Let’s Encrypt is a new certificate authority that provides absolutely free secure certificates to help get to 100% HTTPS on the Internet. DreamHost has integrated Let’s Encrypt support into our panel for hosted services, but if you want to set up automatically-renewing certificates for domains you host on a DreamHost Cloud server instance, you’ll need to do a little bit of manual installation. But the good news is, it doesn’t take long. And once you finish the setup, you should never have to worry about renewing a certificate ever again!
Get the Code
First off, you’ll SSH to your DreamHost Cloud server instance. The principles are the same for any distribution of Linux you’re running, but make sure you have the git package installed so that you can clone the letsencrypt repository, like so:
git clone https://github.com/letsencrypt/letsencrypt
Get Your First Certificate
Before you get a certificate, you’ll need to make sure that your domain is actually pointing at your cloud instance’s IP address, and that your web server is configured to respond to requests for your domain name. Let’s Encrypt performs checks to make sure that you control domain names that you request certificates for.
Let’s say that you have domain.com configured with a DNS A record pointing at the IP address for your instance, and you have Apache already configured properly to respond to requests for domain.com. If you’re not familiar with configuring the Apache web server, you can read the guides for Debian/Ubuntu and CentOS/Fedora on the DreamHost Knowledge Base.
The sample snippets below assume that the web server is configured to serve files for domain.com from the location /srv/domain.com on your instance. Make sure to update that location to match your domain’s document root!
The very handy Apache plugin for letsencrypt-auto makes things much easier on Debian and Ubuntu instances:
./letsencrypt-auto --apache -d domain.com
This will prompt you for some information, including your email address. Fill it in with valid information and you should get a shiny new certificate! Apache users shouldn’t even need to restart their web server or modify a configuration file, as the Apache plugin for letsencrypt-auto handles that for you.
Adding a Subdomain to an Existing Certificate
If you also need a certificate for a subdomain, don’t worry! You can add a new subdomain to your existing cert at any time, simply by calling letsencrypt-auto again. Again, the Apache plugin for letsencrypt-auto makes life easy:
./letsencrypt-auto --apache -d domain.com -d sub.domain.com
This is, of course, assuming that you have a different document root for the files for your subdomain. You can omit the additional --webroot-path argument if the document root is the same for the top-level domain and the subdomain. Always remember to specify the --webroot-path before each -d argument, because the -d argument uses the most-recently-specified webroot-path variable supplied.
Now, the best part about using Let’s Encrypt (well, aside from the free certificates): you can have your system automatically renew all of the certificates for you. I wrote a small shell script I called /usr/local/bin/update_certs which looks like this:
systemctl reload apache.service
Using cron, I have this scheduled like so:
30 0 * * 0 /usr/local/bin/update_certs
And now, my system attempts to renew all of my certificates once a week. If there are no certificates in danger of expiring soon, nothing bad happens, but if they would otherwise expire, then they get renewed and I don’t have to think about it.
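A fuller, more defensive take on an update_certs script, added here as an example (it is not the author's script): it runs letsencrypt-auto renew, checks the Apache configuration, and only then reloads, staying silent on success so that any mail from cron signals a failure. The clone path, the apachectl configtest step, the exit codes and the environment-variable overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the author's script. Install as /usr/local/bin/update_certs.
# Assumptions: /path/to/letsencrypt is a placeholder for your clone of the
# repository; apachectl is on PATH; the unit name is the one used in the post.
LE_AUTO="${LE_AUTO:-/path/to/letsencrypt/letsencrypt-auto}"
CONFIGTEST="${CONFIGTEST:-apachectl configtest}"
RELOAD="${RELOAD:-systemctl reload apache.service}"

log() {
    printf '%s update_certs: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2
}

# Run one step quietly; on failure print its captured output to stderr.
# $1 is a label for the log, the remaining arguments are the command.
step() {
    label=$1; shift
    if ! out=$("$@" 2>&1); then
        log "$label failed"
        printf '%s\n' "$out" >&2
        return 1
    fi
}

# Exit codes: 0 ok, 1 renewal failed, 2 config test failed, 3 reload failed.
update_certs() {
    # Renew whatever is close to expiry; on error leave the web server alone.
    step "renewal" "$LE_AUTO" renew || return 1
    # Refuse to reload a configuration that Apache itself rejects.
    # CONFIGTEST and RELOAD are split on spaces on purpose (command + args).
    step "config test" $CONFIGTEST || return 2
    step "reload" $RELOAD || return 3
    return 0
}

# Run only when invoked under its installed name, so the functions can be
# sourced or tested without touching the real server.
case "${0##*/}" in
    update_certs) update_certs; exit $? ;;
esac
```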
An expanded version of this and many other tutorials are available on the DreamHost Cloud Knowledge Base. Check it out if you want to set up Let’s Encrypt with nginx or learn how to automate server configuration with Ansible and more.