I. Sane software

The default option for managing LE certificates is called "certbot". I had a look a year ago, when it was still called "letsencrypt", and it was such a cPanel-like sprawling mess, supposed to do everything including webserver configuration. I bailed out and went on with StartSSL.

In the meantime, alternatives appeared and I ended up with acme-tiny. It is a short Python script that does one thing.. er.. two things: it places the verification files where the webserver can serve them, and it gets the certificate from LE.

II. Preparation

The OpenSSL commands to generate a key and a CSR are well known, but there is a gotcha about alternative names. Whereas other CAs ignore the alternative names (or their absence) in the CSR and always give you at least both example.com and www.example.com, LE adheres strictly to the CSR: you won't get the www alias for your domain thrown in for free. Every name you want in the certificate must be listed in the config file, like:

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = TMSR
countryName_default = XY

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
# Every name that should end up in the certificate, the bare domain included
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = smtp.example.com

Name it openssl.conf and then generate the CSR with:

openssl req -new -sha256 -key my_secret.key -config openssl.conf > example.csr

Then go on as acme-tiny docs say.
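As an added example (not code from the post or from acme-tiny), here is the config-plus-CSR step as a script that also reads the names back out of the finished CSR, so you can confirm that every alias is present before asking LE to sign it. It assumes openssl on PATH; the file names my_secret.key, example.csr and openssl.conf are the post's, while write_req_conf, make_csr and csr_sans are names chosen here.

```shell
#!/bin/sh
# Added example, not from the post or from acme-tiny: the config + CSR step
# turned into a script, plus a check that the CSR really carries every name,
# since LE issues for exactly what is in the CSR and nothing more.
# Assumes openssl on PATH; file names mirror the post.
set -eu

# write_req_conf DIR NAME... -> writes DIR/openssl.conf; the first NAME becomes
# the CN, every NAME becomes a DNS SAN. "prompt = no" turns the
# req_distinguished_name entries into values instead of interactive prompts.
write_req_conf() {
  dir=$1; shift
  {
    printf '[ req ]\n'
    printf 'distinguished_name = req_distinguished_name\n'
    printf 'req_extensions = v3_req\n'
    printf 'prompt = no\n\n'
    printf '[ req_distinguished_name ]\n'
    printf 'commonName = %s\n\n' "$1"
    printf '[ v3_req ]\n'
    printf 'basicConstraints = CA:FALSE\n'
    printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = @alt_names\n\n'
    printf '[ alt_names ]\n'
    i=1
    for name in "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$dir/openssl.conf"
}

# make_csr DIR NAME... -> fresh 2048-bit RSA key in DIR/my_secret.key and a
# SHA-256 signed DIR/example.csr, using the same req command as the post
make_csr() {
  dir=$1; shift
  write_req_conf "$dir" "$@"
  openssl genrsa -out "$dir/my_secret.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/my_secret.key" -config "$dir/openssl.conf" \
    -out "$dir/example.csr"
}

# csr_sans CSR -> the DNS names in the CSR's subjectAltName, one per line, in
# CSR order. Run this before handing the CSR to acme-tiny: a name missing here
# is a name missing from the certificate.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Constructed demo: the three names from the config above.
work=$(mktemp -d)
make_csr "$work" example.com www.example.com smtp.example.com
csr_sans "$work/example.csr"
```

If your OpenSSL is 1.1.1 or newer, `openssl req -addext "subjectAltName=DNS:example.com,DNS:www.example.com"` gets you the same extension without a config file; the check with csr_sans is worth running either way.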

III. Autoupdating

Oh, I'll just throw in a monthly cronjob to refresh the certificate, you say? Not so fast. Things to worry about if this were The Production Server:

Certificate chain

The intermediate certificate, which should be refreshed occasionally, currently lives at a certain URL. Emphasis on currently: this has changed and will change again, so a cronjob with that URL baked in will one day serve a stale or missing chain. Don't hardcode it; the leaf certificate names the place where its issuer lives in the "CA Issuers" entry of its Authority Information Access extension, so fetch the intermediate from there each time you renew.

Revocation

"LE can revoke your certificate, so be sure to check twice a day." Doh. You can't do the "checking" by running acme-tiny, because it never checks anything: every run requests a brand-new certificate, and doing that twice a day will run you into LE's rate limit on duplicate certificates. Use OCSP instead: ask the responder named in the certificate's Authority Information Access extension whether the serial is still good, and only fire acme-tiny when the answer is "revoked" or the expiry is near. (Let's Encrypt has since announced the end of its OCSP service in favour of CRLs, so check whether your current certificates still carry an OCSP URL at all.)
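Both worries above, the moving intermediate URL and the cost of checking by re-issuing, come down to doing the checks without touching the ACME API. As an added example (not from the post or from acme-tiny), the following script reads the intermediate and OCSP URLs out of the certificate's own Authority Information Access extension instead of hardcoding them, and decides whether acme-tiny should be run at all. It assumes openssl 1.1.1 or newer and curl on PATH; the function names, the exit-code convention and the renewal threshold passed as DAYS are choices made here, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the post or from acme-tiny: cron-safe checks that
# answer "does this cert need replacing?" without touching the ACME API.
# Assumes openssl (1.1.1+) and curl on PATH; every URL is read from the cert.
set -eu

# ocsp_url CERT -> OCSP responder URL from the Authority Information Access
# extension (prints nothing if the cert carries none)
ocsp_url() { openssl x509 -in "$1" -noout -ocsp_uri; }

# issuer_url CERT -> "CA Issuers" URL from the same extension. This is where
# the intermediate lives right now, so read it from the leaf instead of
# hardcoding a URL that will move.
issuer_url() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p' | head -n 1
}

# fetch_issuer CERT OUT -> download the intermediate named by the leaf (served
# as DER) and store it as PEM in OUT (network)
fetch_issuer() {
  curl -fsS "$(issuer_url "$1")" -o "$2.der"
  openssl x509 -inform DER -in "$2.der" -out "$2"
}

# needs_renewal CERT DAYS -> succeeds if the cert expires within DAYS days
# (-checkend exits 0 when the cert will still be valid, hence the inversion)
needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1
  fi
  return 0
}

# ocsp_status CERT ISSUER -> prints good|revoked|unknown after a signature-
# verified OCSP query, or "no-ocsp" if the cert names no responder (network).
# Returns 1 (with error|unverified printed) when no trustworthy answer came back.
ocsp_status() {
  url=$(ocsp_url "$1")
  [ -n "$url" ] || { echo no-ocsp; return 0; }
  out=$(openssl ocsp -issuer "$2" -cert "$1" -url "$url" -no_nonce 2>&1) \
    || { echo error; return 1; }
  # never act on a status whose signature did not verify against the issuer
  printf '%s\n' "$out" | grep -q '^Response verify OK' || { echo unverified; return 1; }
  printf '%s\n' "$out" | sed -n "s|^$1: ||p"
}

# renew_check CERT ISSUER DAYS -> exit 0 when acme-tiny should run (near expiry
# or revoked), 1 when the cert is fine, 2 when the check itself failed (alert,
# but do not renew on a transient error; that is how you hit rate limits).
# Cron usage: renew_check cert.pem chain.pem 30 && <run acme-tiny, reload webserver>
renew_check() {
  [ -s "$2" ] || fetch_issuer "$1" "$2"
  if needs_renewal "$1" "$3"; then
    echo "expires within $3 days"; return 0
  fi
  st=$(ocsp_status "$1" "$2") || { echo "OCSP check failed ($st), not renewing"; return 2; }
  case $st in
    good|no-ocsp) return 1 ;;
    *) echo "OCSP status: $st"; return 0 ;;
  esac
}
```

renew_check fetches the intermediate only when the chain file is missing; deleting chain.pem after each successful renewal makes the next run re-read the "CA Issuers" URL from the fresh leaf, which is what keeps the served chain in step with whatever LE is signing with that month.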