you can’t or don’t want to stop your web server, take a look at the webroot or manual plugins.

Anyway, to cut a long story short, here is what worked for me:

$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto --help
$ 
$ sudo service nginx stop
$ sudo ./letsencrypt-auto certonly --standalone -d layereight.de
$ sudo service nginx start

If everything went well, you will find your certificates in /etc/letsencrypt/live/layereight.de/. Currently they are only valid for 90 days, probably to minimize the risk in case of abuse. Another interesting fact is that the whole process currently only works over IPv4, i.e. domain validation uses the DNS A record of your domain.
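Because the certificates expire after 90 days, the stop/certonly/start procedure above has to be repeated regularly. The following wrapper is an added example of my own and is not part of the post or of the Let’s Encrypt client. It only takes the web server down when the current certificate is close to expiring (checked with openssl x509 -checkend), and it uses a trap so that nginx is started again even if the client fails halfway through. Assumptions: the script is saved as renew-letsencrypt.sh, the client was cloned as in the post and is reachable via the CLIENT variable, and the live directory contains a cert.pem as written by the client; domain, paths and the renewal window are all overridable via environment variables.

```shell
#!/bin/sh
# renew-letsencrypt.sh (hypothetical name): renew a Let's Encrypt certificate
# with the standalone plugin only when it is about to expire.
# Added example, not the post's own script and not part of the Let's Encrypt client.
set -eu

DOMAIN="${DOMAIN:-layereight.de}"                          # domain from the post
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"      # where the client stores the certs
CLIENT="${CLIENT:-./letsencrypt-auto}"                     # path to the cloned client (assumed)
RENEW_WITHIN_DAYS="${RENEW_WITHIN_DAYS:-30}"               # renew when fewer days remain

# Returns 0 (true) when the certificate at $1 expires within $2 days or does
# not exist yet; returns 1 when it is still valid beyond that window.
# openssl's -checkend expects seconds and exits non-zero if the cert expires.
cert_needs_renewal() {
    cert="$1"
    days="$2"
    [ -f "$cert" ] || return 0
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# The standalone plugin needs ports 80 and 443, so nginx has to be stopped.
# The trap guarantees nginx is started again on exit, whether or not the
# client succeeded (set -e would otherwise abort the script with nginx down).
renew_standalone() {
    sudo service nginx stop
    trap 'sudo service nginx start' EXIT
    sudo "$CLIENT" certonly --standalone -d "$DOMAIN"
}

main() {
    if cert_needs_renewal "$LIVE_DIR/cert.pem" "$RENEW_WITHIN_DAYS"; then
        echo "$DOMAIN: certificate missing or expiring within $RENEW_WITHIN_DAYS days, renewing"
        renew_standalone
    else
        echo "$DOMAIN: certificate valid for more than $RENEW_WITHIN_DAYS days, nothing to do"
    fi
}

# Only run the procedure when executed under the expected script name, so the
# functions can also be sourced from another script.
case "${0##*/}" in
    renew-letsencrypt.sh) main ;;
esac
```

Run it from a cron job (for example weekly) and it will leave nginx alone until the certificate enters the renewal window; lowering RENEW_WITHIN_DAYS shortens the downtime window per renewal but leaves less room to fix a failed attempt before the old certificate expires.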