SSL certificate from Lets Encrypt in manual mode

In this post, we will obtain Let’s Encrypt SSL certificate in manual mode.

For Which Occassion?

If we don’t have ssh access to the target web server or we’d like to obtain a certificate on a machine other than the target web server and install it manually on the target machine, we can obtain the certificate in manual mode running certbot. But to install SSL certificate in your web domain, the web host must support SSL manager.

Here I’m working through on a Linux machine.

Process to get SSL certificate

First we will download Let’s Encrypt.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Now we’ll initiate manual process to obtain certificate only with certonly (obtain certificates only and don’t install) with manual flag.

./letsencrypt-auto certonly --manual

Let’s Encrypt requires root privileges to run. So we will be prompted to enter account password.

Then we will be asked to enter the domain name(s) separated with comma(,) or space for multiple domain names.
We will be then asked if we are OK with our IP being logged.

Then we are required to verify your ownership of the domain. For that, we must have a specified URL with the specified content as described in our web server. For that, we will create a directory name .well-known in public_html and another directory named acme-challenge within .well-known directory in webserver. Then create a file with specified content and file name inside the acme-challenge directory.

mkdir .well-known
cd .well-known
mkdir acme-challenge
cd acme-challenge

public_html
|-- .well-known
    |-- acme-challenge

To verify that we have created the file with the specified content in web server, try browsing the specified url in a web browser. If we get the specified content on browsing, we are good to go. Then we continue by hitting Enter key in Let’s Encrypt window. This process must be repeated for all subdomains we submitted before in domain section for the verification.

Then if all went good, a success message will be displayed with the location of the certificate in our local machine, meaning we have successfully verified the ownership of our domains.

Now what we have left to do is to upload the certificate and key to our web server and install the certificate.

To renew certificates, simply run ‘./letsencrypt-auto renew’.