Free certificates? Let’s encrypt!

How to use Let’s encrypt

First at all, ensure your system is accessible from the Internet. For instance, your.domain is accesible at X.X.X.X publicly, so configure your DNS or, if you do not have a DNS provider, register your host at coddns

You need to install certbot utility from Let’s Encrypt

# Centos, Fedora
# Enable epel repositories
dnf install epel-release

# Install certbot
dnf install certbot

# Debian, Ubuntu
apt-get update && apt-get install certbot

After having installed the certbot utility, you can execute following command to get your Let’s encrypt certificate for your.domain

If you have any service already listening in port 80, this command will fail. Stop your TCP:80 services before use this command, or alternatively, launch certbot interactively.
# To generate certificates only and place them
# in /etc/letsencrypt/live/your.domain/ Run:
certbot certonly --standalone -d your.domain 

This command will generate following output:

# certbot certonly --standalone -d
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator standalone, Installer None
 Starting new HTTPS connection (1):
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for your.domain
 Waiting for verification…
 Cleaning up challenges
 Congratulations! Your certificate and chain have been saved at:
 Your key file has been saved at:
 Your cert will expire on 2020-04-20. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot
 again. To non-interactively renew all of your certificates, run
 "certbot renew"
 If you like Certbot, please consider supporting our work by:
 Donating to ISRG / Let's Encrypt:
 Donating to EFF:           

What am I seeing? At a lower level, Let’s encrypt will connect to our PC on port 80, checking the content of a random generated file. If the connection is established and the content of the file matches some kind of Let’s Encrypt algorithms, then the host is validated and the certificates generated.

So, now, you can use your new valid certificate to encrypt your favorite service, for instance, postfix.

Having your services protected under a valid certificate have never be so easy.