18 comments

[ 3.5 ms ] story [ 58.8 ms ] thread
I was going to ask about browser trust but their FAQ (https://community.letsencrypt.org/t/frequently-asked-questio...) addressed it. If others are curious:

> Are certificates from Let’s Encrypt trusted by my browser?

The short answer is “yes”.

The long answer is that our issuing intermediates are cross-signed by a widely trusted IdenTrust root531. This allows our certificates to be trusted while we work on propagating our own root. Most platforms that trust that root should trust Let's Encrypt certs. One notable exception is Windows XP, which currently doesn't accept our intermediate630.

The configuration listed unfortunately doesn't work for the www version of the domain - Let's Encrypt requires individual certificates for the naked domain and each subdomain, including www.

Nginx configuration needs to handle the two (or more, depending on subdomains) certificates.

Let's Encrypt is a great initiative and hope that they can support nginx auto-renewal!

> Let's Encrypt requires individual certificates

That's not accurate - you can have up to n[0] domains on a single certificate

[0]: I don't remember the exact number, but it's more than 2 at least.

excellent stuff...install and ran their package on my box with apache2 and was SSL'd in 2 minutes flat. will visit again.
How do I get this to work on a shared webserver? I don't have root and need a cert I can upload on their backend system, so more than 90 days would be a requirement.
Lets Encrypt only generates certs with a 90 day expiry, so if longer than that is a requirement for you then you need to look elsewhere.

You won’t be able to use the automated letsencrypt scripts to generate a cert either - you’ll have to use something like acme-tiny (it’s on github) and edit it to upload the proof-of-site-ownership challenge files to the appropriate place on your shared hosting (unless the letsencrypt script already lets you do this? Worth a quick look.)

Thanks for the tutorial!
I've built a small Ansible role to generate a certificate and configure it for automatic monthly renewal.

It isn't really set up to handle all possible scenarios, so I only made it available as a gist as opposed to a full role available in the Ansible Galaxy. For example, it expects an Apache virtual host to be configured already instead of allowing Let's Encrypt handle it - I do this in another role specifically set up to handle Apache.

https://gist.github.com/JamesChevalier/a5d78be0febfe505a7e5