On AWS, you can also use https://github.com/alex/letsencrypt-aws - it works great if you're using both Route 53 and ELB. It uses the dns-01 challenge, which is out-of-band - it adds a text record to your DNS instead of needing to inject content into your server. I prefer that approach.
I am yet to try this, but I never liked the idea that it automatically edits my nginx config. Seeing that it's in Jessie Backports makes me more confident that it does something sane, though. However the Jessie instructions don't say anything about it. Is it that you get asked questions about Nginx when you say "letsencrypt certonly"? Also strange that it doesn't even seem to require sudo to run.
Previous discussion: "Announcing Certbot: EFF's Client for Let's Encrypt"
For those of us on App Engine, here's a good set of instructions: http://blog.seafuj.com/lets-encrypt-on-google-app-engine
I've found the best tool for getting certs from LE is this:
Has anyone tried this on a site with multiple virtual hosts? That's where I ran into my largest issues with applying the certificates.
I just recently re-created my personal wiki: https://wiki.jradd.com
using: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-compa...
This dockerfile/repo made this incredibly easy to scale with nginx/ssl/docker.
Simply add the desired domain name as environment variable when starting your container, and letsencrypt will register your cert, and re-register it at an interval.
I haven't yet tried the other methods posted in this thread, but not sure I will want to, since this was so easy.
It occurred to me that this should probably be integrated with ansible for bringing up servers, and apparently I'm not the first to think so. I found a couple of projects, and this one appears to fit the bill quite nicely:
https://github.com/thefinn93/ansible-letsencrypt
Must say I'm not a fan of web first, then fallback (I mean if stand-alone works, then just use that, because that should work for certs used for e.g. smtp, imaps etc)?
It's interesting OVH just notified all their webhosting customers (I assume VPS & shared hosting) they encrypted all 1.5 million account control panels via Let's Encrypt
Correct me if I'm wrong, because I really hope I'm wrong. Don't no-questions-asked certificates completely undermine certificates and make man-in-the-middle attacks remarkably simple on 'secure' sites?
I played with Caddy a little and had an SSL for a domain I already have one for without even asking for one.
Is this not a problem?
What options do IIS/Windows users have?
Simp_le does the same thing. I use simp_le with Haproxy on one server and nginx sni on another. Works very well.
Has anyone used this on the FreeBSD servers offered by NearlyFreeSpeech.net? Tips?
I'm having problems using letsencrypt with domains with multiple DNS A records (round robin). What would be the standard way to issue certificates for a cluster?
The webserver Caddy also offers similar functionality
This example script assumes that the server has a running webserver, either Apache or Nginx. Since it doesn't use a package install for Certbot, this script should work on most Linux distributions. It installs Certbot, obtains the certificate, and sets up the cron task for renewal.
---
#!/bin/bash
#
# This sets up Let's Encrypt SSL certificates and automatic renewal
# using certbot: https://certbot.eff.org
#
# - Run this script as root.
# - A webserver must be up and running.
#
# Certificate files are placed into subdirectories under
# /etc/letsencrypt/live/*.
#
# Configuration must then be updated for the systems using the
# certificates.
#
# The certbot-auto program logs to /var/log/letsencrypt.
#
set -o nounset
set -o errexit
# May or may not have HOME set, and this drops stuff into ~/.local.
export HOME="/root"
export PATH="${PATH}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# No package install yet.
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
mv certbot-auto /usr/local/bin
# Install the dependencies.
certbot-auto --noninteractive --os-packages-only
# Set up config file.
mkdir -p /etc/letsencrypt
cat > /etc/letsencrypt/cli.ini <<EOF
# Uncomment to use the staging/testing server - avoids rate limiting.
# server = https://acme-staging.api.letsencrypt.org/directory
# Use a 4096 bit RSA key instead of 2048.
rsa-key-size = 4096
# Set email and domains.
email = admin@example.com
domains = example.com, www.example.com
# Text interface.
text = True
# No prompts.
non-interactive = True
# Suppress the Terms of Service agreement interaction.
agree-tos = True
# Use the webroot authenticator.
authenticator = webroot
webroot-path = /var/www/html
EOF
# Obtain cert.
certbot-auto certonly
# Set up daily cron job.
CRON_SCRIPT="/etc/cron.daily/certbot-renew"
cat > "${CRON_SCRIPT}" <<EOF
#!/bin/bash
#
# Renew the Let's Encrypt certificate if it is time. It won't do anything if
# not.
#
# This reads the standard /etc/letsencrypt/cli.ini.
#
# May or may not have HOME set, and this drops stuff into ~/.local.
export HOME="/root"
# PATH is never what you want it to be in cron.
export PATH="\${PATH}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
certbot-auto --no-self-upgrade certonly
# If the cert updated, we need to update the services using it. E.g.:
if service --status-all | grep -Fq 'apache2'; then
service apache2 reload
fi
if service --status-all | grep -Fq 'httpd'; then
service httpd reload
fi
if service --status-all | grep -Fq 'nginx'; then
service nginx reload
fi
EOF
chmod a+x "${CRON_SCRIPT}"
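
The cron job above reloads apache2/httpd/nginx on every run, whether or not certbot actually wrote a new certificate. As an added example (not part of the script above or of certbot), here is a small bash helper that records the SHA-256 of the live fullchain.pem and only runs the reload command when that hash changes; the domain and state-file paths in the comment at the bottom are assumptions for illustration.

```bash
#!/bin/bash
# Added example: reload a service only when the certificate file changed.
# Keeps a SHA-256 of the last-seen PEM in a state file so that a renewal
# that did nothing does not cause a needless service reload, and so the
# log line makes it obvious when a real renewal happened.
set -o nounset
set -o errexit

# sha256_of FILE: print the SHA-256 hex digest (sha256sum on Linux,
# shasum on systems without coreutils).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# cert_changed PEM STATEFILE
# Returns 0 (true) when the digest of PEM differs from the one recorded in
# STATEFILE (or no record exists yet) and records the new digest.
# Returns 1 (false) when the certificate is unchanged.
cert_changed() {
  local pem="$1" state="$2" new old=""
  new="$(sha256_of "$pem")"
  if [ -f "$state" ]; then
    old="$(cat "$state")"
  fi
  if [ "$new" = "$old" ]; then
    return 1
  fi
  printf '%s\n' "$new" > "$state"
  return 0
}

# reload_if_changed PEM STATEFILE RELOAD_CMD...
# Runs RELOAD_CMD only when cert_changed says the file is new, and prints
# which decision was taken so it shows up in the cron mail / log.
reload_if_changed() {
  local pem="$1" state="$2"
  shift 2
  if cert_changed "$pem" "$state"; then
    echo "certificate changed, reloading: $*"
    "$@"
  else
    echo "certificate unchanged, no reload"
  fi
}

# Example wiring for the cron job (hypothetical domain and state path):
# reload_if_changed /etc/letsencrypt/live/example.com/fullchain.pem \
#     /var/lib/certbot-renew/fullchain.sha256 service nginx reload
```

The state file must live somewhere cron's user can write (here a directory under /var/lib is assumed); the first run after installing the helper always reloads once, because no digest has been recorded yet.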
---
Can this run on Raspbian 7 Apache?
[Edit]: didn't read enough about it, sorry
If, like me, you don't want it to modify your config files for you, and don't want to turn off the webserver every time you renew certificates, use Webroot mode.
I updated my guide to set up Nginx + Ubuntu 16.04 + Let's Encrypt (Nginx, IPv6, HTTP/2, and A+ rating at SSL Labs):
https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc...
I hope it helps those that hesitate to use Let's Encrypt.