How do I generate the Let's Encrypt certificate and key on my own device? [More info inside]

Hello Let’s Encrypt forum :slight_smile:

Background information

My current hosting provider told me they don’t support Let’s Encrypt, but if I download the Let’s Encrypt software and install it on my own device and generate a Let’s Encrypt certificate and its key, their SSL support team will install it for me.

Question

How do I install the Let’s Encrypt software on my own device?

Can anyone point me to the instructions for generating a certificate and its key please?

Additional info

I have a shared hosting plan with Namecheap.

Thanks in advance for your help and suggestions. :blush:

Hi @_1uke,

If you’re used to using a Unix command line, you can try using Certbot in manual mode.

If not, you might want to try the web client at

One thing to bear in mind is that you’ll need to repeat the process at least every 90 days, to replace the certificate when it expires.

Hello @schoen,

Thank you for the super quick and friendly reply.

I use a Mac and have access to a Raspberry Pi running Raspbian (which is an operating system based on Debian).

Would I be able to generate the certificate and key on either of these machines?

I have never done this process before so apologies if some of my questions seem a little obvious.

Thanks again for your time and help :slight_smile:

Hi @_1uke, it should work on either macOS or Raspbian. It’s better-tested on Linux-based operating systems like Raspbian, although some Raspberry Pi users have reported running out of memory when trying to install Certbot (I guess depending on the specs of their Pis).

Thanks again for replying to my questions @schoen

This is great news that I have a couple of options on how to generate the certificate and the keys.

Hopefully I can teach myself how to do this and then I can pass this information on to others.

Is there any documentation on how to generate the certificate and keys on both Mac and Raspbian? (I plan on trying both ways and seeing which one works best for me).

If you could point me to some instructions that would be really helpful, hopefully I can follow the instructions and get everything set up.

Thank you again for your help and support.

You can install Certbot using the instructions at

For generating the certificate, try running

certbot certonly --manual -d example.com -d www.example.com

(If you’re running certbot as ./certbot-auto, substitute ./certbot-auto in the command line here.)

The -d parameters should list all of the domains that you want to be covered by the certificate.


Thank you for providing me with all this information and help @schoen

I have a couple of websites that I run as a hobby. But they are not related to one another. They are separate projects.

When using certbot certonly --manual -d example.com -d www.example.com

do I list all the URLs in example.com, or do I need to run this command for each website?

I’m not 100% clear if it is OK to go ahead and list them all in a single certificate or if I need individual certificates as the websites are not related to each other.

Please note

I will be offline for the next 10 hours or so, but I will come back to pick up your reply.

I really appreciate the help and advice you have given me. Thank you!

Hi @_1uke,

When several sites are hosted on the same server, it can be useful to get a single certificate that covers all (or at least several) of those sites’ domains.

Whenever you run certbot certonly, you’ll get a single certificate. If you want that new certificate to cover several domains, all of those domains should be listed with -d parameters. If you want them instead to be covered by separate certificates, you’ll need to run certbot certonly several times.

I’m not using your terms “URL” or “website” because the domain is only one part of the web site. The certificate directly covers domain names, not web sites (for example, in https://www.example.com/foo and https://www.example.com/bar, the domain name is www.example.com).

To learn more about how web servers can host multiple HTTPS sites on the same IP address, you should read about server name indication (SNI) and subject alternative names (SAN). The -d parameters to a single Certbot command provide domain names that will be listed as SANs in the resulting certificate (up to a maximum of 100 names).

Hi @schoen,

I tried to generate a certificate and keys on both my Mac and on my Raspberry Pi, but I seem to be running into problems and I’m not sure what the issue is.

I was hoping you would take a look at the screenshots below and guide me in the right direction.

(Above screenshot from Mac)

(Above screenshot from Raspberry Pi)

Hi @_1uke, the command that you used is wrong in three ways:

  • -d takes a domain name, not a URL. Instead of -d http://example.com/, you should write -d example.com
  • -w has to point at the directory that your web server is serving pages out of…
  • … which is only applicable when your web server is running on the same computer as Certbot, which is not the case here, so --webroot can’t be used at all. Instead, you should be using --manual when getting the certificate on a separate computer from the web server.

An example might look something like

certbot certonly --manual -d example.com -d www.example.com

to get a certificate in this “manual” way to cover example.com and www.example.com.

For the Raspberry Pi case, I don’t remember if Certbot is available in the repositories or not, and it might be called by the older name of letsencrypt if it is. So you could try

  • sudo apt-get install certbot (without the -t jessie-backports)

and if that doesn’t work

  • sudo apt-get install letsencrypt

and if that doesn’t work, follow the example at https://certbot.eff.org/#pip-other, except with the --manual form that I mentioned above instead of --webroot.
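The two points made above (that -d takes bare domain names rather than URLs, and that every -d name ends up as a SAN in the single certificate that certbot certonly produces) can be checked from the command line. The following helpers are an added example written for this thread, not code from Certbot or Let’s Encrypt. They assume a POSIX shell and OpenSSL 1.1.1 or newer (for the -addext and -ext options); the certificate used in the demo is a constructed self-signed one, so no CA is contacted.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): helpers around the
# "certbot certonly --manual" workflow discussed above.
# Assumes OpenSSL 1.1.1+ on PATH.

# True only for a bare hostname: no scheme, no path, no port.
# "-d http://example.com/" is the mistake pointed out above.
is_domain() {
    printf '%s' "$1" \
        | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Build the certbot command line for a list of domains, one -d per name.
# It prints the command rather than running it, so it can be reviewed first;
# a bad name makes the function fail instead of producing a broken command.
build_certbot_cmd() {
    cmd="certbot certonly --manual"
    for d in "$@"; do
        is_domain "$d" || { echo "not a domain name: $d" >&2; return 1; }
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# Print the DNS names in the certificate's Subject Alternative Name extension,
# space separated, to confirm every -d name actually made it into the certificate.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | tr '\n' ' ' | sed 's/ $//'
}

# Succeed if the certificate is still valid N days from now. Let's Encrypt
# certificates last 90 days, so this is the check to run before deciding
# whether the manual process needs repeating.
cert_valid_in_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Constructed demo input: a self-signed certificate with the same two SANs the
# thread uses, valid for 90 days, written into the directory given as $1.
# Prints the certificate path.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    printf '%s\n' "$1/cert.pem"
}

# Stand-alone run: build the command, then inspect a demo certificate.
if [ "${DEMO:-1}" = 1 ]; then
    build_certbot_cmd example.com www.example.com
    dir=$(mktemp -d)
    cert=$(make_demo_cert "$dir")
    echo "SANs: $(cert_sans "$cert")"
    cert_valid_in_days "$cert" 30 && echo "still valid in 30 days"
    rm -rf "$dir"
fi
```

After a real run of certbot certonly --manual, the same cert_sans and cert_valid_in_days checks can be pointed at the issued fullchain.pem before handing it to the hosting provider, which catches a forgotten -d name or a near-expired certificate before it is installed.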

Hi @schoen,

Thanks again for continuing to support me and help me get this figured out.

I feel like we are making progress but I keep seeming to stumble at these last few challenges.

I just ran the script that you prompted me to run but it is returning an error again.

Please could you take a look and let me know what the problem is. (See image below).

Hopefully we will have this figured out soon :slight_smile:

Thanks again for helping me work this out :blush:

You ran “certbot …” rather than “sudo certbot …”, which would run it with root permissions. Can you try running again with “sudo” in front of the command? (It will prompt for your password.)

Thanks for getting back to me @serverco and @schoen

I think we are there but I have a few quick follow up questions and I just wanted to check these things out with you.

These questions relate to the screenshots:

  1. Do I have to provide an email address? I am quite happy to mark my calendar to remind myself and don’t need certbot to remind me.

  2. My inbox is pretty full already; is it worth me getting updates from the EFF? I would be happy to regularly check their website to see what the latest news is.

  3. This is my biggest concern: I have always been told it is a very bad idea to share your IP address. Should I really be agreeing to share my IP address publicly? Anything I need to know before I go ahead and do this, or is it better avoided?

Thank you for helping me understand these last few technicalities :slight_smile:

No. :slight_smile:

Well. There are thousands of websites and other services that know your IP addresses. And there are only 4 billion IPv4 addresses, so anyone can guess yours plus or minus 2 billion. :stuck_out_tongue_winking_eye: It's up to you whether associating your device's public IP address with your certificates is considered acceptable. It's unlikely to be an issue for most people, especially if your IP changes regularly anyway, but it is a consideration if you're a high-value target of some sort.

At the moment, while Let's Encrypt asks for permission to share your IP address, they do not yet do it.

As the thread you linked to clarifies, this warning appears when using manual mode because the IP address of (what might be) your personal computer gets logged by Let's Encrypt as the certificate requestor, and might potentially be published in the future as part of anti-fraud measures. When you are using Certbot or other clients directly on your web server, this warning doesn't appear because your web server will usually already be associated with its public address by the DNS.

Hello

Thank you to you all for replying to me and especially to you @schoen, for sticking with me and answering all my questions. This is a great help as you are helping me understand things with greater clarity.

Update

You would be right, I would be using my personal computer.

Am I correct in thinking that it could be a bad thing to have the IP of my personal computer logged and potentially made public?

Any thoughts on what the potential risks and dangers are?

Thanks again for your continued help and helping me do everything correctly :slight_smile:

Hi @_1uke,

Having your IP address publicly disclosed is sometimes a risk in terms of being a target for DDoS attacks (if criminals dislike you and want to prevent you from using the Internet), in terms of people trying to hack your computer (though this isn’t the largest vector for hacking attempts today, as opposed to things like e-mail attachments), and in terms of web site operators being more easily able to identify you in their logs even if you don’t log in. It can also in some cases reveal your physical location (companies are trying to make databases that perform this mapping); if revealed regularly, it also has significant privacy consequences because people can tell when you were in place X as opposed to place Y, and when two particular people were or weren’t in the same location together. Those are the main risks that I’m aware of.

As discussed in the other thread, Let’s Encrypt currently doesn’t publish the IP addresses that certificates are requested from, but might decide to do so in the future to enable some kind of anti-fraud analysis and research to help people discover whether or how fake certificates are being requested. So the disclosure risk is also currently hypothetical, but may become real in the future.

@schoen, thanks again for helping me understand what is happening and how it could possibly impact me.

I ended up using https://zerossl.com/ to generate my certificate.

Do you know if this service logs my IP address with a view to possibly making it public? It wasn’t mentioned as I went through the process, so I am assuming it doesn’t.

Anything else I should know about zerossl.com ?