This script is used to run the required steps to let letsencrypt sign a server certificate for certain domains.

For the most basic workflow an account key must be created and the private key of the server must be available. The following example is for a nginx server, because it is the easiest to setup.

letsencrypt needs an account key for verification of domains and requesting the signed certificate. If such a key already exists and is registered, the following steps can be skipped.

create an account key:

# umask 0177
# openssl genrsa -out account.key 4096
# umask 0022

register the account key to the letsencrypt service

# ./letsencrypt.sh register -a account.key -e [email protected]

To verify a domain the letsencrypt service gives you a challenge, to which a response must be stored under this domain.

The response is a simple concatenation of a challenge token, a dot ".", and the thumbprint of the account with which the verification request was made. This must be stored at a well known location.

The thumbprint of the private account key can be obtained with this command:

# ./letsencrypt.sh thumbprint -a account.key

With this thumbprint nginx can be configured to create a valid response dynamically. The following configuration must be added to the server section of each domain to be validated:

location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]*)$" {
    default_type text/plain;
    return 200 "$1.ACCOUNT_THUMBPRINT";
}

The string ACCOUNT_THUMBPRINT in the return statement must be replaced by the actual thumbprint of the account key. Please note that the verification service of letsencrypt asks for the response over a HTTP and not over a HTTPS connection. Do not forget to reload the configuration.

When every domain for which the certificate should be used is setup, the signing of the certificate can be requested:

# ./letsencrypt.sh sign -a account.key -k server.key -c server.pem www.example.org www1.example.org example.org

If the script runs successfully the signed certificate is stored in the file server.pem and can be used with the server. Please note that the file only contains the signed server certificate and not the complete chain, which might be needed by some servers.

This is done like the first signing request:

# ./letsencrypt.sh sign -a account.key -k server.key -c server.pem www.example.org www1.example.org example.org

This is done with the same account key the certificate was originally signed:

# ./letsencrypt.sh revoke -a account.key -c server.pem

Alternatively, it is possible to revoke the certificate with its server key:

# ./letsencrypt.sh revoke -k server.key -c server.pem

You may need to use the -P option together with a custom script to set up the response to the challenge from letsencrypt. This might be because you want to sign the certificate from a different server than the one that runs your web site or your DNS, or your DNS is managed externally and you need to use a specific API. Basic example scripts provided by other users are available in contrib/, for example contrib/push-ionos-dns.sh. These may be of quite varying quality but should help you get started.