Getting a Let's Encrypt certificate using Certbot.

How to get your Let’s Encrypt certificates for 2022

Because things have changed, I wrote a sequel to my How to get your Let’s Encrypt certificates for 2021 article.

1. Install Python

If you do not have Python yet, run a command prompt as administrator and type “Python”. The Microsoft Store will open, from where you should install Python.

Downloading Python from the Microsoft Store by typing “python” into a command line window.

2. Install Certbot

In the same command prompt, enter “pip install certbot”, to install Certbot.

pip install certbot

Certbot has installed successfully when the command line output resembles this:

Collecting certbot
  Downloading certbot-1.27.0-py3-none-any.whl (272 kB)
     ---------------------------------------- 272.4/272.4 kB 1.3 MB/s eta 0:00:00
Collecting josepy>=1.13.0
  Downloading josepy-1.13.0-py2.py3-none-any.whl (29 kB)
Collecting pyrfc3339
  Downloading pyRFC3339-1.1-py2.py3-none-any.whl (5.7 kB)
Collecting ConfigArgParse>=0.9.3
  Downloading ConfigArgParse-1.5.3-py3-none-any.whl (20 kB)
Collecting cryptography>=2.5.0
  Downloading cryptography-37.0.2-cp36-abi3-win_amd64.whl (2.4 MB)
     ---------------------------------------- 2.4/2.4 MB 1.6 MB/s eta 0:00:00
Collecting configobj>=5.0.6
  Downloading configobj-5.0.6.tar.gz (33 kB)
  Preparing metadata (setup.py) ... done
Collecting acme>=1.27.0
  Downloading acme-1.27.0-py3-none-any.whl (48 kB)
     ---------------------------------------- 48.1/48.1 kB 1.2 MB/s eta 0:00:00
Collecting pytz>=2019.3
  Downloading pytz-2022.1-py2.py3-none-any.whl (503 kB)
     ---------------------------------------- 503.5/503.5 kB 1.5 MB/s eta 0:00:00
Requirement already satisfied: setuptools>=41.6.0 in c:\program files\windowsapps\pythonsoftwarefoundation.python.3.10_3.10.1264.0_x64__qbz5n2kfra8p0\lib\site-packages (from certbot) (58.1.0)
Collecting parsedatetime>=2.4
  Downloading parsedatetime-2.6-py3-none-any.whl (42 kB)
     ---------------------------------------- 42.5/42.5 kB 1.0 MB/s eta 0:00:00
Collecting pywin32>=300
  Downloading pywin32-304-cp310-cp310-win_amd64.whl (12.1 MB)
     ---------------------------------------- 12.1/12.1 MB 1.3 MB/s eta 0:00:00
Collecting distro>=1.0.1
  Downloading distro-1.7.0-py3-none-any.whl (20 kB)
Collecting zope.component
  Downloading zope.component-5.0.1-py2.py3-none-any.whl (68 kB)
     ---------------------------------------- 69.0/69.0 kB 1.8 MB/s eta 0:00:00
Collecting zope.interface
  Downloading zope.interface-5.4.0.tar.gz (249 kB)
     ---------------------------------------- 249.3/249.3 kB 1.1 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Collecting requests-toolbelt>=0.3.0
  Downloading requests_toolbelt-0.9.1-py2.py3-none-any.whl (54 kB)
     ---------------------------------------- 54.3/54.3 kB 1.4 MB/s eta 0:00:00
Collecting requests>=2.20.0
  Downloading requests-2.27.1-py2.py3-none-any.whl (63 kB)
     ---------------------------------------- 63.1/63.1 kB 1.7 MB/s eta 0:00:00
Collecting PyOpenSSL>=17.3.0
  Downloading pyOpenSSL-22.0.0-py2.py3-none-any.whl (55 kB)
     ---------------------------------------- 55.8/55.8 kB 1.5 MB/s eta 0:00:00
Collecting six
  Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting cffi>=1.12
  Downloading cffi-1.15.0-cp310-cp310-win_amd64.whl (180 kB)
     ---------------------------------------- 180.3/180.3 kB 1.4 MB/s eta 0:00:00
Collecting zope.event
  Downloading zope.event-4.5.0-py2.py3-none-any.whl (6.8 kB)
Collecting zope.hookable>=4.2.0
  Downloading zope.hookable-5.1.0.tar.gz (21 kB)
  Preparing metadata (setup.py) ... done
Collecting pycparser
  Downloading pycparser-2.21-py2.py3-none-any.whl (118 kB)
     ---------------------------------------- 118.7/118.7 kB 986.0 kB/s eta 0:00:00
Collecting charset-normalizer~=2.0.0
  Downloading charset_normalizer-2.0.12-py3-none-any.whl (39 kB)
Collecting certifi>=2017.4.17
  Downloading certifi-2022.5.18.1-py3-none-any.whl (155 kB)
     ---------------------------------------- 155.2/155.2 kB 2.3 MB/s eta 0:00:00
Collecting idna<4,>=2.5
  Downloading idna-3.3-py3-none-any.whl (61 kB)
     ---------------------------------------- 61.2/61.2 kB 3.2 MB/s eta 0:00:00
Collecting urllib3<1.27,>=1.21.1
  Downloading urllib3-1.26.9-py2.py3-none-any.whl (138 kB)
     ---------------------------------------- 139.0/139.0 kB 1.2 MB/s eta 0:00:00
Using legacy 'setup.py install' for configobj, since package 'wheel' is not installed.
Using legacy 'setup.py install' for zope.interface, since package 'wheel' is not installed.
Using legacy 'setup.py install' for zope.hookable, since package 'wheel' is not installed.
Installing collected packages: pywin32, pytz, parsedatetime, zope.interface, zope.hookable, zope.event, urllib3, six, pyrfc3339, pycparser, idna, distro, ConfigArgParse, charset-normalizer, certifi, zope.component, requests, configobj, cffi, requests-toolbelt, cryptography, PyOpenSSL, josepy, acme, certbot
  Running setup.py install for zope.interface ... done
  Running setup.py install for zope.hookable ... done
  WARNING: The script distro.exe is installed in 'C:\Users\hanne\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The script normalizer.exe is installed in 'C:\Users\hanne\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  Running setup.py install for configobj ... done
  WARNING: The script jws.exe is installed in 'C:\Users\hanne\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The script certbot.exe is installed in 'C:\Users\hanne\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed ConfigArgParse-1.5.3 PyOpenSSL-22.0.0 acme-1.27.0 certbot-1.27.0 certifi-2022.5.18.1 cffi-1.15.0 charset-normalizer-2.0.12 configobj-5.0.6 cryptography-37.0.2 distro-1.7.0 idna-3.3 josepy-1.13.0 parsedatetime-2.6 pycparser-2.21 pyrfc3339-1.1 pytz-2022.1 pywin32-304 requests-2.27.1 requests-toolbelt-0.9.1 six-1.16.0 urllib3-1.26.9 zope.component-5.0.1 zope.event-4.5.0 zope.hookable-5.1.0 zope.interface-5.4.0

3. Add the Python directory to PATH

If you installed Python via the Microsoft Store, do the steps here. If you installed it in some other way, you don’t need to do this step.

As shown in the command line output, you now need to add “C:\Users\hanne\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts” (or similar) to your PATHs. On Windows, this translates to adding this folder to your “Path” environment variable:

This window can be found under Windows’ “System properties” control panel item.

To proceed, add the folder referenced above to “Path” by clicking “Edit” and appending it to the string that’s already there:

Adding the path to the “Path” environment variable in Windows

Now, restart Windows in order for the added environment variable to work.

4. Use Certbot to generate your Let’s Encrypt certificates

Next, still in the same command prompt, enter “certbot certonly --manual”:

certbot certonly --manual

The first time around, you’ll need to go through some minor setup and red tape. You’ll need to go through the next 3 steps immediately below only the first time you run Certbot.

5. Accept or decline future email reminders

I politely answered with my email address to the first “Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):” question, since I find quite handy the non-obtrusive reminder Let’s Encrypt sends me whenever one of my certificates is about to expire.

Then comes the second point of order, which I had to “(A)gree” with, since “(C)ancel”ling reading and agreeing to Let’s Encrypt’s Terms of Service results in going home without an SSL certificate.

6. Agree to the license (or don’t)

Therefore, press “Y” when you see this and agree, if you agree:

Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory

(Y)es/(N)o:

7. Don’t share your email address with EFF (or do)

Whatever you prefer, but I said no to the next bit:

Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: N

8. Enter your domain name(s)

As mentioned, the previous steps are only necessary upon first run. Next up is the first “true” step, to which I naturally answered with my domain, and the www.-prefixed version of it:

Account registered. Please enter in your domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): www.barbez.eu,barbez.eu

9. Establishing trust, a.k.a. the main part

It is imperative to be precise during this step.

To prove you are the owner of the domain(s) you’re applying to get SSL certificates for, you’ll need to create as many files as the number of domains given under step “8 – Enter your domain name(s)”. In my case, I did this twice:

Create a file containing just this data: ysGvkxI_GBHgqXXXXXXXXXXXXXXBeNa6MALObvsyRsAQ
And make it available on your web server at this URL:
http://barbez.eu/.well-known/acme-challenge/ysGvXXXXXXXXXXXXXXXXfpDRy4

Press Enter to Continue

(This must be set up in addition to the previous challenges; do not remove, replace, or undo the previous challenge tasks yet.)

At this point, you’ll need to open Windows’ Notepad, copy e.g. ‘ysGvkxI_GBHgqXXXXXXXXXXXXXXBeNa6MALObvsyRsAQ’ (whatever is the value presented in your case) into a new file, and name that file ‘ysGvXXXXXXXXXXXXXXXXfpDRy4’ (or whatever is the value presented in your case).

Note that this file cannot have an extension, so e.g. this won’t work: ysGvXXXXXXXXXXXXXXXXfpDRy4.txt.

Each time you have copied the contents to the file, and have saved the file, you need to upload the file to your web server or web host.

While doing so, ensure your newly created file(s) is/are available. Copy the link into your browser, and check that you see the contents you copied in earlier. If not, allow browsing to files without an extension, and disable any HTTP to HTTPS redirects you may have configured. Whatever you do, don’t press ENTER until you’ve verified this.

In case of trouble, check the .htaccess in your public_html folder (for most Linux-based hosting environments, via e.g. the cPanel file browser), or the web.config in ASP.NET apps and in some apps hosted in a Microsoft Azure Web App resource (again, depending on its configuration). But that’s out of scope of the actual creation of an SSL certificate.
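The file creation and the "check before you press ENTER" part of this step can also be scripted. The Python code below is an added example, not part of the original article or of Certbot; the function names are hypothetical and the token and file contents in it are constructed placeholders for the pair Certbot prints.

```python
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"
BOM = b"\xef\xbb\xbf"  # UTF-8 byte order mark some editors prepend

def write_challenge(webroot, token, key_authorization):
    """Create the challenge file under webroot; the file name is the bare token."""
    if not token or any(c in token for c in "./\\"):
        raise ValueError("use the token unchanged as the file name, no extension")
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(key_authorization.encode("ascii"))  # raw bytes: no BOM, no CRLF
    return path

def diagnose(body, key_authorization):
    """Return problems found in a fetched body; an empty list means it matches."""
    problems = []
    if body.startswith(BOM):
        problems.append("file starts with a UTF-8 byte order mark")
        body = body[len(BOM):]
    # Trailing whitespace is ignored, as RFC 8555 section 8.3 tells the CA to do.
    text = body.decode("utf-8", "replace").rstrip()
    if text.lstrip().lower().startswith(("<!doctype", "<html")):
        problems.append("server returned an HTML page, not the challenge file")
    elif text != key_authorization:
        problems.append("body does not match the value Certbot printed")
    return problems

def check_url(url, key_authorization, timeout=10):
    """Fetch the challenge URL and report what differs from a clean, direct hit."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            problems = diagnose(resp.read(), key_authorization)
            if resp.geturl() != url:
                problems.append("request was redirected to " + resp.geturl())
            return problems
    except OSError as exc:  # covers HTTP errors (404, 403) and connection failures
        return ["could not fetch " + url + ": " + str(exc)]

if __name__ == "__main__":
    # Constructed sample values; use the pair Certbot prints for your domain.
    TOKEN = "constructedToken_123"
    KEY_AUTH = TOKEN + ".constructedAccountThumbprint"
    print(diagnose(BOM + KEY_AUTH.encode() + b"\r\n", KEY_AUTH))
    print(diagnose(b"<html><body>404</body></html>", KEY_AUTH))
```

Run check_url with the URL and the file contents Certbot printed; only continue when it returns an empty list for every domain.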

10. You’re done! Almost.

If you can see your file in Chrome or Firefox, you can now press ENTER. If all went well, you’ll get:

Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
C:\Certbot\live\www.barbez.eu\fullchain.pem


Your key file has been saved at:
C:\Certbot\live\www.barbez.eu\privkey.pem

Your cert will expire on 2021-03-02. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew all of your certificates, run "certbot renew"
Your account credentials have been saved in your Certbot configuration directory at C:\Certbot. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Yes, as it says, congratulations! You can now go to the folder from this final output (in my case: C:\Certbot\live\www.barbez.eu\) and open all the files in Notepad.

From here, you can start copy-pasting the certificates from Notepad into the private/public key stores provided by e.g. cPanel.
