Let’s Encrypt in manual mode

SSL and TLS are cryptographic protocols designed to provide a secure connection between a web client and a web server. On the server side this is enabled by installing an SSL/TLS certificate. The certificate contains the server's public key and additional information such as the issuer, the purposes the certificate may be used for, and other metadata. The certificate is signed by a certificate authority (CA) using the CA's private key; that signature is what lets a client verify the certificate's authenticity. The secure connection between client and server is then established over the HTTPS protocol.

Let's Encrypt is a CA. To get a certificate for your website's domain from Let's Encrypt, you have to demonstrate control over that domain. If you don't have shell (SSH) access to your web host, you can run the Certbot client on your own computer in so-called manual mode. In manual mode you upload a specific file to your website to prove your control; Certbot then retrieves a certificate that you can upload to your hosting provider. Example:

certbot certonly --manual --preferred-challenges=http --email admin@domain.com --agree-tos -d domain.com

When you run the command above, Certbot asks you to place a specific file on your website to prove ownership. Once that is verified you receive your private key (privkey.pem) and the chain/bundle (fullchain.pem). The chain file contains your certificate. To decode a certificate file (here named certificate.crt) you can type

openssl x509 -in certificate.crt -text -noout

or use a tool such as an online certificate decoder.

Now you need to send those files to your website administrator to make HTTPS work. The downside of this method is that it is time-consuming, and you will need to repeat it several times a year, because the certificate expires every 90 days.
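The "specific file" Certbot asks for in manual mode is an ACME HTTP-01 challenge response (RFC 8555): a file served at /.well-known/acme-challenge/<token> whose body is the token, a ".", and the RFC 7638 thumbprint of your ACME account key. Certbot prints that body for you, but fetching the file from the public internet before telling Certbot to continue catches the common failures (file uploaded to the wrong place, or altered by an editor or FTP client). The added example below is not from the post or from Certbot and goes beyond the post by deriving the file body itself; the token, account key and domain are constructed placeholders.

```python
import base64
import hashlib
import json
import urllib.request

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: SHA-256 over the JSON of the
    required members only, sorted, no whitespace. Extra members such as
    "kid" or "alg" must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    if jwk.get("kty") not in required:
        raise ValueError(f"unsupported key type: {jwk.get('kty')!r}")
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def challenge_file_ok(served: bytes, token: str, jwk: dict) -> bool:
    """True if what the web host actually serves matches the key authorization.
    RFC 8555 lets the CA ignore trailing whitespace, so a final newline added
    by an editor or FTP client is tolerated; anything else is a mismatch."""
    try:
        body = served.decode("ascii")
    except UnicodeDecodeError:
        return False
    return body.rstrip() == key_authorization(token, jwk)

def served_bytes(domain: str, token: str) -> bytes:
    """Fetch the challenge URL over plain HTTP on port 80, as the CA does
    (urllib follows redirects, and so does the ACME validator)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()

# Constructed placeholders, not a real token or account key: in practice the
# token comes from the running Certbot session and the key is your ACME account key.
SAMPLE_TOKEN = "CONSTRUCTED-TOKEN-0123456789"
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "CONSTRUCTED-MODULUS-NOT-A-REAL-KEY", "kid": "demo"}
```

With a real domain and token, `challenge_file_ok(served_bytes(domain, token), token, jwk)` tells you whether the file is reachable and byte-correct before you press Enter in Certbot.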
