Let’s Encrypt (LE) is a Certificate Authority that allows you to generate SSL certificates for free. Current limitations:
- Expires after 3 months
- No wildcard support for subdomains
The reason LE limits the expiration time to 3 months is to encourage the frequent cycling of certificates through automation.
DNSimple’s Simone Carletti wrote a small program that allows you to easily generate free SSL certificates using the ACME protocol, along with the DNSimple API. The program is natively compiled and doesn’t require a runtime like Ruby, Python or Java to be present on your machine.
I’ve forked his program and added the ability to specify the --out PATH option, allowing you to optionally specify an additional path to write the full chain and private key to (easier for automation). We’ll be using the fork for this guide.
You’ll need the following:
- DNSimple account
- A domain managed by DNSimple
- Linux server (32-bit or 64-bit)
For the purpose of this guide I’ll be using Ubuntu 14.04 along with the NGINX web server, but you can use whatever you’re working with.
Download the release and install the binary:

```sh
wget https://github.com/mrrooijen/letsencrypt-dnsimple/releases/download/v0.0.0/letsencrypt-dnsimple-amd64.tar.gz
tar xvzf letsencrypt-dnsimple-amd64.tar.gz
mv ./letsencrypt-dnsimple /usr/local/bin/
rm letsencrypt-dnsimple-amd64.tar.gz
```
Create a new file called run-letsencrypt-dnsimple with the following contents, and place it wherever you want. I’ll place it in

```sh
#!/bin/sh
/usr/local/bin/letsencrypt-dnsimple \
  -api-key 1234567890 \
  -user email@example.com \
  -email firstname.lastname@example.org \
  -out /etc/nginx/ssl \
  -url https://acme-v01.api.letsencrypt.org/ \
  example.com,www.example.com

service nginx reload
```
| Option | Description |
|---|---|
| API_KEY | Your DNSimple API (v1) key |
| USER | Your DNSimple email address |
| EMAIL | Used by LE. You can set this to the same value as -user. |
| URL | The LE API URL. Use https://acme-v01.api.letsencrypt.org/ for production runs. Omit this option for dry runs. |
| OUT | Optional. Specifies where the two generated files are written, for example |
| ARGV | The list of domains you want to use the certificate with, separated by commas. |
Once you’re finished configuring the shell script, make it executable.
```sh
chmod a+x /usr/local/bin/run-letsencrypt-dnsimple
```
First, perform a dry run to see if the script works. Omit the -url option in your script, then execute the script. Once you’ve confirmed that it works, add the -url option back with https://acme-v01.api.letsencrypt.org/. Now add a crontab entry:
```sh
crontab -e
```
In the crontab, add the following:
```
0 0 1 * * /usr/local/bin/run-letsencrypt-dnsimple
```
Now your system will request a new privkey.pem on the first day of every month, overwriting the previous month’s privkey.pem, and reload the nginx configuration to apply the new SSL configuration.
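Because the cron job reloads nginx blindly, a broken or partial renewal would be applied just as readily as a good one. The following checks, an added example that is not part of the original post or the letsencrypt-dnsimple project, can be called from run-letsencrypt-dnsimple between the renewal and service nginx reload; they assume openssl is installed and the /etc/nginx/ssl output directory used in the post.

```sh
#!/bin/sh
# Added example (not from the post or the letsencrypt-dnsimple project):
# sanity checks on the files written by -out, to run before reloading nginx.
# Assumes openssl is on PATH and the /etc/nginx/ssl layout from the post.

# 0 if the certificate in $1 and the private key in $2 belong together.
# Compares the encoded public keys, so it works for RSA and EC keys alike.
keys_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate in $1 is still valid $2 days from now
# (a freshly issued LE certificate has roughly 90 days left).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if every hostname in the comma-separated list $2 appears as a DNS
# Subject Alternative Name of the leaf certificate in $1.
cert_covers_domains() {
  sans=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null) || return 1
  for d in $(printf '%s' "$2" | tr ',' ' '); do
    case "$sans," in *"DNS:$d,"*) ;; *) return 1 ;; esac
  done
  return 0
}

# Run all three checks on the -out directory $1 for the domain list $2;
# prints the first failure to stderr and returns non-zero.
verify_renewal() {
  dir=$1; domains=$2
  keys_match "$dir/fullchain.pem" "$dir/privkey.pem" ||
    { echo "fullchain.pem does not match privkey.pem" >&2; return 1; }
  cert_valid_for_days "$dir/fullchain.pem" 30 ||
    { echo "certificate expires within 30 days" >&2; return 1; }
  cert_covers_domains "$dir/fullchain.pem" "$domains" ||
    { echo "certificate does not cover $domains" >&2; return 1; }
}
```

In the wrapper script, place `verify_renewal /etc/nginx/ssl example.com,www.example.com || exit 1` between the letsencrypt-dnsimple call and `service nginx reload`, so nginx keeps serving the previous certificate when a run goes wrong.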
Because the -out option was set to /etc/nginx/ssl, you’ll want to add the following entries to your nginx configuration:
```nginx
ssl_certificate     /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
```
Now you should be good to go. Unlimited, automated, free SSL certificates, cycled on a monthly basis.