Let’s Encrypt is a way to get a free signed certificate, with the intent of enabling end-to-end encryption between the server (web, mail etc.) and the client. That matters when you are in an Internet cafe or on a hotspot at an airport.
To get a certificate, you have to prove that you control the DNS zone or the web server of the domain you want the certificate for.
There is complete documentation of the ACME protocol behind it, and clients that use it make this easy for normal users without having to mess with manually created certificates. I used the “le” client:
git clone https://github.com/Neilpang/le
cd le
./le.sh issue dns DOMAIN HOST1_OF_THE_DOMAIN,HOST2_OF_THE_DOMAIN ec-384
DOMAIN is your domain, e.g. studiokubota.com. HOST1_OF_THE_DOMAIN,HOST2_OF_THE_DOMAIN is a comma-separated list of hosts in that domain, e.g. www.studiokubota.com,mail.studiokubota.com etc.
When done, I had to set some TXT records for my domain to confirm that I control the DNS zone I request certificates for. Then, about 10 minutes later:
./le.sh renew DOMAIN
confirms everything and creates properly signed certificates in ~/.le/DOMAIN/
Note that the lifetime of this certificate is relatively short, 3 months, so the renew command needs to be run at least once per quarter.
$ openssl x509 -in studiokubota.com.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xx:xx:2c:8d:6c:a3:06:12:2e:c8:03:3c:91:xx:xx:xx:xx:xx
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
        Validity
            Not Before: Feb 25 07:40:00 2016 GMT
            Not After : May 25 07:40:00 2016 GMT
[...]
To use the key/certificate, do:
cp studiokubota.com.cer /etc/ssl/certs/studiokubota.com.pem
cp studiokubota.com.key /etc/ssl/private/
chown root:root /etc/ssl/certs/studiokubota.com.pem /etc/ssl/private/studiokubota.com.key
chmod go-rwx /etc/ssl/private/studiokubota.com.key
c_rehash
You should now see 2 links to the .pem file in /etc/ssl/certs:
root@docker-3:/etc/ssl/certs# ls -la | grep studiokubota
lrwxrwxrwx 1 root root   11 Feb 25 12:56 065f4d47.0 -> studiokubota.com.pem
lrwxrwxrwx 1 root root   11 Feb 25 12:56 446cb3a7.0 -> studiokubota.com.pem
-rw-r--r-- 1 root root 1578 Feb 25 12:47 studiokubota.com.pem
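As an added example (not part of the original post or of the le client), here are two shell checks a deploy script can run before copying the files from ~/.le/DOMAIN/ into /etc/ssl: whether the certificate is within N days of expiry and therefore due for a renew, and whether the private key actually belongs to the certificate. It assumes the openssl command-line tool is installed; the function names are my own.

```shell
#!/bin/sh
# Pre-deployment checks for a Let's Encrypt certificate issued by le.sh.
# Assumption: the openssl command-line tool is available.

# Returns 0 when CERT expires within DAYS days (default 30), i.e. a renew is
# due; returns 1 when it is still good for longer than that.
cert_renewal_due() {
    cert="$1"
    days="${2:-30}"
    # openssl x509 -checkend N exits 0 if the cert is still valid N seconds
    # from now and 1 if it will have expired by then.
    if openssl x509 -noout -in "$cert" -checkend $(( days * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Returns 0 when the private key KEY matches the public key inside CERT.
# Works for both RSA and EC (e.g. ec-384) keys because "openssl pkey" is
# algorithm-agnostic; both sides are compared as SHA-256 of the DER public key.
cert_matches_key() {
    cert="$1"
    key="$2"
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run `cert_renewal_due ~/.le/DOMAIN/DOMAIN.cer 30` from a daily cron job to trigger `./le.sh renew DOMAIN` well before the 3-month lifetime ends, and `cert_matches_key` right before the cp commands above so a stale key never ends up in /etc/ssl/private.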