Let's Encrypt

Certbot, previously known as the Let's Encrypt client, is a certificate authority client.

From the official website: "Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands."

Preliminary
Point an external IP address at a web server listening on HTTP (port 80/TCP) and HTTPS (port 443/TCP), and set up DNS for it. This is important: you have to prove that you control the IP address/domain. You could use dynamic DNS if necessary.

certbot
app-crypt/certbot: Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server. Certbot can automatically configure your web server to start serving over HTTPS immediately.

acme-tiny (optional)
app-crypt/acme-tiny: a short, auditable Python script which avoids a lot of the bloat included in the official certbot client:

acme.sh (optional)
Another alternative available in Gentoo is the acme.sh client:

Automatic configuration for existing web server
Run certbot with the corresponding web-server plugin and domain. Certbot automatically changes the vhost configuration. For example, for nginx:

Automatic signing with temporary certbot web server
In this configuration certbot starts a wizard and then starts up a temporary web server instance in order to obtain signed certificates. Choose the second option in the list, and follow the wizard. If an existing web server is running, stop it before running this mode, then restart it when finished.

Manual certonly configuration
Run certbot with the corresponding web-server plugin and domain, with the certonly option:

Configure your virtual host. For example, for nginx:

acme-tiny
The documentation on acme-tiny is the best place to look for the most up to date information, but has been summarized below:

Make a directory for challenges to be created in:

Add this to the Apache HTTP vhost, i.e. the port 80 vhost:

Set these in the Apache HTTPS vhost, i.e. the port 443 vhost:

Make a directory to hold the various files related to LE:

Create an account key, domain key and a CSR (replace www.example.co.uk with your host name):

Register and create the certificate file:

Reload the web server configuration:

or

or

Sample renewal script:

Add a monthly cron job:
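As an added example (not the wiki's own script), the following renewal script ties the acme-tiny steps above together for the monthly cron job: it skips certificates that still have enough lifetime left, and only replaces the live certificate after the new chain parses and matches the domain key, so a failed run never leaves the vhost with a broken certificate. The paths, the `acme-tiny` command name and the OpenRC reload command are assumptions; adjust them to your layout.

```sh
#!/bin/sh
# Assumed layout (adjust): account key, per-domain key, CSR and certificate
# live in $LE_DIR as account.key, DOMAIN.key, DOMAIN.csr and DOMAIN.crt.
set -eu
LE_DIR="${LE_DIR:-/etc/letsencrypt}"                   # assumption
CHALLENGE_DIR="${CHALLENGE_DIR:-/var/www/challenges}"  # assumption
ACME_TINY="${ACME_TINY:-acme-tiny}"                    # assumption: script on PATH
RELOAD_CMD="${RELOAD_CMD:-/etc/init.d/apache2 reload}" # OpenRC; adjust for nginx
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-30}"

# Returns 0 (true) when the certificate is missing or expires within $2 days.
needs_renewal() {
    cert="$1"; days="$2"
    [ -f "$cert" ] || return 0
    # -checkend exits non-zero if the cert expires within the given seconds
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Returns 0 when the leaf certificate in $2 belongs to the private key in $1,
# compared via the SHA-256 of their DER-encoded public keys.
key_matches_cert() {
    key_fp=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    cert_fp=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
              | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_fp" ] && [ "$key_fp" = "$cert_fp" ]
}

# Renews one domain; the old certificate stays in place until the new one is verified.
renew_domain() {
    domain="$1"
    key="$LE_DIR/$domain.key"; csr="$LE_DIR/$domain.csr"; cert="$LE_DIR/$domain.crt"
    if ! needs_renewal "$cert" "$RENEW_BEFORE_DAYS"; then
        echo "$domain: more than $RENEW_BEFORE_DAYS days left, skipping"
        return 0
    fi
    tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
    "$ACME_TINY" --account-key "$LE_DIR/account.key" --csr "$csr" \
                 --acme-dir "$CHALLENGE_DIR" > "$tmp"
    openssl x509 -noout -in "$tmp"   # abort if the output is not a certificate
    key_matches_cert "$key" "$tmp"   # abort if it was not issued for our key
    mv "$tmp" "$cert" && chmod 644 "$cert"
    $RELOAD_CMD
    echo "$domain: renewed"
}

# Usage: renew.sh www.example.co.uk [more domains...]; run it monthly from cron.
[ $# -eq 0 ] || for domain in "$@"; do renew_domain "$domain"; done
```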

Renewal
Let's Encrypt certificates only last 90 days before expiry; thankfully it is easy to renew them. Run the renewal command to automatically renew all certbot certificates on the system. It is recommended to run this from a cron job every 60 days.

To renew just a specific domain, run:

acme-tiny
For those who are not interested in using scripts, or who want to configure things manually the first time, the author of acme-tiny has provided a web page that gives step-by-step instructions along with JavaScript to help walk you through setting up your certificates. The guide may be found on the Get HTTPS for Free website.

External resources

 * Manual installation - In the event manual installation is preferred. Note: Portage will not track the installation if Let's Encrypt is installed manually; this is not recommended by Gentoo developers.