
The Let’s Encrypt management software will:

  • Automatically prove to the Let’s Encrypt CA that you control the website
  • Obtain a browser-trusted certificate and set it up on your web server
  • Keep track of when your certificate is going to expire, and automatically renew it
  • Help you revoke the certificate if that ever becomes necessary.

That's all great, but let's assume that I'm running a custom webserver or arcane configuration that the management tool doesn't understand. Will I still be able to get a certificate from Let's Encrypt by going through the motions manually? Without reverse engineering, that is, because otherwise the answer would be 'yes, of course'.

  • I don't understand your question. Can you clarify "going through the motions manually"? Are you assuming that you can't install the Let's Encrypt management package? What do you mean by "that the management tool doesn't understand"? – RoraΖ Jun 11 '15 at 11:35
  • 1
    Related/Duplicate: [How does “Let's Encrypt” provide authenticity?](https://security.stackexchange.com/questions/77536/how-does-lets-encrypt-provide-authenticity) – StackzOfZtuff Jun 11 '15 at 11:55
  • @raz The tool will among other things automatically make a special file available on the web server. It can't do that if it doesn't understand the web server I'm running, so I'll have to do that myself, then tell the CA I've done it. – Bart van Heukelom Jun 11 '15 at 12:03
  • 1
    @BartvanHeukelom It sounds like you've answered your own question. As long as the special file is at the correct URI when the CA checks, you win. The CA doesn't care how it got there. – Mike Ounsworth Jun 11 '15 at 12:44
  • We're not customer support for Let's Encrypt. You should ask them directly, you'd be more likely to obtain a correct and authoritative reply. – Steve Dodier-Lazaro Jun 17 '15 at 00:41

1 Answer

Yes, you can use LetsEncrypt with complex configurations that the command-line tool cannot modify. There are two ways to do so:

  1. The hard way: Write your own client that follows the ACME specification and does whatever it is that you want to do with the certificates.

  2. The easy way: Use the LetsEncrypt client in "Standalone Authenticator" mode. In this mode, the verification will be done using a standalone webserver that runs inside the LetsEncrypt tool and the certificate will be saved in a folder for you to use as you see fit.

    The Quick Start has an example of using the command-line tool (via Docker) in this standalone mode, which saves the certificate into /etc/letsencrypt/certs.

    sudo docker run -it --rm -p 443:443 --name letsencrypt \
                  -v "/etc/letsencrypt:/etc/letsencrypt" \
                  -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
                  quay.io/letsencrypt/lets-encrypt-preview:latest
    

    I extracted the command that is run from that Docker image so that you can run it outside of Docker on a machine that has the client installed directly:

    letsencrypt --text
    

    Yes, that should be all it takes! (In fact, the --text part probably isn't required either.)

Moshe Katz
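The "special file" the comments refer to is the ACME http-01 challenge response. The Python below is an added illustration, not code from the page, from the Let's Encrypt client, or from the answer's author; it shows what a hand-rolled client (the answer's "hard way") has to place at the challenge URL and what the CA checks when it fetches it, following RFC 8555 section 8.3 and the JWK thumbprint of RFC 7638 (the page predates the final RFC, but the construction is the same one the 2015 drafts used). The JWK, modulus and token values are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib
import json
import re

# Constructed placeholder values, not taken from the page or from any real
# account. A real ACME account key is the client's own RSA or EC public key,
# and the token is whatever the CA put in the http-01 challenge object.
EXAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-placeholder"}
EXAMPLE_TOKEN = "constructed-token-Abc123_-"

# RFC 8555 section 8.3: the token is base64url characters with no '=' padding.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME and JOSE use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_valid_token(token: str) -> bool:
    """Reject tokens that could not have come from a conforming CA. A custom
    client that turns the token into a filesystem path must check this first,
    otherwise a malformed token becomes a path-traversal problem."""
    return bool(_TOKEN_RE.match(token))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members only, serialized
    with keys in lexicographic order and no whitespace. Optional members such
    as 'alg' or 'kid' are deliberately left out, so the value is stable."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body of the challenge file: '<token>.<account key thumbprint>'.
    Binding the thumbprint in means only the holder of the account key that
    requested the challenge can produce a body the CA will accept."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url without padding")
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(token: str) -> str:
    """URL path the CA fetches over plain HTTP on the domain being validated."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url without padding")
    return f"/.well-known/acme-challenge/{token}"


def validate_http01_response(body: str, token: str, jwk: dict) -> bool:
    """The CA-side check: the fetched body must equal the key authorization.
    RFC 8555 lets the server ignore whitespace after the body, hence rstrip."""
    return body.rstrip() == key_authorization(token, jwk)


if __name__ == "__main__":
    path = challenge_path(EXAMPLE_TOKEN)
    body = key_authorization(EXAMPLE_TOKEN, EXAMPLE_JWK)
    print(f"serve {body!r} at http://<your-domain>{path}")
```

Whatever web server is in front of the domain, the only things the CA observes are the path returned by `challenge_path` and the body produced by `key_authorization`, which is why the comment above that "the CA doesn't care how it got there" holds.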