
Let’s Encrypt: Manually

Watching the tech industry move toward SSL certs that are both free and accessible (with a little know-how) has been a joy. Have SSH access to your server? Great, get yourself set up with Certbot and you are good to go. But what if you need to generate a free SSL cert when you don’t have SSH access and you don’t want to pay $10/year for that blog that may or may not exist beyond a year? 😄

Install Certbot

Assuming you have a macOS machine or a VM, getting started is pretty straightforward. Open Terminal and let’s get started.

I always update Homebrew before moving on to the install and I recommend verifying you are getting it from a legitimate source:

brew update
brew info certbot

# verify it's from https://certbot.eff.org/

brew install certbot

Request the SSL cert

Next, let’s set up the things relevant to us.
</grreplace_placeholder_never_used>
<gr_replace lines="30-32" cat="clarify" orig="mkdir -p $CERTBOT_TMPDIR">
mkdir -p "$CERTBOT_TMPDIR"

# The wildcard argument is quoted so the shell cannot glob-expand "*." against files in the current directory.
certbot certonly --manual \
  -d "*.$CERTBOT_DOMAIN" -d "$CERTBOT_DOMAIN" \
  --agree-tos --manual-public-ip-logging-ok \
  --preferred-challenges dns-01 \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --email "$CERTBOT_EMAIL" \
  --rsa-key-size 4096 \
  --config-dir "$CERTBOT_TMPDIR" --work-dir "$CERTBOT_TMPDIR" --logs-dir "$CERTBOT_TMPDIR" \
  --no-eff-email

CERTBOT_DOMAIN="mysite.com"
CERTBOT_EMAIL="email@mysite.com"
CERTBOT_TMPDIR=/tmp/letsencrypt/${CERTBOT_DOMAIN}

Now just copy and paste the certbot command.

mkdir -p $CERTBOT_TMPDIR

certbot certonly --manual -d *.$CERTBOT_DOMAIN -d $CERTBOT_DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --email $CERTBOT_EMAIL --rsa-key-size 4096 --config-dir $CERTBOT_TMPDIR --work-dir $CERTBOT_TMPDIR --logs-dir $CERTBOT_TMPDIR --no-eff-email

Note: you could pass the --register-unsafely-without-email flag instead of an email address, but that is strongly discouraged by the documentation, for good reason.

--register-unsafely-without-email 

Specifying this flag enables registering an account with no email address. This is strongly discouraged, because in the event of key loss or account compromise you will irrevocably lose access to your account. You will also be unable to receive notice about impending expiration or revocation of your certificates. Updates to the Subscriber Agreement will still affect you, and will be effective 14 days after posting an update to the web site. (default: False)

You should see the following:

Performing the following challenges:
dns-01 challenge for mysite.com
dns-01 challenge for mysite.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.mysite.com with the following value:

GfhN-irpaTjOB5ov0BjsNYx7x6nd-HaS-If2ZJTETGc

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Deploy the new DNS TXT record at your DNS provider, confirm it is visible, and go back to Terminal. Repeat the process for the second dns-01 challenge and you should see a “Congratulations!” in Terminal.
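Certbot tells you to verify the record is deployed before continuing, and pressing Enter too early is the usual reason a manual dns-01 run fails. The helper below is an added example and not part of the original post: it checks that the TXT value certbot printed is actually visible from a public resolver. The parsing function reads resolver output from stdin so it can be exercised without network access; wait_for_txt wraps it around dig (assumed to be installed, as it is on macOS) and polls, because DNS changes at the provider can take a few minutes to propagate. The resolver address 1.1.1.1 and the 30 × 10 s polling budget are assumptions, not anything the post specifies.

```shell
#!/bin/sh
# Added example: confirm a dns-01 TXT record is live before telling certbot to continue.

# txt_has_value EXPECTED
#   stdin: one TXT record per line, as printed by `dig +short TXT <name>`
#          (dig wraps each value in double quotes).
#   exit 0 when some line equals EXPECTED exactly, 1 otherwise.
txt_has_value() {
  expected="$1"
  while IFS= read -r line; do
    # strip the surrounding quotes dig prints around TXT data
    value=${line#\"}
    value=${value%\"}
    [ "$value" = "$expected" ] && return 0
  done
  return 1
}

# wait_for_txt NAME EXPECTED [RESOLVER]
#   Polls a public resolver (default 1.1.1.1, an assumption) every 10 s,
#   up to 30 times, until the record with the expected value is visible.
wait_for_txt() {
  name="$1"
  expected="$2"
  resolver="${3:-1.1.1.1}"
  for attempt in $(seq 1 30); do
    if dig +short TXT "$name" "@$resolver" | txt_has_value "$expected"; then
      echo "TXT record for $name is live"
      return 0
    fi
    echo "not yet visible (attempt $attempt/30), sleeping 10s"
    sleep 10
  done
  echo "gave up waiting for $name" >&2
  return 1
}

# Usage, with the name and value from the certbot prompt above:
# wait_for_txt "_acme-challenge.mysite.com" "GfhN-irpaTjOB5ov0BjsNYx7x6nd-HaS-If2ZJTETGc"
```

Run wait_for_txt once per value certbot asks for; only after it reports the record is live should you go back to Terminal and press Enter. Because the second challenge uses the same record name with a different value, keep the first TXT record in place while you add the second.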

Deploy the SSL cert

The last piece is, of course, to deploy the SSL cert, which assumes you already know how to do so in Control Panel > Zone Editor or the like.

Note that current SSL certs expire after around 3 months, at which point you will need to renew the existing certs or generate new ones from scratch. A topic for another day.
