How to Configure Let's Encrypt with acme_tiny.py

Overview

Who are you ?

You maintain one or more web Apache or Nginx servers on Unix/Linux systems. You do so by maintaining the httpd.conf by hand — ie not via a configuration wizard. You like to understand what you are doing — not just apply a recipe and hope that it works.

Why are you here ?

You have been meaning to get round to this for some time, but have not because of one or more of ...

• You don't quite understand the OpenSSL configuration file
• You don't like Let's Encrypt's certbot — it does too much, like hacking your configuration
• You want to use acme-tiny, but need a little help
• You haven't had the time to get your head round it all.

What you will find here

Notes and scripts that will let you set this all up in about an hour.

There are a set of pages that explain what and why needs to be done, also some simple scripts to help with the setup and running of Let's Encrypt interaction. A simple template OpenSSL.cnf file is provided with explanation of how you tweak it for your site.

You will need to reconfigure Apache/Nginx in two phases.

You can start by downloading the latest LetsEncryptManage

These instructions work with both Apache 2.2 & 2.4 and also Nginx. The tar file contains some snippets of sample configuration file.

This includes acme_tiny which you can see at https://github.com/diafygi/acme-tiny

Pages in this tutorial

1. Big picture — why do we SSL need certificates anyway ?
2. How Let's Encrypt works
3. OpenSSL Certificate families and Let's Encrypt Accounts
4. Overview of how phcl_acme works with acme_tiny
5. Install of phcl_acme
6. Understanding and generating OpenSSL.cnf files
7. First edit of Apache configuration — for Let's Encrypt challenge-response
8. Generate, test & ask Let's Encrypt to sign a Certificate Signing Request
9. Second edit of Apache configuration to install certificates
10. Ongoing maintenance
11. Chaining Let's Encrypt Certificates
12. Using Let's Encrypt certificates in a non web environment