Generation of a free Let's Encrypt TLS certificate

Finally, the first step towards TLS ubiquity.

Posted by Mike Apted on January 1, 2016

Let's Encrypt is a free, automated and open Certificate Authority, and it is now in public beta. It is still a little rough around the edges, but it lets you generate browser-trusted TLS certificates for domains you control.

One of the "features" of Let's Encrypt is that its certificates are valid for only 90 days, so plan for renewal from the start. The project intends renewal to be automated and regards the short lifetime as a benefit: a compromised certificate ages out of circulation quickly instead of lingering for years. They are also working on automating the initial request, issuance and installation for the major web servers.

In this case I wanted a certificate for this site (hosted on AWS CloudFront / S3), so I used the certificate-only, manual process. It proves control of the domain by having you publish a verification string (a token plus a hash of your account key) at a specific path on the domain you are requesting the certificate for.

I found it challenging to get the client running on Mac OS X El Capitan, so I used a Vagrant box to simplify and contain that process.

Launch a Vagrant box

You can get into the details of Vagrant installation and setup on their site, but the short version is:

$ mkdir letsencrypt
$ cd letsencrypt
$ vagrant init
$ vagrant box add hashicorp/precise32

At this point we edit the Vagrantfile that was created and change the box line from:

= "base"

to:

= "hashicorp/precise32"

Now the box is ready to be bootstrapped and brought to life:

$ vagrant up

Once the box setup is complete we can shell into our new virtual machine with:

$ vagrant ssh

Install Let's Encrypt

Now that we are in our virtual Ubuntu machine (hashicorp/precise32 is a 32-bit Ubuntu 12.04 image; any other Linux box works too), we install the Let's Encrypt client as per the directions on their website. We also need Git to clone it, so the whole thing is:

$ sudo apt-get install git
$ git clone
$ cd letsencrypt
$ ./letsencrypt-auto --help

Generate the certificate

We use the certonly and --manual options, because we are not running the client on the web server where the certificate will be used.

$ ./letsencrypt-auto certonly -d --manual

This launches an interactive process: we agree to have our IP address logged, and are then given a filename and a verification string to publish on the site to prove that we control the domain we are requesting the certificate for. The client's automated web-server plugins can't be used here because the site is served by AWS CloudFront from S3, so the file has to be created and uploaded to the bucket by hand. Once it is in place and reachable, we let the interactive process continue, and the client writes out the private key, certificate and intermediate chain and prints their paths; these are what we use to secure the site. Bear in mind that the private key now lives inside a throwaway Vagrant VM: copy it out before destroying the box, and protect that copy as you would any other private key.
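What the "filename and hash" actually are, and how to check the upload before answering the client's prompt, as an added example that is not part of the original post or of the Let's Encrypt client: the path is /.well-known/acme-challenge/<token> and the content is the ACME key authorization, <token>.<RFC 7638 thumbprint of your account key>, which the CA fetches over plain HTTP and compares against what it expects. The account key JWK, the token and the domain example.com below are constructed placeholders (not a real key); everything else is the real computation, plus a token sanity check that is worth having when you build file paths by hand.

```python
import base64
import hashlib
import json
import re
from typing import Callable, Optional
from urllib.request import urlopen

# Constructed placeholder for the public half of an ACME account key, as a JWK.
# It is NOT a real RSA key; the values only need to be well-formed for the example.
EXAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8w",
    "alg": "RS256",  # optional member: must NOT influence the thumbprint
}

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # base64url alphabet only, as ACME requires


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME and JWS use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required public
    members only, keys sorted lexicographically, no whitespace. Optional members
    such as "alg" are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def validate_token(token: str) -> str:
    """Reject anything outside the base64url alphabet before using the token as a
    file or URL path component: a token containing '/' or '..' would otherwise be a
    path-traversal vector when you create the challenge file by hand."""
    if not TOKEN_RE.match(token):
        raise ValueError(f"invalid ACME token: {token!r}")
    return token


def key_authorization(token: str, account_jwk: dict) -> str:
    """The string the client asks you to publish: <token>.<thumbprint of the account key>."""
    return f"{validate_token(token)}.{jwk_thumbprint(account_jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """HTTP-01 is fetched by the CA over plain HTTP on port 80 at this well-known path."""
    return f"http://{domain}/.well-known/acme-challenge/{validate_token(token)}"


def check_served_challenge(body: bytes, token: str, account_jwk: dict) -> bool:
    """Compare what the site really serves with the expected key authorization.
    Trailing whitespace is tolerated, as the ACME spec tells servers to do; any
    other difference (HTML wrapper, error page, wrong token) fails."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return body.rstrip(b" \t\r\n") == expected


def precheck(domain: str, token: str, account_jwk: dict,
             fetch: Optional[Callable[[str], bytes]] = None) -> bool:
    """Fetch the challenge URL the way the CA will and validate the response.
    `fetch` is injectable so the check can run offline against a canned response."""
    url = challenge_url(domain, token)
    if fetch is None:
        def fetch(u: str) -> bytes:  # live fetch; urlopen follows redirects as the CA does
            with urlopen(u, timeout=10) as resp:
                return resp.read()
    try:
        return check_served_challenge(fetch(url), token, account_jwk)
    except OSError:  # DNS failure, connection refused, HTTP 4xx/5xx (HTTPError is an OSError)
        return False


if __name__ == "__main__":
    # Constructed token standing in for the one the client prints.
    token = "u3lLeYF_8h9mP3wT0XyzQ2kVn6RbaJc4dEoS1-gHi7M"
    print("Upload to S3 key:", f".well-known/acme-challenge/{token}")
    print("With content    :", key_authorization(token, EXAMPLE_ACCOUNT_JWK))
    # Simulate the CA's view of the site with a canned response instead of a live fetch.
    canned = key_authorization(token, EXAMPLE_ACCOUNT_JWK).encode() + b"\n"
    print("Pre-check       :", precheck("example.com", token, EXAMPLE_ACCOUNT_JWK, fetch=lambda u: canned))
```

Run `precheck` without the `fetch` argument from inside the Vagrant box, with your real domain and the token the client printed, before telling the client to continue: if it returns False, the object is not yet served from the bucket with a 200 and a plain body, and the CA's validation will fail in exactly the same way.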

Tags: letsencrypt, tls, security, vagrant