How to set up HTTPS with Let’s Encrypt

Warning: installing an SSL certificate can produce a working HTTPS setup that still shows very annoying intermittent issues in your browser, such as a broken SSL certificate, corrupted SSLv3, or an SSL certificate reported as not valid. You will then have to remove it, and the URLs will be broken. So try it first on a test server or VPS to master the setup.

First, update and upgrade your system:

sudo apt-get update && sudo apt-get upgrade

Then install git:

sudo apt-get install git

Get the Let’s Encrypt client, which issues free SSL certificates:

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Go to the Let’s Encrypt folder:

cd /opt/letsencrypt

Create the SSL certificate:

sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
Enter email address (used for urgent notices and lost key recovery)

Enter your email address.

Agree to the Terms of Service.

If it worked well, you should get this message:

IMPORTANT NOTES:
- If you lose your account credentials, you can recover them through
  e-mails sent to somebody@example.com.
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/example.com/fullchain.pem. Your
  cert will expire on 2016-03-31. To obtain a new version of the
  certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Let's
  Encrypt, so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le

List the Let’s Encrypt directory structure:

sudo ls /etc/letsencrypt/live
sudo ls /etc/letsencrypt/live/example.com

You should get this output:

cert.pem
chain.pem
fullchain.pem
privkey.pem

Check the full chain status:

sudo stat /etc/letsencrypt/live/example.com/fullchain.pem

You should get a result of this form, showing that the file is a symbolic link into the archive directory:

File: ‘live/example.com/cert.pem’ -> ‘../../archive/example.com/cert1.pem’
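
The listing and stat checks above can be scripted. The function below is an added example, not part of the original tutorial or of the Let's Encrypt client: the name audit_live_dir and its rule that the private key must not be readable by group or others are assumptions of this example, and it relies on GNU stat and readlink as shipped on Debian/Ubuntu.

```shell
#!/bin/sh
# Added example: audit one Let's Encrypt "live" directory.
# audit_live_dir DIR
# Prints one line per problem; returns 0 if the layout is clean, 1 otherwise.
audit_live_dir() {
    dir=$1
    problems=0
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        path="$dir/$name"
        # -e follows symlinks, so a dangling link is reported as missing too.
        if [ ! -e "$path" ]; then
            echo "MISSING   $path"
            problems=$((problems + 1))
            continue
        fi
        # Each file is expected to be a symlink into ../../archive/.
        if [ ! -L "$path" ]; then
            echo "NOT-LINK  $path (expected a symlink into archive/)"
            problems=$((problems + 1))
        else
            case "$(readlink "$path")" in
                ../../archive/*) ;;
                *) echo "ODD-LINK  $path -> $(readlink "$path")"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done
    # Policy of this example: the key file itself must grant nothing to
    # group or others, independent of the directory permissions.
    key="$dir/privkey.pem"
    if [ -e "$key" ]; then
        mode=$(stat -L -c '%a' "$key")
        case "$mode" in
            *00|0) ;;
            *) echo "KEY-PERMS $key has mode $mode (want 600 or 400)"
               problems=$((problems + 1)) ;;
        esac
    fi
    [ "$problems" -eq 0 ]
}

# Optional direct use: sh audit.sh /etc/letsencrypt/live/example.com
if [ "$#" -gt 0 ]; then audit_live_dir "$1"; fi
```

Run it as root, since /etc/letsencrypt/live is listed with sudo in the steps above.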

Renew the SSL certificate:

cd /opt/letsencrypt
sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d example.com -d www.example.com

After a while, you will get this message:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/example.com/fullchain.pem. Your
  cert will expire on 2016-03-31. To obtain a new version of the
  certificate in the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le

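Automatically renew the SSL certificate by adding a cron job to /etc/crontab. Note that --standalone starts its own temporary web server, so the port it needs must be free when the job runs: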

echo '@monthly root /opt/letsencrypt/letsencrypt-auto certonly --standalone --renew-by-default -d example.com -d www.example.com >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab

You will then have to configure Apache (default-ssl.conf and example.com.conf) or Nginx to use the certificate.