Let's Encrypt Beta: My Experience

2015-12-26 #Cloudflare #Let's Encrypt

After recently being accepted into the Let’s Encrypt beta (this post was originally written when it was not in public beta) I’ve finally managed to set it up. The email they send you contains some pretty simple instructions:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --agree-dev-preview --server \
  https://acme-v01.api.letsencrypt.org/directory auth

I’ve detailed the process I went through below.

How I did it

First, create a new directory somewhere on your server (I did mine in /opt) and clone the Let’s Encrypt client :

root@test-02:/opt# git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Counting objects: 23679, done.
remote: Compressing objects: 100% (145/145), done.
remote: Total 23679 (delta 90), reused 0 (delta 0), pack-reused 23534
Receiving objects: 100% (23679/23679), 6.15 MiB | 9.36 MiB/s, done.
Resolving deltas: 100% (16516/16516), done.
Checking connectivity... done.
root@test-02:/opt#

After that cd into the directory and start the client:

root@test-02:/opt# cd letsencrypt
root@test-02:/opt/letsencrypt# ./letsencrypt-auto --agree-dev-preview --server \
>       https://acme-v01.api.letsencrypt.org/directory auth

Once it installs a whole lot of dependencies we’re presented with this lovely splash screen:

Let’s Encrypt Welcome Sreen

After this I mashed enter through an agreement I was presented with an error since Nginx was listening on port 80, oh no! This meant I wasn’t able to use the default automatic registration method .

No matter, I’ll use the webroot support since Nginx support is still a little buggy as of writing (November 2015). To do this I simply add the --webroot switch (in my case I put the data in /var/www/letsencrypt)

After that I was presented with some more options:

Let’s Encrypt Beta - Webroot Options

And yet another error:

Failed authorization procedure. mooash.me (http-01): unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 190 parts, www.mooash.me (http-01): unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 190 parts

IMPORTANT NOTES:
 - The following 'unauthorized' errors were reported by the server:

   Domains: mooash.me, www.mooash.me   Error: The client lacks sufficient authorization

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

This was because I’m behind CloudFlare so my domains didn’t resolve to the server I’m trying to install it on, doh! I had to disable it and wait for the DNS changes to propagate (roughly 20-30 minutes depending on your TTL).

After that, I’m good to go. Since I’m not placing the authorisation files directly into my webroot I had to setup a location block in Nginx:

location '/.well-known' {
	alias /var/www/letsencrypt/.well-known;
}

And after all this, we’ve got our certs!

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mooash.me/fullchain.pem. Your cert will expire
   on 2016-02-11. To obtain a new version of the certificate in the
   future, simply run Let's Encrypt again.

Conclusion

Over all, the process was pretty painless considering I now have a free valid SSL certificate thats valid across most (if not all) browsers!