@cpburnz
Last active July 18, 2022 22:26
Manually Request Let's Encrypt TLS Certificate with certbot

A TLS certificate can be manually requested from Let's Encrypt using certbot. To acquire the certificate, you need a domain name that is properly set up in DNS, and you must be able to serve a file at an arbitrary URL under that domain.

TL;DR

Run the following interactive command and follow any instructions:

sudo certbot certonly --manual --agree-tos -m you@example.com -d www.example.com

Where you@example.com is your email address and www.example.com is the domain you're requesting a certificate for.

Instructions

Run the following interactive command to initiate the request for your domain:

sudo certbot certonly --manual -d www.example.com

This will output the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Type your email address, and press Enter to continue:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:

Type A to agree to the terms of service, and press Enter to continue:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

Type N to decline being added to the mailing list, and press Enter to continue:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

Type Y to agree, and press Enter to continue:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

Cz-XoBfCDRl9AcXURW0UBtc3E4PKU3btaVNbyd1dagm.CEex4cqUNrocDQbylppmTsLB87fbSGpRIulW94byJgx

And make it available on your web server at this URL:

http://www.example.com/.well-known/acme-challenge/Cz-XoBfCDRl9AcXURW0UBtc3E4PKU3btaVNbyd1dagm

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

You are instructed to create a file with a seemingly random name and contents. These values are different for every request. Create the file with exactly the specified contents, and make it available over HTTP at the indicated URL. Once the file is in place, press Enter to continue:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.com/privkey.pem
   Your cert will expire on 2021-10-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your TLS certificate is now signed. Note the expiration date: Let's Encrypt currently issues certificates for 90 days. The private key is located at /etc/letsencrypt/live/www.example.com/privkey.pem, and the signed certificate, along with any intermediate certificates, is located at /etc/letsencrypt/live/www.example.com/fullchain.pem.
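The challenge-file step above can be scripted. The following is an added example, not part of the original gist: it validates the data certbot printed before using it as a file name, writes it under the web root, and lets you fetch it back before pressing Enter. The function names and the assumption that the web root is served at http://<domain>/ are this example's own.

```shell
#!/bin/sh
# Added example (not from the original gist).
# place_challenge WEBROOT KEYAUTH
#   WEBROOT - document root of the site (assumed to be served at http://<domain>/)
#   KEYAUTH - the data line certbot printed, in the form <token>.<thumbprint>
# Writes the challenge file and prints its path.
place_challenge() {
    webroot=$1
    keyauth=$2

    # The data must contain a dot separating token and thumbprint.
    case $keyauth in
        *.*) ;;
        *) echo "expected <token>.<thumbprint>" >&2; return 1 ;;
    esac
    token=${keyauth%%.*}   # part before the first dot: also the file name
    thumb=${keyauth#*.}    # part after the first dot

    # Both parts are base64url. Rejecting everything else (slashes, extra
    # dots, spaces) keeps the token from naming a path outside the
    # challenge directory.
    if [ -z "$token" ] || [ -z "$thumb" ]; then
        echo "empty token or thumbprint" >&2; return 1
    fi
    case $token$thumb in
        *[!A-Za-z0-9_-]*) echo "unexpected characters in challenge data" >&2; return 1 ;;
    esac

    dir=$webroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    # printf '%s' writes exactly the data, with no trailing newline.
    printf '%s' "$keyauth" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"   # readable by the web server user
    printf '%s\n' "$dir/$token"
}

# check_served DOMAIN KEYAUTH
# Fetches the challenge URL over plain HTTP and succeeds only if the body
# matches the expected data. Needs curl and network access to DOMAIN.
check_served() {
    url="http://$1/.well-known/acme-challenge/${2%%.*}"
    [ "$(curl -fsSL --max-time 10 "$url")" = "$2" ]
}
```

Run `place_challenge /var/www/html '<data from certbot>'` (the web root path here is a placeholder), then `check_served www.example.com '<data from certbot>'` before pressing Enter at the certbot prompt.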
