Looking for FAQs

Does Let's Encrypt support certificate issuance for IPv6 and Legacy (IPv4) IP space?

3 Likes

What is HTTPS?
Why should I use HTTPS?

4 Likes
  • I deleted my certificate after hitting a rate limit; can you send me the certificate (and private key)?
5 Likes
  • I got a message that I successfully renewed my certificate; why is my site still showing the old one!
  • I got an e-mail from Let's Encrypt saying that my certificate was going to expire, but I thought it was renewing automatically (or, I thought I renewed it already) (or, my site is showing a newer certificate than the one the warning refers to); what's wrong?
4 Likes

I can login to a root shell on my machine (yes or no, or I don't know): yes? I'm not sure what root shell means.

2 Likes

How do I enable auto renewal (.well-known\acme-challenge) on a .NET / .NET Core site?

Excellent solution at https://medium.com/@xabaras/fixing-lets-encrypt-certificates-renewal-in-net-core-ad2efa10567e from Paolo Montalto.

After searching for days, found this and it just works!!

2 Likes

How do I get Let's Encrypt certificates with Certbot on AWS (Elastic Beanstalk single instance)?

man - this is tough. It seems to change often.

I followed many instructions over many days then unearthed this tucked away in the AWS doco:

This worked on 20 December 2020:

==============================
Complete the following procedures before you install Certbot.

ssh in as ec2-user

  1. Download the Extra Packages for Enterprise Linux (EPEL) 7 repository packages. These are required to supply dependencies needed by Certbot.

a. Navigate to your home directory (/home/ec2-user). Download EPEL with the following command.
sudo wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/

b. Install the repository packages as shown in the following command.
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
c. Enable EPEL as shown in the following command.
sudo yum-config-manager --enable epel

You can confirm that EPEL is enabled with the following command. It should return information similar to the following.
sudo yum repolist all

...
epel/x86_64 Extra Packages for Enterprise Linux 7 - x86_64 enabled: 12949+175
epel-debuginfo/x86_64 Extra Packages for Enterprise Linux 7 - x86_64 - Debug enabled: 2890
epel-source/x86_64 Extra Packages for Enterprise Linux 7 - x86_64 - Source enabled: 0
epel-testing/x86_64 Extra Packages for Enterprise Linux 7 - Testing - x86_64 enabled: 778+12
epel-testing-debuginfo/x86_64 Extra Packages for Enterprise Linux 7 - Testing - x86_64 - Debug enabled: 107
epel-testing-source/x86_64 Extra Packages for Enterprise Linux 7 - Testing - x86_64 - Source enabled: 0
...
paste https.conf to /etc/nginx/conf.d (might also need an ebs doc)

depending on certificates - might need to edit stuff

Restart Nginx Service

sudo systemctl restart nginx #systemd

Install and run Certbot

This procedure is based on the EFF documentation for installing Certbot on Fedora and on RHEL 7. It describes the default use of Certbot, resulting in a certificate based on a 2048-bit RSA key.

  1. Install Certbot packages and dependencies using the following command.

sudo yum install -y certbot python2-certbot-nginx

  2. Run Certbot.

sudo certbot

  3. At the prompt "Enter email address (used for urgent renewal and security notices)," enter a contact address and press Enter.

  4. Agree to the Let's Encrypt Terms of Service at the prompt. Enter "A" and press Enter to proceed.

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
(A)gree/(C)ancel: A

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
name
name

then cron job ==> back up - perhaps to s3
then renew (I direct o/p to a log file with a date stamp so I am sure it happened)

13 1 * * 0 root date >> /var/log/mylogdir/mylog.log && certbot renew --no-self-upgrade >> /var/log/mylogdir/mylog.log && printf "\n= = = = =\n\n\n" >> /var/log/mylogdir/mylog.log

2 Likes
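An added example, not from this thread nor from the AWS or EFF documentation: a cron-friendly wrapper around `certbot renew` that date-stamps its log, reloads nginx only when a certificate was actually renewed, and records whether the certificate nginx serves matches the one on disk (the "renewed, but my site still shows the old one" case). The log directory, hostname and certificate path are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from this thread, AWS or EFF docs): wrap "certbot renew"
# so each cron run is date-stamped and the log records whether the certificate
# nginx serves matches the one on disk. Paths and domain are assumed placeholders.

LOG_DIR="${LOG_DIR:-/var/log/mylogdir}"   # assumed, matches the cron line above
DOMAIN="${DOMAIN:-example.com}"           # placeholder hostname
LIVE_CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"   # default certbot layout

# One log file per day, so a run is easy to find afterwards.
log_file_for() {            # $1 = YYYY-MM-DD
    printf '%s/renew-%s.log\n' "$LOG_DIR" "$1"
}

# SHA-256 fingerprint of a PEM certificate file.
fingerprint_of_file() {     # $1 = path to PEM
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate actually presented on $1:443 (SNI = $1).
fingerprint_served() {      # $1 = hostname
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Prints MATCH (exit 0) or MISMATCH (exit 1); empty input never matches,
# so a failed openssl call cannot be mistaken for success.
compare_fingerprints() {    # $1 = on disk, $2 = served
    if [ -n "$1" ] && [ "$1" = "$2" ]; then echo MATCH; return 0; fi
    echo MISMATCH; return 1
}

renew_and_verify() {
    mkdir -p "$LOG_DIR"
    {
        echo "=== $(date -u +%FT%TZ) certbot renew start"
        # --deploy-hook runs only when a certificate was actually renewed.
        certbot renew --no-self-upgrade --deploy-hook 'systemctl reload nginx'
        disk="$(fingerprint_of_file "$LIVE_CERT")"
        live="$(fingerprint_served "$DOMAIN")"
        echo "on disk: $disk"
        echo "served : $live"
        compare_fingerprints "$disk" "$live"
        echo "=== $(date -u +%FT%TZ) done"
    } >>"$(log_file_for "$(date +%F)")" 2>&1
}

# Cron invokes this with the word "run"; without it only functions are defined.
if [ "${1:-}" = "run" ]; then renew_and_verify; fi
```

Invoke it from /etc/crontab in place of the one-liner above, e.g. `13 1 * * 0 root /usr/local/sbin/renew-and-verify.sh run`; a MISMATCH line in the day's log means the renewal happened but nginx is still presenting the old certificate.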

Actually we could probably add a lot of things along these lines for the various cloud providers, like

  • Certificate on the load balancer / CDN vs. Certificate on the back-end server, and where to get one, the other, or both. (For instance some cloud providers will give you one for the front-end they control for free, and could use their own private CA to secure the connection from there to your back-end, so there are use cases where one can use Let's Encrypt but there might be easier options.)

  • As just suggested, include tutorials for specific providers and configurations. I don't know if this should be linking to external resources that have been vetted in some way, or writing our own, or if either of those options is sustainable over the long-run as there are a lot of cloud providers and they of course keep updating things and adding new features.

  • But in particular, I think the AWS "just give me a Wordpress server" uses Bitnami, and that's often caused confusion around here, so some specific instructions for Bitnami/Lightsail/Wordpress might be helpful.

  • And maybe this needs to be part of some bigger checklist/wizard/flowchart type thing, since "I want to host a server on my home ISP" and "I want to host a server on a major cloud provider" have some level of overlap but there may be different questions one wants to bring to the forefront first.

Just doing a bit of brainstorming; this post isn't as coherent or specific as some of my past ones in this thread I suspect.

3 Likes

That's a fact of life for thinkers - great ideas rarely develop in a flash of brilliance. Sometimes we have to muddle about until clarity bites us in the bum.

Perhaps a link to (moderated) forums with a stream for each supplier - sort of like the DD-WRT forums ??
AWS
Azure
Google
???
etc.

2 Likes

One thing I STRONGLY recommend for FAQ (and most other online docs) is to include a date as to when it worked / was current.

AND preferably an edit when it is superseded. It is so frustrating to follow an "official" guide only to find it was superseded some time ago.

3 Likes

What's the difference between a certificate issued by Let's Encrypt and a certificate issued by another CA?

Is one certificate stronger/faster/better than the other?

3 Likes

"These free Let's Encrypt certificates are probably less secure than those I've paid enormous amounts of money for, right? RIGHT?!?"

Or:

"Does Let's Encrypt offer insurance for their certificates? Why not?"

3 Likes

Well, another thing to put in the “When won't a Let's Encrypt certificate be suitable for me?” entry, is “My business needs a better support SLA than ‘post on community forums and hope some volunteer answers quickly and accurately’”. A good description of that with paid CAs you're paying for support rather than paying for anything different with validation or security might be useful.

3 Likes

I would be willing to argue that our community's support is often better than what a lot of paid companies offer. :muscle:

3 Likes

Sure, it's about as valuable as a tiger-repelling rock.

4 Likes

I certainly won't disagree with you on that point, I'm just saying that some companies will have "I can call tech support at 2 in the morning and get a human to answer the phone and work with me" as a requirement (whether that's what they actually need or not), and if that's a requirement for you then Let's Encrypt may not be the CA for you (or at least, you may want to establish a support contract with somebody else even if that somebody else is going to be directing you in how to use Let's Encrypt's services).

3 Likes
  • I'm working on testing my integration with Let's Encrypt; do you have a testing environment for me to use? (Though again, this one is a "FAQ" in the sense of "Questions that ought to be asked much more often than they are".)
3 Likes

I would advise something like:

  • LetsEncrypt and Certbot are not designed for ephemeral server instances. If you plan on repeatedly creating/replacing or scaling cloud servers, you should deploy solution(s) that preserve the Certificates.
3 Likes

This is probably the first thing that should appear in nearly every help guide/FAQ (screw alphabetical order for this :grinning:). If it were the first thing someone sees, it could save many of those "I've hit a limit" and "It fails and I don't know why" (because they've hit the limit).

3 Likes

Of course, if clients defaulted to using the staging environment, the problem would be avoided, or at least minimized--but I guess that ship has sailed.

2 Likes