Getting a Let's Encrypt certificate using Certbot.

How to get your Let’s Encrypt certificates for 2021

Until mid-2020 or so, zerossl.com was my personal go-to for generating certificates using the web. Sporting an easy UI, it allowed all of us in the free Web to create a SSL certificate for free for our web apps.

As it stands, those days are now gone, at least via zerossl.com, at least for me.

So, what’s next then?

How I create a Let’s Encrypt certificate in 2021

Assuming you’re on Windows 10, install Certbot from Certbot – Windows Other (eff.org).

Since “certbot must be run on a shell with administrative rights”, open your start menu and start typing “cmd”. Select “Run as administrator”.

In the command prompt app, enter “certbot certonly --manual”.

The first time around, you’ll need to go through some minor setup and red tape: the next three steps are only needed the first time you run Certbot.

1 – Accept or decline future email reminders

I politely answered the first question, “Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):”, with my email address, since I find the non-obtrusive reminder Let’s Encrypt sends me whenever one of my certificates is about to expire quite handy.

Then comes the second point of order, which I had to “(A)gree” with, since choosing “(C)ancel” instead of reading and agreeing to Let’s Encrypt’s Terms of Service means going home without an SSL certificate.

2 – Agree to the license (or don’t)

Therefore, press “A” when you see this, if you agree:

Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory

(A)gree/(C)ancel: A

3 – Don’t share your email address with EFF (or do)

Whatever you prefer, but I said no to the next bit:

Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: N

4 – Enter your domain name(s)

As mentioned, the previous steps are only necessary upon first run. Next up is the first “true” step, to which I naturally answered with my domain, and the www.-prefixed version of it:

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): www.barbez.eu,barbez.eu

If all is well, you’ll get:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for barbez.eu
http-01 challenge for www.barbez.eu

5 – Agree or decline to IP logging

I answered ‘Y’ to the next question:

NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.

Are you OK with your IP being logged?
(Y)es/(N)o: Y

Not sure what happens when you choose the other option – that could be up to you to find out.

6 – Establishing trust, a.k.a. the main part

It is imperative to be precise during this step.

To ensure you are the owner of the domain(s) you’re applying to get SSL certificates for, you’ll need to create as many files as the number of domains given under step “4 – Enter your domain name(s)”. In my case, I did this twice:

Create a file containing just this data: ysGvkxI_GBHgqXXXXXXXXXXXXXXBeNa6MALObvsyRsAQ
And make it available on your web server at this URL:
http://barbez.eu/.well-known/acme-challenge/ysGvXXXXXXXXXXXXXXXXfpDRy4

Press Enter to Continue

(This must be set up in addition to the previous challenges; do not remove, replace, or undo the previous challenge tasks yet.)

At this point, you’ll need to open Windows’ Notepad, copy e.g. ‘ysGvkxI_GBHgqXXXXXXXXXXXXXXBeNa6MALObvsyRsAQ’ (whatever value is presented in your case) into a new file, and name that file ‘ysGvXXXXXXXXXXXXXXXXfpDRy4’ (or whatever value is presented in your case).

Note that this file cannot have an extension, so e.g. this won’t work: ysGvXXXXXXXXXXXXXXXXfpDRy4.txt.

Each time you have copied the contents into the file and saved it, you need to upload the file to your web server or web host.

While doing so, ensure your newly created file(s) is/are available: paste the link into your browser and check that you see the contents you copied in earlier. If not, allow browsing to files without an extension, and disable any HTTP to HTTPS redirects you may have configured. Whatever you do, don’t press ENTER until you’ve verified this.

In case of trouble, check your .htaccess in your public_html folder (for most Linux-based hosting environments, e.g. via the cPanel file browser), or web.config in ASP.NET apps and some apps hosted in a Microsoft Azure Web App resource (again, depending on its configuration). But that’s out of scope for the actual creation of an SSL certificate.
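The manual verification described in this step (plain http://, no redirect to https, an extensionless file name, and exactly the contents Certbot asked for) can be scripted so nothing is left to eyeballing before you press Enter. The following is an added example, not code from this post or from Certbot. The token and file contents are constructed placeholders standing in for the two values Certbot prints, and the small local server in demo() is a stand-in for your web host so that the script runs offline; against a real host you would call check_challenge() with the URL and contents Certbot gave you.

```python
"""Pre-flight check for a Certbot --manual HTTP-01 challenge file.

Added example (not from the post or from Certbot). Run it after uploading
the challenge file and before pressing Enter in Certbot.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed placeholders: Certbot prints the real file name (the token) and
# the real file contents for your own domain.
TOKEN = "EXAMPLE_TOKEN_placeholder"
TOKEN_SAVED_WITH_EXTENSION = "EXAMPLE_TOKEN2_placeholder"
FILE_CONTENTS = "EXAMPLE_TOKEN_placeholder.EXAMPLE_ACCOUNT_THUMBPRINT_placeholder"
CHALLENGE_DIR = "/.well-known/acme-challenge/"


def check_challenge(url, expected, timeout=10):
    """Fetch url over plain HTTP without following redirects; return (ok, reason)."""
    parsed = urlparse(url)
    if parsed.scheme != "http":
        return False, "challenge URL must start with http://, got %s://" % parsed.scheme
    conn = http.client.HTTPConnection(parsed.hostname, parsed.port or 80, timeout=timeout)
    try:
        conn.request("GET", parsed.path, headers={"Host": parsed.netloc})
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        body = resp.read().decode("utf-8", "replace")
    except OSError as exc:
        return False, "connection failed: %s" % exc
    finally:
        conn.close()
    if 300 <= status < 400:
        # The post advises serving the challenge without an HTTP->HTTPS
        # redirect, so a redirect is reported rather than followed.
        return False, "redirected (%d) to %s" % (status, location)
    if status != 200:
        return False, "HTTP %d: file not served (saved with an extension, or extensionless files blocked?)" % status
    # A trailing newline from the editor is tolerated; anything else must match exactly.
    if body.rstrip() != expected:
        return False, "contents differ: got %r" % body[:60]
    return True, "ok"


class _DemoHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for a web host, serving files from a dict (demo only)."""
    files = {}

    def do_GET(self):
        if self.path.startswith("/redirect"):  # simulates an HTTP->HTTPS redirect rule
            self.send_response(301)
            self.send_header("Location", "https://example.invalid" + self.path)
            self.end_headers()
            return
        body = self.files.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo():
    """Serve constructed challenge files locally and run the checks against them."""
    _DemoHandler.files = {
        CHALLENGE_DIR + TOKEN: FILE_CONTENTS + "\n",                      # correct file
        CHALLENGE_DIR + TOKEN_SAVED_WITH_EXTENSION + ".txt": FILE_CONTENTS,  # wrong name
        CHALLENGE_DIR + "wrong": "something else entirely",               # wrong contents
    }
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        return {
            "good": check_challenge(base + CHALLENGE_DIR + TOKEN, FILE_CONTENTS),
            "extension": check_challenge(base + CHALLENGE_DIR + TOKEN_SAVED_WITH_EXTENSION, FILE_CONTENTS),
            "contents": check_challenge(base + CHALLENGE_DIR + "wrong", FILE_CONTENTS),
            "redirect": check_challenge(base + "/redirect" + CHALLENGE_DIR + TOKEN, FILE_CONTENTS),
            "https": check_challenge("https://example.invalid" + CHALLENGE_DIR + TOKEN, FILE_CONTENTS),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-10s %s  %s" % (name, "PASS" if ok else "FAIL", reason))
```

Only the "good" case passes; the other four reproduce the failures the post warns about (file saved with an extension, wrong contents, a redirect to HTTPS, and checking the https:// URL instead of the http:// one Certbot printed).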

7 – You’re done! Almost.

If you can see your file in Chrome or Firefox, you can now press ENTER. If all went well, you’ll get:

Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
C:\Certbot\live\www.barbez.eu\fullchain.pem

Your key file has been saved at:
C:\Certbot\live\www.barbez.eu\privkey.pem

Your cert will expire on 2021-03-02. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew all of your certificates, run "certbot renew"
Your account credentials have been saved in your Certbot configuration directory at C:\Certbot. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Yes, as it says, congratulations! You can now go to the folder from this final output (in my case: C:\Certbot\live\www.barbez.eu\) and open all the files in Notepad.

From here, you can start copy-pasting the certificates from Notepad into the private/public key stores provided by e.g. cPanel.
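Hosting panels usually ask for the server certificate, the CA bundle and the private key as three separate pastes, while Certbot’s fullchain.pem holds the server certificate followed by the intermediate(s). The following is an added example, not code from this post or from Certbot: it splits the two files Certbot named above into those three pieces, sanity-checks that the key file really is a single unencrypted private key, and prints a SHA-256 fingerprint per certificate so you can compare it with the browser’s certificate viewer once the panel has installed it. The PEM blocks in the sample are constructed byte strings standing in for real DER certificates and keys, so the script runs offline; point it at a real live folder by passing the folder path as its only argument.

```python
"""Split Certbot's fullchain.pem / privkey.pem for pasting into a hosting panel.

Added example (not from the post or from Certbot).
"""
import base64
import hashlib
import os
import re
import sys
import textwrap

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in file order."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        der = base64.b64decode(re.sub(r"\s+", "", match.group(2)), validate=True)
        blocks.append((match.group(1), der))
    return blocks


def to_pem(label, der):
    """Re-encode DER bytes as a single PEM block with 64-character lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, in the form browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def prepare_for_panel(fullchain_text, privkey_text):
    """Return the certificate, CA bundle and key as separate PEM strings plus fingerprints."""
    certs = [der for label, der in split_pem(fullchain_text) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("fullchain.pem contains no CERTIFICATE block")
    keys = split_pem(privkey_text)
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        raise ValueError("privkey.pem should contain exactly one private key block")
    if keys[0][0].startswith("ENCRYPTED"):
        raise ValueError("private key is passphrase-protected; panels expect an unencrypted key")
    return {
        "certificate": to_pem("CERTIFICATE", certs[0]),          # first block = server cert
        "ca_bundle": "".join(to_pem("CERTIFICATE", d) for d in certs[1:]),  # the rest
        "private_key": to_pem(keys[0][0], keys[0][1]),
        "fingerprints": [sha256_fingerprint(d) for d in certs],
    }


# Constructed stand-ins for DER bytes; not real certificates or keys.
LEAF_DER = b"constructed stand-in for the server certificate's DER bytes"
INTERMEDIATE_DER = b"constructed stand-in for the intermediate CA certificate"
KEY_DER = b"constructed stand-in for an unencrypted PKCS#8 private key"
SAMPLE_FULLCHAIN = to_pem("CERTIFICATE", LEAF_DER) + to_pem("CERTIFICATE", INTERMEDIATE_DER)
SAMPLE_PRIVKEY = to_pem("PRIVATE KEY", KEY_DER)


def demo():
    """Run prepare_for_panel() on the constructed sample files."""
    return prepare_for_panel(SAMPLE_FULLCHAIN, SAMPLE_PRIVKEY)


if __name__ == "__main__":
    if len(sys.argv) == 2:  # e.g. the live folder Certbot printed at the end of step 7
        with open(os.path.join(sys.argv[1], "fullchain.pem")) as f:
            fullchain = f.read()
        with open(os.path.join(sys.argv[1], "privkey.pem")) as f:
            privkey = f.read()
        result = prepare_for_panel(fullchain, privkey)
    else:
        result = demo()
    for section in ("certificate", "ca_bundle"):
        print("== %s ==\n%s" % (section, result[section]))
    print("SHA-256 fingerprints (server cert first):", *result["fingerprints"], sep="\n  ")
```

The private key is deliberately not printed by the script; paste it from the file itself, and keep the C:\Certbot folder backed up as Certbot’s final message advises.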

Inspiration: User Guide — Certbot 1.11.0.dev0 documentation (eff.org)
