[Updated 11/17 to reflect deprecation of Let’s Encrypt Mac OSX client.]

What’s not to love about the free SSL certificates from Let’s Encrypt? They’re pretty simple to install, they’re secure, and — best of all — they’re free.

The only downside is that they’re good for just 90 days (they do have their reasons) so renewal is a process one will get used to pretty quickly.

Need to deploy a Let’s Encrypt SSL certificate?

Before you begin, you’ll need:

• SSH access to the GoDaddy account enabled and, ideally, secured with a public / private key
• Certbot (and all dependencies) installed locally

Generating the certificates

1. Initiate certbot:

   sudo certbot certonly --manual

2. Enter the root password when prompted.
3. Enter the domain(s) when prompted:

   Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel):

   If the site has an htaccess redirect from www to non-www (or vice versa) only include the non-redirected domain configuration. If, for example, our site is being redirected from www to non-www, only enter the non-www version of the domain.

   If you generate the certificate with both www and non-www versions of the domain included where only one is supported, the certificate will fail on verification.

4. When prompted, type Y to accept having your IP address logged with the certificate request. (Assuming you are. If you aren’t, fire up your VPN and Tor and restart the process.)
5. Cerbot will return a block of text like this (specific data replaced with [description]):

   ------------------------------------------------------
   Create a file containing just this data:
   
   [filename].[key]
   
   And make it available on your web server at this URL:
   
   http://[domain]/.well-known/acme-challenge/[filename]
   
   -------------------------------------------------------
   Press Enter to Continue

6. In a second Terminal window, SSH to the remote host and navigate to the root web directory for this domain. If the domain being secured is the primary domain being hosted, this would be ~/public_html.
7. Create the necessary directories:

   mkdir -p .well-known/acme-challenge

8. Create the challenge file and write the data to it:

   printf "%s" [filename].[key] > .well-known/acme-challenge/[filename]

9. Change permissions of the generated file:

   chmod -R 0644 .well-known

10. Back in the first Terminal window, press ENTER. You should receive a success message:

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/[domain]/fullchain.pem.
       Your key file has been saved at:
       /etc/letsencrypt/live/[domain]/privkey.pem
       Your cert will expire on [YYYY-MM-DD]. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
    

    If you don’t, see Troubleshooting below.

Updating the certificates

Now that the certificates have been successfully generated, it’s time to update them on the site.

1. Log into your GoDaddy account, then click through to the cPanel (click the + next to Web Hosting, then click the green MANAGE button for the domain you’re securing).
2. Scroll down to “Security” and click “SSL/TLS”.
3. Under “Install and Manage SSL for your site (HTTPS)” click the “Manage SSL sites.” link.
4. Scroll down to the domain you’re securing, then click the “Update Certificate” link in the “Actions” column on the right.
5. Back in the first Terminal window, open fullchain.pem in an editor:

   sudo cat /etc/letsencrypt/live/[domain]/fullchain.pem

6. The file will contain 2 certificates, each starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. Copy the entirety of the first certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags, then exit the editor.
7. Paste the certificate text into the “Certificate: (CRT)” textarea. A green checkmark should appear to the right of the textarea, as well as a green “Autofill by Certificate” button.
8. Click the green “Autofill by Certificate” button. This should autofill the Certificate Authority Bundle in the third textarea. If not, cut and paste the second certificate from your Terminal window into the third textarea.
9. Back in the first Terminal window, close fullchain.pem, then open privkey.pem in an editor:

   sudo cat /etc/letsencrypt/live/[domain]/privkey.pem

10. Copy the entire contents of the file, then exit the editor.
11. Paste the text into the “Private Key (KEY)” textarea. A green checkmark should appear to the right of the textarea.
12. Scroll down to the bottom of the page and click the green “Install Certificate” button. All going well you should see a success message.
13. Test the SSL to confirm everything’s properly set up.

A final, optional step is to return to the SSL Manager, then click “Certificates (CRT)”. This will load an overview of all certificates installed for this domain. Click the “Delete” link in the “Actions” column (far right) for any expired or soon-to-expire certificates.

You have 90 days until the process will need to be repeated.

Troubleshooting

Try loading the test URL in a browser, as provided in the initial output:

http://[domain]/.well-known/acme-challenge/[filename]

Another way of testing for this file is by using wget from the command-line, in a terminal window:

wget http://[domain]/.well-known/acme-challenge/[filename]

I prefer this method as you can view the actual response from the server, instead of just your site’s 404 error page.

Assuming you receive a 404 error, here are some possible causes:

1. The file isn’t there
   Confirm this by navigating to ~/public_html/.well-known/acme-challenge/ and looking for the appropriately-named file. If not found, run the printf command again.
2. The file or containing directory has been created with excessively-restrictive permissions
   Reset permissions (recursively) via the command-line: chmod -R 0644 ~/public_html/.well-known/
3. Interference from rewrite rules
   If you have rewrite rules in your .htaccess file that might affect viewing that file — such as redirecting from HTTP to HTTPS or preventing access to files and folders starting with a dot — comment out those rules one by one, running the wget command after each, until the problem is solved. Don’t forget to uncomment any rules after you’ve verified the file and generated your keys.