certbot, previously known as the Let's Encrypt client, is a free, automated, and open certificate authority client.
From the official website: "Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands."
Point an external IP at HTTP (port 80/TCP) and HTTPS (port 443/TCP) on a web server and set up DNS for it. This is important: you have to prove you control the IP/domain. You could use dynamic DNS if necessary.
The ebuild for the official client can be tricky to set up. It is helpful to read the official documentation and official installation instructions (select Gentoo from the Operating System dropdown) before proceeding with this article.
emerge --ask app-crypt/certbot
app-crypt/acme-tiny is a short, auditable Python script which avoids a lot of the bloat included in the official client.
It is currently available in the NP-Hardass' overlay:
layman -a np-hardass-overlay
emerge --ask app-crypt/acme-tiny
The documentation on  is the best place to look for the most up to date information, but has been summarized below:
Make a directory for challenges to be created in:
Add this to the Apache http vhost, i.e. the port 80 vhost:
Alias /.well-known/acme-challenge/ /var/www/localhost/acme-challenge/
<Directory /var/www/localhost/acme-challenge/>
    AllowOverride None
    Require all granted
</Directory>
Set these in the Apache https vhost, i.e. the port 443 vhost:
SSLCertificateFile /var/lib/letsencrypt/chained.pem
SSLCertificateKeyFile /var/lib/letsencrypt/domain.key
Make a directory to hold the various files related to LE:
Create an account key, domain key and a CSR (replace www.example.co.uk with your host name):
openssl genrsa 4096 > account.key
openssl genrsa 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/CN=www.example.co.uk" > domain.csr
Register and create the various certificate files (check which intermediate certificate Let's Encrypt currently uses before downloading it):
/usr/bin/acme-tiny --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/localhost/acme-challenge/ > ./signed.crt
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
Reload configs for webserver:
service apache2 reload
service nginx reload
service lighttpd reload
Sample renewal script:
#!/bin/sh
# Request a freshly signed certificate; stop here if acme-tiny fails
/usr/bin/acme-tiny --account-key /var/lib/letsencrypt/account.key --csr /var/lib/letsencrypt/domain.csr --acme-dir /var/www/localhost/acme-challenge/ > /var/lib/letsencrypt/signed.crt || exit
# Fetch the current intermediate (absolute path, since cron does not run the script from /var/lib/letsencrypt)
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /var/lib/letsencrypt/intermediate.pem
# Rebuild the chain the vhost points at and reload the web server
cat /var/lib/letsencrypt/signed.crt /var/lib/letsencrypt/intermediate.pem > /var/lib/letsencrypt/chained.pem
service apache2 reload
Add a monthly cron job:
# Renew Lets Encrypt certificate
0 0 1 * * /usr/local/bin/renew-le-cert.sh 2>> /var/log/acme_tiny.log
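As an added example (not the wiki's script and not part of acme-tiny), a stricter version of the renewal script above: it skips renewal while the certificate still has more than 30 days left, writes the new certificate to a separate file so a failed run does not truncate the live one, checks that the certificate acme-tiny returned actually belongs to domain.key, and replaces chained.pem atomically. The helper names and the 30-day threshold are my choices; the paths and intermediate URL are those used on this page.

```shell
#!/bin/sh
# Added example, not the wiki's script: renew only when needed, verify the
# new certificate against domain.key, and replace chained.pem atomically.
# Paths and the intermediate URL are the ones used on this page.
LE_DIR=/var/lib/letsencrypt
ACME_DIR=/var/www/localhost/acme-challenge/
INTERMEDIATE_URL=https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

# True (0) when certificate $1 is missing or expires within $2 days.
# openssl -checkend exits 0 only while the cert stays valid that long.
cert_needs_renewal() {
    openssl x509 -noout -checkend $(($2 * 86400)) -in "$1" >/dev/null 2>&1 && return 1
    return 0
}

# True (0) when the public key in certificate $1 matches private key $2;
# guards against deploying a cert issued for a CSR from a different key.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Write leaf $1 + intermediate $2 to $3 via a temp file and rename, so the
# web server never reads a half-written chain.
install_chain() {
    tmp="$3.tmp.$$"
    cat "$1" "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv -f "$tmp" "$3"
}

renew_cert() {
    # Let's Encrypt certs are valid 90 days; renew once under 30 remain.
    cert_needs_renewal "$LE_DIR/signed.crt" 30 || return 0
    /usr/bin/acme-tiny --account-key "$LE_DIR/account.key" \
        --csr "$LE_DIR/domain.csr" --acme-dir "$ACME_DIR" \
        > "$LE_DIR/signed.crt.new" || return 1
    cert_matches_key "$LE_DIR/signed.crt.new" "$LE_DIR/domain.key" || return 1
    wget -q -O "$LE_DIR/intermediate.pem" "$INTERMEDIATE_URL" || return 1
    mv -f "$LE_DIR/signed.crt.new" "$LE_DIR/signed.crt" || return 1
    install_chain "$LE_DIR/signed.crt" "$LE_DIR/intermediate.pem" \
        "$LE_DIR/chained.pem" && service apache2 reload
}

# Renew only when invoked as "renew-le-cert.sh run" (e.g. from cron).
if [ "${1:-}" = "run" ]; then renew_cert; fi
```

Invoke it from the cron line as `/usr/local/bin/renew-le-cert.sh run`; run monthly it is a no-op until the certificate enters its last 30 days.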
letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert.

Major SUBCOMMANDS are:
  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:
  (the apache plugin is not installed)
  --standalone         Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)
  --webroot            Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:
  --authenticator standalone --installer apache

More detailed help:
  -h, --help [topic]   print this message, or detailed help on a topic;
                       the available topics are:
  all, automation, paths, security, testing, or any of the subcommands or
  plugins (certonly, install, nginx, apache, standalone, webroot, etc)
- Apache - The most popular HTTP server used on the Internet.
- Nginx - A small, robust, and high-performance HTTP server and reverse proxy.
- Lighttpd - a very lightweight HTTP server.
- Manual installation - In the event manual installation is preferred. Note: Portage will not track the installation if Let's Encrypt is installed manually; this is not recommended by Gentoo developers.