From ArchWiki
Revision as of 13:21, 24 January 2016 by Cyph3r (talk | contribs) (Added systemctl commands to start timer for users unfamiliar with timers.)

Let’s Encrypt is a free, automated, and open certificate authority. It provides tools to request valid SSL certificates straight from the command line.


Install the letsencrypt package.

Automated configuration and installation of the issued certificates in web servers is provided by plugins:


Please consult the Let’s Encrypt client documentation on how to create and install certificates. This wiki will be expanded as soon as certificate installation methods have settled.


Note: With this method, you must temporarily stop your web server. You can also run the verification through your already running web server with the Webroot method.

If there is no plugin for your web server, use the following command:

# letsencrypt certonly --manual

This will automatically verify your domain and create a private key and certificate pair. These are placed in /etc/letsencrypt/live/your.domain/.

You can then manually configure your web server to use the key and certificate in that directory.


You can use the webroot method to get/renew certificates with a running web server (e.g. Apache/nginx). Put the renewal command in a service unit, letsencrypt.service:

[Unit]
Description=Letsencrypt manual renewal

[Service]
ExecStart=/usr/bin/letsencrypt certonly --agree-tos --renew-by-default --email email@example.com --webroot -w /path/to/html/ -d your.domain

Make sure the server configuration for the certificates points to /etc/letsencrypt/live/your.domain/.

Before adding a timer, check that the service works correctly and does not prompt for any input.

Then, you can add a timer, letsencrypt.timer, to renew the certificates monthly.

[Unit]
Description=Monthly renewal on letsencrypt's certificates

[Timer]
OnCalendar=monthly

[Install]
WantedBy=timers.target

And start both timer and service with:

systemctl daemon-reload
systemctl enable letsencrypt.timer
systemctl start letsencrypt.timer
systemctl start letsencrypt.service 

If the new certificate is not visible you might have to also restart nginx.service.
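
The check behind that last note, as an added example that is not part of the original wiki page: the script compares the certificate on disk with the one the running server actually presents, and also fails if the on-disk certificate is close to expiry (a sign the timer is not renewing). The function names, the `MIN_DAYS` threshold and the `cert.pem` file name in the usage line are assumptions.

```sh
#!/bin/sh
# Added example: post-renewal check (script and function names are hypothetical).
# Usage: check-cert.sh /etc/letsencrypt/live/your.domain/cert.pem your.domain

MIN_DAYS=30   # assumed threshold: fail when fewer days of validity remain

# Reduce "SHA256 Fingerprint=AB:CD:..." (any case) to bare lowercase hex.
normalize_fp() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the certificate file on disk.
disk_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Fingerprint of the certificate the running server presents on port 443.
served_fp() {
    normalize_fp "$(openssl s_client -connect "$1:443" -servername "$1" \
        </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null)"
}

# Classify the state from the two fingerprints: ok | stale | unreachable.
compare_fp() {
    if [ -z "$2" ]; then echo unreachable
    elif [ "$1" = "$2" ]; then echo ok
    else echo stale
    fi
}

main() {
    cert=$1 host=$2
    # -checkend exits non-zero if the cert expires within the given seconds.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((MIN_DAYS * 86400)) >/dev/null; then
        echo "renewal overdue: $cert expires within $MIN_DAYS days" >&2
        return 2
    fi
    state=$(compare_fp "$(disk_fp "$cert")" "$(served_fp "$host")")
    echo "$host: $state"
    [ "$state" = ok ]
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then main "$@"; fi
```

A result of `stale` means the web server is still serving the previous certificate and needs the restart mentioned above.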