Getting started with Let’s Encrypt (without sudo)

What do you do if you want a free Let’s Encrypt certificate, but don’t have root access to your server? The trick is to run the client somewhere you do have root, and use its manual mode, which only needs you to be able to put a file on the website.

One pitfall I found through searching too fast: don’t go out and use the old diafygi script on GitHub; its features are already in the latest Let’s Encrypt code.

If your webhost has Python and lets you install software, you might even be able to run Let’s Encrypt right on the server. Mine isn’t set up right, though, so a fresh Ubuntu LiveCD or USB stick will do to begin (root on the LiveCD system is all the client needs; the webhost never sees it). Once you’ve got your LiveCD system up and running, download Let’s Encrypt and extract it where convenient, your choice of:

git clone https://github.com/letsencrypt/letsencrypt

or

wget https://github.com/letsencrypt/letsencrypt/archive/master.zip
unzip master.zip

You will need to enable the Universe repository to install Let’s Encrypt’s dependencies. In Ubuntu 15.10, Universe is not enabled by default; the easy way is to open the “Software & Updates” module from the Ubuntu menu and tick the Universe repository.

Once that hurdle is cleared, fire up Let’s Encrypt in manual mode.

./letsencrypt-auto certonly -a manual -d mydomain.com

letsencrypt-auto first installs its supporting packages (this is the step that needs sudo, and it happens on the LiveCD system, not on your webhost), then registers an account key with the LE servers and sends the certificate request. Because this is manual mode, it then stops and instructs you to post public URLs on your site for verification, one per domain. It also warns that the public IP of the machine you are running it on will be logged as having requested the certificate.

Each challenge string is composed of two parts, separated by a period. The first part is a random token that the LE servers issued for that particular domain’s challenge, so it differs per domain; the second part is a fingerprint of your account key, so it is the same for every domain in the request. The filename the LE servers request is just the first part (the token), and inside the file all the server wants to see is the whole two-part challenge string, nothing else.

Go to the document root for your particular domain name(s), i.e. the folder that is served as http://mydomain.com/, and run the following (note the hyphen in .well-known; the URL the LE servers fetch is http://mydomain.com/.well-known/acme-challenge/[token]):

mkdir -p .well-known/acme-challenge
cd .well-known/acme-challenge
nano [token]   # or your favourite text editor; the filename is the first part of the challenge
[paste or enter the entire challenge response line, and nothing else]

The challenge files must stay in place until you have your certificate in hand, so don’t delete any challenges prematurely. You’ll need to repeat this in various combinations if your site has multiple document roots and/or multiple domains. Some hosts refuse to serve files or folders whose names start with a dot, so test each URL with a browser or curl from the LiveCD before you continue; the LE servers fetch over plain HTTP, so that is what you should test.

If you have more than one domain/subdomain you are registering with the same certificate, you must have all of the files present before hitting ENTER the last time, which is when LE actually contacts your site to look for the challenge responses. So don’t tap through too fast.
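The placing-and-checking steps above, as an added shell example that is not part of the original post or of the Let’s Encrypt client. It assumes the challenge line has the form [token].[account-fingerprint] as printed by the client, and that the first argument is the document root your host serves for the domain; the values in the usage comment are made up.

```shell
#!/bin/sh
# Added example (not from the original post): write an http-01 challenge
# response from the line letsencrypt printed, then fetch it the way the
# LE servers will before pressing ENTER.

# place_challenge WEBROOT KEYAUTH
# The file is named after the part before the first period (the token);
# the whole line is the file body. Prints the path of the file written.
place_challenge() {
    webroot="$1"
    keyauth="$2"
    token="${keyauth%%.*}"      # everything before the first period
    # Tokens are base64url, so anything else (empty, slashes, dots) is a
    # pasting mistake; refuse rather than write a file somewhere odd.
    case "$token" in
        ''|*[!A-Za-z0-9_-]*) echo "refusing bad token in: $keyauth" >&2; return 1 ;;
    esac
    dir="$webroot/.well-known/acme-challenge"   # note the hyphen in .well-known
    mkdir -p "$dir"
    printf '%s' "$keyauth" > "$dir/$token"      # no trailing newline, nothing else
    chmod 644 "$dir/$token"                     # must be readable by the web server
    echo "$dir/$token"
}

# verify_challenge DOMAIN KEYAUTH
# Fetch over plain HTTP (what the LE servers do) and compare the body with
# the expected key authorization byte for byte.
verify_challenge() {
    domain="$1"
    keyauth="$2"
    token="${keyauth%%.*}"
    url="http://$domain/.well-known/acme-challenge/$token"
    body=$(curl -fsSL --max-time 10 "$url") || { echo "fetch failed: $url" >&2; return 1; }
    if [ "$body" = "$keyauth" ]; then
        echo "OK: $url serves the expected response"
    else
        echo "MISMATCH at $url" >&2
        echo "expected: $keyauth" >&2
        echo "got:      $body" >&2
        return 1
    fi
}

# Usage with hypothetical values (run once per domain, then press ENTER):
#   place_challenge /home/me/public_html 'AbCd1234-_.EfGh5678_-'
#   verify_challenge mydomain.com 'AbCd1234-_.EfGh5678_-'
```

Run place_challenge on (or with the file copied to) the webhost, then verify_challenge from the LiveCD machine; a mismatch usually means the host added a newline, served a directory listing or error page, or blocked the dot-directory.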

When successful, you will get a set of files that together allow TLS (what most people still call SSL) for your website: on the LiveCD system they land in /etc/letsencrypt/live/mydomain.com/ as cert.pem, chain.pem, fullchain.pem and privkey.pem. Copy the whole /etc/letsencrypt tree to persistent storage before you shut the LiveCD down, because it holds both the certificate’s private key and the account key you will need to renew, and treat privkey.pem as a secret when you upload it to the webhost. Configuring the web server to use them is another story (I’ll let you know when I’m done!)