
Let’s Encrypt

tagline: From openSUSE

This page provides basic instructions for using Let's Encrypt SSL certificates on your web server. Let's Encrypt is a free certificate authority (CA). The client tool is Certbot. Certbot has plugins that read and modify your existing web host configuration, so the installation process is quite simple.

Add repo

Certbot packages are available in the official repos for openSUSE 42.3 and later.

For openSUSE 42.2 and earlier, packages are not shipped in the official repos. You need to add the devel:languages:python repo.

sudo zypper addrepo http://download.opensuse.org/repositories/devel:languages:python/openSUSE_13.2/devel:languages:python.repo

For Leap 42.2 choose this:

sudo zypper addrepo http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_Leap_42.2/devel:languages:python.repo

Install packages

If you are using Apache as web server:

sudo zypper install certbot python-certbot python-certbot-apache

If you are using Nginx as web server:

sudo zypper install certbot python-certbot python-certbot-nginx

On Leap 42.2, upgrade python-cryptography to >= 1.3.4 if the installed version is older.

sudo zypper install python-cryptography-1.8.1

Modify configuration

By default, Certbot uses a test CA, which only issues invalid SSL certificates. To use the production CA of Let's Encrypt, you need to edit /etc/certbot/cli.ini

Change:

# The staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory
# The productive server.
# server = https://acme-v01.api.letsencrypt.org/directory

to:

# The staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# The productive server.
server = https://acme-v01.api.letsencrypt.org/directory
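
The same edit as a script, added here as an example and not part of the original wiki page. It assumes the two server URLs exactly as shown above; the function names and the temporary demo file are constructed for illustration. It refuses to write the file unless the production CA ends up as the only active server line.

```shell
#!/bin/sh
# Added example: switch Certbot's cli.ini from the staging CA to production.
# The URLs are the ones shown on this page; the demo file is constructed.

STAGING_URL='https://acme-staging.api.letsencrypt.org/directory'
PRODUCTION_URL='https://acme-v01.api.letsencrypt.org/directory'

# Print the value of every uncommented "server = ..." line in the given file.
active_servers() {
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1"
}

# Comment out the staging line and uncomment the production line.
# Idempotent: an already-switched file is left byte-for-byte unchanged.
use_production_ca() {
    ini=$1
    tmp=$(mktemp) || return 1
    sed -e "s|^[[:space:]]*server[[:space:]]*=[[:space:]]*${STAGING_URL}[[:space:]]*\$|# server = ${STAGING_URL}|" \
        -e "s|^[[:space:]]*#[[:space:]]*server[[:space:]]*=[[:space:]]*${PRODUCTION_URL}[[:space:]]*\$|server = ${PRODUCTION_URL}|" \
        "$ini" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Refuse to install the result unless production is the only active server.
    if [ "$(active_servers "$tmp")" != "$PRODUCTION_URL" ]; then
        rm -f "$tmp"
        echo "refusing to write: active server is not exactly the production CA" >&2
        return 1
    fi
    cat "$tmp" > "$ini" && rm -f "$tmp"   # cat keeps the file's owner and mode
}

# Constructed demo on a temporary copy of the default section shown above.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '# The staging/testing server' "server = $STAGING_URL" \
        '# The productive server.' "# server = $PRODUCTION_URL" > "$f"
    use_production_ca "$f" && active_servers "$f"
    rm -f "$f"
}
demo
```

On a real system, run `use_production_ca /etc/certbot/cli.ini` as root; a file with an unexpected or missing server line is left untouched.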

Run

If you are using Apache:

sudo certbot --apache

If you are using Nginx:

sudo certbot --nginx

Certbot then reads all your existing Apache/Nginx virtual host config files and determines which domains can have SSL certificates enabled. After that, an interactive dialog appears:

Certbot dialog choose domains.png

(Sorry for the Chinese characters in the screenshot. The left button is "OK", and the right is "Cancel".)

In the dialog above, use Up and Down to navigate and the Space key to select or unselect the domains that you want to serve over HTTPS. Then press the Enter key. Next screen:

Certbot dialog redirect.png

You can choose whether to redirect HTTP to HTTPS or not. Redirecting is recommended for security. If security is what you want, choose Secure. However, if you have some clients that require HTTP, choose Easy. Then press Enter. Next screen:

Certbot dialog success.png

You do NOT need to restart Apache or Nginx server.

Test in browser

Open your web browser, visit your website with a URL starting with "https://", and check that you get a green lock symbol before the URL and that there are no warnings.

You can also test your website on SSL Labs.

Automate renew

Let's Encrypt certificates are only valid for 90 days. To reduce your work, we recommend using Crontab to run the renew job every month.

Edit /etc/cron.d/certbot.cron, and uncomment the renew line:

# renew all certificates methode: renew
10 5 1 * *  root    /usr/bin/certbot renew
