My current hosting provider told me they don’t support Let’s Encrypt, but if I download the Let’s Encrypt software and install it on my own device and generate a Let’s Encrypt certificate and its key their SSL support team will install it for me.
Question
How do I install the Let’s Encrypt software on my own device?
Can anyone point me to the instructions for generating a certificate and its key please?
Hi @_1uke, it should work on either macOS or Raspbian. It’s better-tested on Linux-based operating systems like Raspbian, although some Raspberry Pi users have reported running out of memory when trying to install Certbot (I guess depending on the specs of their Pis).
This is great news that I have a couple of options on how to generate the certificate and the keys.
Hopefully I can teach myself how to do this and then I can pass this information on to others.
Is there any documentation on how to generate the certificate and keys on both Mac and Raspbian? (I plan on trying both ways and seeing which one works best for me).
If you could point me to some instructions that would be really helpful, hopefully I can follow the instructions and get everything set up.
Do I list all the URLs in example.com or do I need to run this command for each website?
I’m not 100% clear if it is OK to go ahead and list them all in a single certificate or if I need individual certificates as the websites are not related to each other.
Please note
I will be offline for the next 10 hours or so, but I will come back to pick up your reply.
I really appreciate the help and advice you have given me. Thank you!
When several sites are hosted on the same server, it can be useful to get a single certificate that covers all (or at least several) of those sites’ domains.
Whenever you run certbot certonly, you’ll get a single certificate. If you want that new certificate to cover several domains, all of those domains should be listed with -d parameters. If you want them instead to be covered by separate certificates, you’ll need to run certbot certonly several times.
I’m not using your terms “URL” or “website” because the domain is only one part of the web site. The certificate directly covers domain names, not web sites (for example, in https://www.example.com/foo and https://www.example.com/bar, the domain name is www.example.com).
To learn more about how web servers can host multiple HTTPS sites on the same IP address, you should read about server name indication (SNI) and subject alternative names (SAN). The -d parameters to a single Certbot command provide domain names that will be listed as SANs in the resulting certificate (up to a maximum of 100 names).
I tried to generate a certificate and keys on both my Mac and on my Raspberry Pi but I seem to be running into problems and I’m not sure what the issue is.
I was hoping you would take a look at the screenshots below and guide me in the right direction.
Hi @_1uke, the command that you used is wrong in three ways:
-d takes a domain name, not a URL. Instead of -d http://example.com/, you should write -d example.com
-w has to point at the directory that your web server is serving pages out of…
… which is only applicable when your web server is running on the same computer as Certbot, which is not the case here, so --webroot can’t be used at all. Instead, you should be using --manual when getting the certificate on a separate computer from the web server.
For the Raspberry Pi case, I don’t remember if Certbot is available in the repositories or not, and it might be called by the older name of letsencrypt if it is. So you could try
sudo apt-get install certbot (without the -t jessie-backports)
and if that doesn’t work
sudo apt-get install letsencrypt
and if that doesn’t work, follow the example at https://certbot.eff.org/#pip-other, except with the --manual form that I mentioned above instead of --webroot.
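To make the two corrections above concrete (bare domain names with -d, and --manual when Certbot runs on a different machine from the web server), here is an added shell example that is not from this thread or from Certbot itself. It checks each name before building a single certonly command covering several domains, refuses URLs the way the asker typed them, enforces the 100-name limit mentioned earlier, and includes a helper for reading the SANs back out of an issued certificate with openssl. The domain names and the certificate path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): assemble one
# "certbot certonly --manual" command that covers several domains, rejecting
# the mistakes discussed above: URLs instead of bare names, and more than
# 100 names in a single certificate. Domains and paths below are constructed.

MAX_SANS=100

# is_domain NAME -> returns 0 if NAME is a bare hostname, 1 otherwise.
# Rejects anything with a scheme, path, port or whitespace.
is_domain() {
    case "$1" in
        ''|*://*|*/*|*:*|*' '*) return 1 ;;
    esac
    # ASCII letters, digits and hyphens, with at least one dot
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# build_certbot_cmd DOMAIN... -> prints the command line, or an error
# message on stderr and returns 1 if any input is unusable.
build_certbot_cmd() {
    [ "$#" -gt 0 ] || { echo "error: no domains given" >&2; return 1; }
    [ "$#" -le "$MAX_SANS" ] || {
        echo "error: $# names exceed the $MAX_SANS-name limit for one certificate" >&2
        return 1
    }
    cmd="sudo certbot certonly --manual"
    for name in "$@"; do
        if ! is_domain "$name"; then
            echo "error: '$name' is not a bare domain name (use e.g. -d example.com, no scheme or path)" >&2
            return 1
        fi
        cmd="$cmd -d $name"
    done
    printf '%s\n' "$cmd"
}

# list_sans CERT_PEM -> prints the DNS names an issued certificate actually
# covers, so you can confirm every -d name made it into the SAN list.
# (Not invoked below: it needs a real certificate file.)
list_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# Constructed example: three unrelated sites in one certificate
build_certbot_cmd example.com www.example.com example.net
# A URL is rejected with an explanation instead of being passed to certbot
build_certbot_cmd http://example.com/ || true
```

Run the printed command on the Mac or Pi; certbot --manual will then show the validation token for each name in turn, which you place on the corresponding web server before continuing. After the provider installs the certificate, `list_sans fullchain.pem` (assumed file name) shows whether all the domains you listed are covered.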
You ran “certbot …” rather than “sudo certbot …”, which would run it with root permissions. Can you try running again with “sudo” in front of the command (it will prompt for your password)?
I think we are there but I have a few quick follow up questions and I just wanted to check these things out with you.
These questions relate to the screenshots:
Do I have to provide an email address? I am quite happy to mark my calendar to remind myself and don’t need certbot to remind me.
My inbox is pretty full already. Is it worth me getting updates from the EFF? I would be happy to regularly check their website to see what the latest news is.
This is my biggest concern. I have always been told it is a very bad idea to share your IP address. Should I really be agreeing to share my IP address publicly? Anything I need to know before I go ahead and do this, or is it better avoided?
Thank you for helping me understand these last few technicalities.
Well. There are thousands of websites and other services that know your IP addresses. And there are only 4 billion IPv4 addresses, so anyone can guess yours plus or minus 2 billion. It's up to you whether associating your device's public IP address with your certificates is considered acceptable. It's unlikely to be an issue for most people, especially if your IP changes regularly anyway, but it is a consideration if you're a high-value target of some sort.
At the moment, while Let's Encrypt asks for permission to share your IP address, they do not yet do it.
As the thread you linked to clarifies, this warning appears when using manual mode because the IP address of (what might be) your personal computer gets logged by Let's Encrypt as the certificate requestor, and might potentially be published in the future as part of anti-fraud measures. When you are using Certbot or other clients directly on your web server, this warning doesn't appear because your web server will usually already be associated with its public address by the DNS.
Thank you to you all for replying to me and especially to you @schoen, for sticking with me and answering all my questions. This is a great help as you are helping me understand things with greater clarity.
Update
You would be right, I would be using my personal computer.
Am I correct in thinking that it could be a bad thing to have the IP of my personal computer logged and potentially made public?
Any thoughts on what the potential risks and dangers are?
Thanks again for your continued help and for helping me do everything correctly.
Having your IP address publicly disclosed is sometimes a risk in terms of being a target for DDoS attacks (if criminals dislike you and want to prevent you from using the Internet), in terms of people trying to hack your computer (though this isn’t the largest vector for hacking attempts today, as opposed to things like e-mail attachments), and in terms of web site operators being more easily able to identify you in their logs even if you don’t log in. It can also in some cases reveal your physical location (companies are trying to make databases that perform this mapping); if revealed regularly, it also has significant privacy consequences because people can tell when you were in place X as opposed to place Y, and when two particular people were or weren’t in the same location together. Those are the main risks that I’m aware of.
As discussed in the other thread, Let’s Encrypt currently doesn’t publish the IP addresses that certificates are requested from, but might decide to do so in the future to enable some kind of anti-fraud analysis and research to help people discover whether or how fake certificates are being requested. So the disclosure risk is also currently hypothetical, but may become real in the future.
Do you know if this service logs my I.P. address with a view to possibly making it public? It wasn’t mentioned as I went through the process so I am assuming it doesn’t.