Wanna Try Letscrypt on my Server

Hello,

I am interested of installing letsencrypt certificate on my website and make it https but, I would like to ask for some help with some questions I have that are the following:

  1. Is there a stepy by step tutorial to install this certificate on server?

  2. I been reading on community and it seems certificates have a life of 90 days what happens when this expires how can I set up a cron job on server or something to renew it automatically?

  3. Anything else I should be aware before installing certificate?

  4. My server is a CENTOS 6.7 x86_64 using Apache is this SO valid to use this? Since I seen OS and Browsers you accept and it seems for Linux is only Debian and Ubuntu, is this for servers too? CentOS is not a valid one?

Thanks,

Codeman

  1. The documentation for the official client is here https://letsencrypt.readthedocs.org/en/latest/

  2. The official client now has a renew option that will renew when the cert has less than 30 days remaining. You can test this with the --dry-run flag

  3. The current rate limit is 5 certs per domain per 7 days. Do testing with the --staging flag 1st to avoid this (those certs will not be trusted)

  4. That list is the browsers that include the root cert IndenTrust used to cross sign the intermediary certs. The official client runs on anything with python installed.

Hello Cool110,

First of all thanks for the fast reply, I am sorry to sound like a rookie but, for me is the first time I am installing a SSL Certificate on my server / domain so, I even the userguide and documentation seem pretty complete is there any step by step video tutorial showing it how to set it up? or how to set it up on cpanel also?

Also one more question

Also about certificates just some more questions that are the following:

a) What is the Issuance Time?
b) Is there any browser that do not recognize ssl certificates?
c) What is the Underwritten warranty?
d) Does it has Strong SGC Security? and IP Address Support?
e)Does it Activates green address bar?
f) Is it Mobile Device Compatibility?
g) Does it Activates Browser Padlock?
h) Does it works on all shopping cart software? and does it works on works on both www and non-www domains?

Thanks again for the help!

1 Like

a) What is the Issuance Time?

I assume you mean how long does it take to obtain and install a certificate. It does depend slightly on the method used ( http / dns ) and on the number of domains on a certificate. For me I'd say it's typically under 1 minute.

b) Is there any browser that do not recognize ssl certificates?

Generally all browsers recognise LE certificates ( I assume the questions was about LE certs not just ssl certs in general) - see FAQs

c) What is the Underwritten warranty?

as far as I'm aware there isn't an underwritten warranty. It sounds as if you want a free certificate plus them to pay you if you mess up something on the install !

d) Does it has Strong SGC Security? and IP Address Support?

Server-Gated Cryptography (SGC), is a defunct mechanism that was used to step up from 40-bit or 56-bit to 128-bit cipher suites with SSL. I wouldn't suggest using anything so low in security.

Certificates are not issued for IP addresses, only domain names.

e)Does it Activates green address bar?

Yes the padlock goes green (assuming you have a browser that does so of course) if you have the rest of the configuration correct

f) Is it Mobile Device Compatibility?

I'm not sure how this question is different to Browser compatibility. The general answer is Yes ( again see the FAQ's and other documentation for the detail of some of the older browsers on different devices)

g) Does it Activates Browser Padlock?

I'm not sure what you mean on this different to your question e) - yes you get a padlock, that's green if you have the rest of your configuration correct. Have a look at the certificate on https://serverco.com/ if you want to look at the browser response to a typical user installed certificate.

h) Does it works on all shopping cart software? and does it works on works on both www and non-www domains?

The first part here is more a question for shopping carts than the certificate. If the shoppinng cart works with standard SSL certificates then Yes it will work with a LetsEncrypt certificate. And yes, if you configure it for both www and non-www traffic it will work for both.

If you want an independent assessment of an SSL installed on one of my domains to my standard configs, see SSL Server Test (Powered by Qualys SSL Labs)

I point you to this topics Which browsers and operating systems support Let's Encrypt and Let's Encrypt intermediate not accepted by Chrome and IE8 on Windows XP · Issue #1660 · certbot/certbot · GitHub

In summary, It currently do not work with IE and chrome on windows XP cause the name-constrain on the cross-signed certificate made by IdenTrust is confusing windows XP.

If by this you mean the green padlock, as @serverco understands, then he has already answered your question. If instead you mean the green bar with the name of the entity to which the certificate was issued (as seen with, e.g., paypal.com), no, that's something you'll only see with EV certificates, which LetsEncrypt doesn't (and won't, AFAIK) issue.

