
Let’s Encrypt in manual mode

SSL and TLS are cryptographic protocols designed to provide a secure connection between a web client and a web server. This security is achieved by installing an SSL/TLS certificate on the web server. The certificate contains the public key and additional information such as the issuer, what the cert is supposed to be used for, and other types of metadata. The certificate is signed by a certificate authority (CA) using the CA’s private key, which verifies the authenticity of the certificate. The secure connection between client and server is established over the HTTPS protocol.

Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. If you don’t have shell access (SSH access) to your web host, you can use the Certbot software on your own computer in so-called manual mode. In manual mode, you upload a specific file to your website to prove your control. Certbot will then retrieve a cert that you can upload to your hosting provider. Example:

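certbot certonly --manual --preferred-challenges=http --email YOUR_EMAIL --agree-tos -d YOUR_DOMAIN

Here YOUR_EMAIL and YOUR_DOMAIN are placeholders for your own email address and domain. When you run the command above, Certbot will ask you to put a specific file on your website to prove ownership. After it is verified, you will get the following files: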

  • privkey.pem, which is the “key” file
  • fullchain.pem, which is the “crt” file
  • cert.pem, which contains only the certificate and is combined with chain.pem to form fullchain.pem
  • chain.pem, which is the intermediate authority’s certificate, signed by the root authority – the root is what all browsers are guaranteed to have in their pre-built cache.

You can also build bundle.pem (the full chain followed by the private key) by issuing

cat fullchain.pem privkey.pem > bundle.pem

To decode your cert you can type

openssl x509 -in file.pem -text -noout

or use a tool such as Online Decoder.

Now you need to send those files to your website administrator to make HTTPS work. The downside of this method is that it is time-consuming, and you will need to repeat it several times per year, as your cert expires every 90 days.
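Before handing the files over, it is worth confirming that privkey.pem really belongs to cert.pem, that the cert is not close to expiry, and that bundle.pem (which contains the private key) is readable only by you. The script below is an added example, not part of the original post or of Certbot; the function names are hypothetical, and make_sample builds a constructed throwaway CA and cert so the checks can be tried offline.

```shell
#!/bin/sh
# Added example: sanity checks for certbot's output files (names are hypothetical).

# Succeeds when the private key belongs to the certificate (same public key).
key_matches_cert() {  # usage: key_matches_cert cert.pem privkey.pem
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid N days from now.
valid_for_days() {  # usage: valid_for_days cert.pem N
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Builds bundle.pem as the page does, but readable by the owner only,
# because the bundle contains the private key.
make_bundle() {  # usage: make_bundle DIR
  ( umask 077 && cat "$1/fullchain.pem" "$1/privkey.pem" > "$1/bundle.pem" )
}

# Constructed sample: a throwaway CA stands in for Let's Encrypt so the
# checks can run offline. File names mirror certbot's; the rest is made up.
make_sample() {  # usage: make_sample DIR
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/chain.pem" -days 365 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$1/privkey.pem" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/chain.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -out "$1/cert.pem" 2>/dev/null &&
  cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
}

# Run against a real certbot directory when one is given as the first argument.
if [ -n "${1:-}" ]; then
  key_matches_cert "$1/cert.pem" "$1/privkey.pem" && echo "key matches cert"
  valid_for_days "$1/cert.pem" 30 || echo "renew soon: under 30 days left"
fi
```
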