Yet another simple Let's Encrypt client.
This branch is 12 commits ahead, 84 commits behind diafygi:master.

Let's Encrypt

Prepare credentials

Before we can do anything, generate an account key first if you don't have one.

$ openssl genrsa -out account.key 4096

Generate a domain key and CSR.

$ openssl genrsa -out domain.key 4096
$ openssl req -key domain.key -new -sha256 -subj "/" -out domain.csr

Alternatively, if you need a SAN certificate.

$ openssl req -key domain.key -new -sha256 -subj "/" -out domain.csr \
    -reqexts SAN \
    -config <(cat /path/to/openssl.cnf <(printf "[SAN]\,"))

You can use the same CSR across multiple renewals. But you can't use your account private key as your domain private key!

Prepare your web server

Let's Encrypt now requires you to host some files on the domains you requested, to prove that you control them. Those files should be served under the /.well-known/acme-challenge/ URL path, on port 80.

Create a dedicated directory.

$ mkdir -p /srv/letsencrypt/challenges/

Serve challenges from the above directory.

server {
    listen 80;

    # Serve ACME challenge files written by the client.
    location /.well-known/acme-challenge/ {
        alias /srv/letsencrypt/challenges/;
        try_files $uri =404;
    }
}

Get a certificate

Run letsencrypt on your server with proper permissions to write to the above folder and read your private account key and CSR.

$ ./letsencrypt --account-key account.key --email --challenge-dir /srv/letsencrypt/challenges/ domain.csr > domain.crt

Install the certificate

Bundle domain.crt with the Let’s Encrypt Authority X3 intermediate certificate.

$ curl -o intermediate.crt
$ cat domain.crt intermediate.crt > chained.crt

Then enable SSL.

server {
    listen 443 ssl http2;

    ssl_certificate /path/to/chained.crt;
    ssl_certificate_key /path/to/domain.key;
}

server {
    listen 80;

    # Keep serving ACME challenge files over port 80 for renewals.
    location /.well-known/acme-challenge/ {
        alias /srv/letsencrypt/challenges/;
        try_files $uri =404;
    }
}

Set up an auto-renew crontab job

Let's Encrypt certificates only last for 90 days. It is recommended to renew certificates every 60 days.

Create a


# request certificate
/path/to/letsencrypt --account-key /path/to/account.key --email --challenge-dir /srv/letsencrypt/challenges/ /path/to/domain.csr > /path/to/domain.crt
# make chain
curl -o /path/to/intermediate.crt
cat /path/to/domain.crt /path/to/intermediate.crt > /path/to/chained.crt
# reload nginx
sudo service nginx reload

Then add it to crontab.

0 0 1 */2 * /path/to/
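
The renewal script above redirects the client's output straight into domain.crt, so a failed run leaves an empty or partial file that is then chained and handed to nginx. The following is an added example, not code from this project, that checks a staged certificate with openssl and only then replaces the live file; the helper name install_cert, the MIN_DAYS threshold and the domain.crt.new staging path are assumptions.

```shell
#!/bin/sh
# Added example (not from the project): gate a newly issued certificate
# before it replaces the file nginx loads.
#
# install_cert NEW_CERT DOMAIN_KEY LIVE_CERT   (hypothetical helper name)
# Replaces LIVE_CERT only if NEW_CERT parses as X.509, has at least
# MIN_DAYS of validity left, and carries the public key of DOMAIN_KEY.
MIN_DAYS=${MIN_DAYS:-30}   # assumed threshold; a fresh certificate has ~90 days

install_cert() {
    ic_new=$1; ic_key=$2; ic_live=$3

    # 1. Catches the empty or truncated file a failed client run leaves behind.
    if ! openssl x509 -in "$ic_new" -noout 2>/dev/null; then
        echo "install_cert: $ic_new is not a certificate" >&2; return 1
    fi

    # 2. -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$ic_new" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null 2>&1; then
        echo "install_cert: $ic_new expires within $MIN_DAYS days" >&2; return 1
    fi

    # 3. The certificate must match the key nginx is configured with
    #    (ssl_certificate_key), otherwise nginx rejects the configuration on reload.
    ic_cert_pub=$(openssl x509 -in "$ic_new" -noout -pubkey 2>/dev/null)
    ic_key_pub=$(openssl pkey -in "$ic_key" -pubout 2>/dev/null)
    if [ -z "$ic_cert_pub" ] || [ "$ic_cert_pub" != "$ic_key_pub" ]; then
        echo "install_cert: $ic_new does not match $ic_key" >&2; return 1
    fi

    # 4. Stage in the same directory, then rename: readers never see a partial file.
    ic_tmp=$(mktemp "$(dirname "$ic_live")/.cert.XXXXXX") || return 1
    if cat "$ic_new" > "$ic_tmp" && chmod 644 "$ic_tmp" && mv -f "$ic_tmp" "$ic_live"; then
        return 0
    fi
    rm -f "$ic_tmp"; return 1
}

# In the renewal script: redirect the client's output to /path/to/domain.crt.new
# instead of /path/to/domain.crt, then stop before "make chain" on failure:
#   install_cert /path/to/domain.crt.new /path/to/domain.key /path/to/domain.crt || exit 1
```

Because the check runs before the chain is rebuilt and nginx is reloaded, a failed renewal leaves the previous certificate in service until the next cron run.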