jason @ he

Let's Encrypt

Preparing

Let's Encrypt requires a few preparations for it to work.

Install A Self-Signed Certificate

An attempt to install an LE certificate will be made if the current certificate is untrusted or is near its expiration. Install a self-signed certificate to make your site's certificate untrusted and hence kick off the Let's Encrypt process the following morning around 5am Pacific time.

Managing Certs In admin.he.net

Log into https://admin.he.net and select the Manage Secure Certificates command.

The Manage Secure Certificates command in admin.he.net.

Generate a Certificate Signing Request (CSR) by filling out the form and pressing the generate button.

The form to fill out to generate a Certificate Signing Request.

The CSR will appear at the bottom of the page. Here is my CSR.

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Go to the tab labeled "Step 2: Install Self-Signed Certificate" and press install now.

Install the self-signed certificate so that Let's Encrypt will attempt to generate and install a valid certificate the next morning around 5AM.

Copy the CSR to the Server

Let's Encrypt looks for a CSR in ~/.certs/. Go back to "Step 1" of manage secure certificates on admin.he.net. Copy the entire CSR including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- and save it to a file called www.example.com.csr in ~/.certs/, where www.example.com is your domain. If the .certs folder doesn't exist, make it.

The domain name in the file name must have a subdomain. If it does not, add www. The CSR for this site was named blog.jschmedes.corp.he.net.csr. If it were for he.net the correct file would be www.he.net.csr with www as the subdomain.

The `ls` command shows the files that are in ~/.certs/, which is blog.jschmedes.corp.he.net.csr, the CSR for this domain. `cat` outputs its contents: the CSR generated in the first step.

An Important Note!

A CSR has a corresponding private key, which is created when the CSR is generated. The CSR in the ~/.certs/ folder must be the counterpart to the private key on the server. If at any time during the process a new CSR is generated, then that new CSR must be placed in the ~/.certs/ folder. Otherwise the CSR won't match the private key and the certificate installation will fail with a MISMATCH error.
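The two steps above (naming the file so it carries a subdomain, and making sure the copied CSR is complete) are easy to get wrong when pasting by hand. The script below is an added example written for this article, not a tool provided by Hurricane Electric: it derives the file name the way the text describes, refuses a file that is missing either PEM marker, copies it into ~/.certs/, and, when openssl is installed, prints the request's subject so you can compare the CN with the domain you typed. The ~/.certs location and the www rule come from the article; the two-label assumption in the comment is mine.

```shell
#!/bin/sh
# Added example (not from the original article): save the CSR copied from
# admin.he.net into ~/.certs/ under the file name Let's Encrypt expects, and
# sanity-check the file before the 5am run. openssl is optional.

CERT_DIR="${CERT_DIR:-$HOME/.certs}"

# Build the expected file name: the domain must carry a subdomain, so a bare
# two-label name such as he.net becomes www.he.net.csr. Assumption: a name
# with exactly two labels is bare; registries like co.uk are not special-cased.
csr_filename() {
    domain="$1"
    labels=$(printf '%s\n' "$domain" | awk -F. '{print NF}')
    if [ "$labels" -lt 3 ]; then
        domain="www.$domain"
    fi
    printf '%s.csr' "$domain"
}

# A complete PEM request starts with the BEGIN marker and ends with the END
# marker; a CSR pasted without one of them is the usual copy mistake.
csr_pem_complete() {
    file="$1"
    [ "$(head -n 1 "$file")" = "-----BEGIN CERTIFICATE REQUEST-----" ] &&
    [ "$(tail -n 1 "$file")" = "-----END CERTIFICATE REQUEST-----" ]
}

# Copy the pasted CSR into the certs folder under the derived name and show
# its subject so the CN can be checked against the domain.
install_csr() {
    domain="$1"; src="$2"
    csr_pem_complete "$src" || { echo "$src is not a complete PEM request" >&2; return 1; }
    mkdir -p "$CERT_DIR"
    dest="$CERT_DIR/$(csr_filename "$domain")"
    cp "$src" "$dest"
    echo "installed $dest"
    if command -v openssl >/dev/null 2>&1; then
        openssl req -in "$dest" -noout -subject 2>/dev/null ||
            echo "warning: openssl could not parse $dest" >&2
    fi
    return 0
}

# Usage: sh install-csr.sh blog.jschmedes.corp.he.net pasted.csr
if [ $# -eq 2 ]; then
    install_csr "$1" "$2"
fi
```

Run it once with the domain and the file you pasted the CSR into; if the printed subject's CN does not match the domain, generate the CSR again in admin.he.net and rerun so the file in ~/.certs/ stays the counterpart of the key on the server.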

Check Access To /.well-known/

After it has been determined the site needs a new certificate and the appropriate certificate signing request has been found in ~/.certs/, Let's Encrypt will need to verify ownership of the domain by checking for a secret in <http://www.example.com/.well-known/>.

The /.well-known/ folder is described in RFC 5785. It is a location to store metadata about a website. URL rewriting and access control can interfere with access to /.well-known/, preventing applications that use it, like Let's Encrypt, from working.

Make sure that Let's Encrypt can access that part of your site by placing a file in ~/public_html/.well-known/ and trying to view that file.

For example, to test this site I made a TXT file with the contents "Hello World" and put it in ~/public_html/.well-known/hello-world.txt. Then I went to http://tools.jschmedes.corp.he.net/blog/.well-known/hello-world.txt. The website displayed "Hello World" so access to the .well-known folder isn't blocked or redirected.

http://tools.jschmedes.corp.he.net/blog/.well-known/hello-world.txt shows "Hello World" and not an error.

If instead of "Hello World" I saw an error page or a blank page then Let's Encrypt won't be able to reach it either and the certificate will not be installed.

More often than not an Apache rewrite rule in .htaccess is preventing access to .well-known. Adding this rule before all other rewrite rules will allow the test to pass:

# Pass /.well-known/ requests through untouched; keep this before any other rewrite rules
RewriteRule ^\.well-known/ - [L,NC]

The certificate will be valid for secondary domains as well, but if any of the secondary domains cannot be verified no certificate will be installed. So this step needs to be repeated for each of the secondary domains on the account to make sure their /.well-known/ paths aren't blocked either.
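Repeating the "Hello World" test by hand for every domain on the account is tedious, and a redirect is easy to miss in a browser because it follows it silently. The script below is an added example written for this article, not part of Hurricane Electric's tooling: for each domain given on the command line it drops a uniquely named token file into ~/public_html/.well-known/, fetches it over plain HTTP without following redirects, and accepts only a 200 whose body is exactly the token. Any 3xx, 403, 404 or substituted page is reported as a failure, and because one failing domain blocks the whole certificate the script exits non-zero if any domain fails. The webroot path is the article's; curl being installed is my assumption.

```shell
#!/bin/sh
# Added example (not from the original article): probe /.well-known/ on each
# domain the way the article describes and report any domain that would make
# the Let's Encrypt check fail. Assumes the webroot is ~/public_html and curl
# is available.

WEBROOT="${WEBROOT:-$HOME/public_html}"

# Only a plain 200 whose body equals the token counts as reachable.
# Redirects (3xx), 403/404 and rewritten "coming soon" pages all fail.
probe_ok() {
    status="$1"; body="$2"; expected="$3"
    [ "$status" = "200" ] && [ "$body" = "$expected" ]
}

# Place a token file under .well-known/ and fetch it over HTTP without -L,
# so a redirect shows up as its 3xx status instead of being followed.
check_well_known() {
    domain="$1"
    token="he-well-known-test-$$"            # constructed, unique per run
    mkdir -p "$WEBROOT/.well-known"
    printf '%s' "$token" > "$WEBROOT/.well-known/$token.txt"
    tmp=$(mktemp)
    url="http://$domain/.well-known/$token.txt"
    status=$(curl -s --max-time 15 -o "$tmp" -w '%{http_code}' "$url" || true)
    body=$(cat "$tmp")
    rm -f "$tmp" "$WEBROOT/.well-known/$token.txt"
    if probe_ok "$status" "$body" "$token"; then
        echo "OK      $domain"
        return 0
    fi
    echo "FAILED  $domain (HTTP ${status:-000}; check .htaccess rewrites and access rules)"
    return 1
}

# Check every domain on the account; a single failure means no certificate.
check_all() {
    failed=0
    for d in "$@"; do
        check_well_known "$d" || failed=1
    done
    return $failed
}

# Usage: sh check-well-known.sh blog.jschmedes.corp.he.net www.example.com
if [ $# -gt 0 ]; then
    check_all "$@"
fi
```

Run it with the primary domain and every secondary domain on the account before the 5am run, and again whenever a domain is added, since the article notes that a new secondary domain can break renewal for all of them.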

An Important Note!

Secondary domains can cause the certificate installation to fail resulting in all domains not having a valid certificate. Always verify that secondary domains added to the account don't interfere with requests for /.well-known/.

Checking For Success

If all goes according to plan, after following the steps above the certificate will be installed the next morning around 5AM Pacific time. Clear your browser cache and go to your website using https://. The certificate should be a new and valid Let's Encrypt certificate.

Renewal

The certificate will automatically renew itself about two weeks before expiring. Changing the domains on the account or accidentally redirecting requests for /.well-known/ can cause the certificate renewal to fail.

The first expiration or two should be monitored to make sure the certificate renewal happens. If an LE certificate is set to expire in less than a week, there may be something preventing it from renewing.

HTTPS:// Doesn't Show The Site

You might expect to see your website when using https://, but instead see a template about a website coming soon. Check out the article about the webroot at https://tools.jschmedes.corp.he.net/blog/articles/basic/the-server-20190204.html#webroot to learn ways to make your site available over https://.