It works on whatever hostnames you tell it to use, that you can prove you own. If somedomain.tld and www.somedomain.tld both belong to you, resolve to the same host, and you want them to be on the same certificate, that's easy to do.

1 Like

@serverco

Thanks a lot for answering my questions, is exactly what I wanted to know, just one question on question “d” since you say SGC is a denfuct mechanism what is used by letscrypt? just to know

Also is there any video tutorials to letscrypt? Since is my first time and I don’t really understand how to install this. My server is Apache, Cpanel and CENTOS 6.7

Thanks again

@Nit Awesome info man, just one thing is there any good video tutorial to help me install letscrypt on my domain?

Thanks!

@danb35

Yes this is exactly what I mean, so it will show like on this site enter link description here that shows the lock right?

Also how you redirected all http to https is this done on htaccess?

Thanks!

Yes, you should see the lock. The redirect from http to https should happen in your web server’s config file, but .htaccess might be able to do it as well.

1 Like

Hi serverco

I am trying to get letsencrypt up on my site but I have been getting an error when I try to create my certs. I have been following the step by step that lets encrypt provides but when I run:
./letsencrypt-auto --help
I cant seem to make it to the part where I input my sites information.

This is the error I am getting:
ldconfig deferred processing now taking place
Processing triggers for python-support …
Checking for new version…
Creating virtual environment…
Traceback (most recent call last):
File “/home/chadd/.local/share/letsencrypt/lib/python2.7/site.py”, line 67, in
import os
File “/home/chadd/.local/share/letsencrypt/lib/python2.7/os.py”, line 49, in
import posixpath as path
File “/home/chadd/.local/share/letsencrypt/lib/python2.7/posixpath.py”, line 17, in
import warnings
ImportError: No module named warnings

I would very much appreciate your help in this. We are using an nginx server and any help would be hugely appreciated

what operating system and version are you on ?

I am using linux and ubunto

There looks to be an issue between the python virtualenv on your system, and the one used by the official letsencrypt client. As you haven’t obtained any certificates yet I’d suggest removing the .local/share/letsencrypt folder, and letsencrypt and try reinstalling.

I don’t personally use the official LE client, so someone else will need to help with the finer details there I’m afraid.

Hello,

I managed to install letscrypt on my server and seems to be working the only thing that I am missing is the cronjob so it renews certificate every 60 days for what I read this is the command:

[quote]
0 0 */60 * * /root/.local/share/letsencrypt/bin/letsencrypt --text certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com; /root/installssl.pl domain.com[/quote]

is this correct? and I should replace cpanel path to my path to public_html and change domain.com to my domain correct?

Please confirm if this is correct thanks!

I seem to manage to install cronjob to renew certificate but, for some reason is renewing it every day instado of every 60 days, is that a problem?

Thanks!

In short, yes.

There is a limit of 5 certs per 7 days, so you need to correct your ( and remove the renew-by-default) otherwise you will soon end up being blocked and not able to renew.

Hey serverco,

then how I do this?

Because I don’t understand why this happens since I have set up cronjob how is shown on this tutorial

https://forums.cpanel.net/threads/how-to-installing-ssl-from-lets-encrypt.513621/

This is cronjob set up on server:

0 0 */60 * * /root/.local/share/letsencrypt/bin/letsencrypt --text
certonly --renew-by-default --webroot --webroot-path
/home/myuser/public_html/ $

Also what you mean with (remove the renew-by-default) can you please let me know how to do this? my server is apache and CentOS 6.x

Thanks

I don’t use the official client, so hopefully someone else can give you a detailed answer. I can just see several thing wrong with your cron there though.

looking at this thread on renewal you should be able to just do a “letsencrypt renew” if you have the latest version of the official letsencrypt client.

Looking at what you have passed you have used the argument “–renew-by-default” which will renew irrespective of how long the current certificate has left. You need to remove that parameter from your command.

The third variable of the cron ( *60 in your case ) - is the day of the month. Since there are less than 31 days in a month, the value you have there is invalid. Hence it’s running at midnight every day and getting a new cert.

Hello, is working perfectly it seems I was mistaking and the update of certificate was becahse cronjob run for the first time.

I have to say I love it and works like a charm.

Just one question there is any expiration date on the certificates or this will be renewing every 60 days forever?

Thanks