
Let's Encrypt is ready for testing!

This document is ONLY for NethServer 6


The Let’s Encrypt Client is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring webservers to use them.


The Let’s Encrypt Client is BETA SOFTWARE. It contains plenty of bugs and rough edges, and should be tested thoroughly in staging environments before use on production systems.

Prerequisites for testing

1. The server must be reachable from outside at port 80.

Make sure your port 80 is open to the public Internet; you can check with sites like

2. The fully qualified name (FQDN) of the server must be a public domain name associated to its own public IP.

Make sure you have a public DNS name pointing to your server; you can check with sites like

How it works

The current implementation issues a single certificate for the server FQDN (Fully Qualified Domain Name).

When you want to access your server, you MUST always use the FQDN, but sometimes the server has multiple aliases. Let's Encrypt can add extra valid names to the FQDN certificate, so you will be able to access the server with the other names as well.


The server FQDN is: with public IP But you want to access the server also using these names (aliases): and

To make it work, the server must:

* have port 80 open to the public Internet: if you access it from a remote site you must see the NethServer landing page
* have a public DNS record for, and All DNS records must point to the public IP address


Install the packages from testing repository:

yum --enablerepo=nethserver-testing install nethserver-base nethserver-httpd nethserver-letsencrypt


Let's Encrypt configuration must be done from command line using the root user. Access the server with a monitor or connect to it with SSH.

Enable Let's Encrypt globally; this automatically enables the generation of a certificate for the FQDN. Execute:

config setprop pki LetsEncrypt enabled

The FQDN certificate can be extended to be valid also for extra domains configured as server aliases. This feature is called SubjectAltName (SAN):

Create a server alias inside the DNS page, then enable Let's Encrypt on the newly created record.

Example for alias:

db hosts setprop LetsEncrypt enabled

You can customize the following options using the config command:

* LetsEncryptMail: if set, Let's Encrypt will send notifications about your certificate to this mail address (this must be set before executing the letsencrypt-certs script for the first time!)
* LetsEncryptRenewDays: minimum number of days before expiration at which the certificate is automatically renewed (default: 30)


config setprop pki LetsEncryptMail

Since you can request a certificate at most 5 times per week, first make sure the configuration is correct by requesting a fake (test) certificate. Execute:

/usr/libexec/nethserver/letsencrypt-certs -v -t

This command will try to generate a fake certificate using the Let's Encrypt test server. If everything goes well, the output should look like this:

INFO: Using main config file /tmp/3XhzEPg7Dt
+ Generating account key...
+ Registering account key with letsencrypt...
+ Signing domains...
+ Creating new directory /etc/ ...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for
+ Responding to challenge for
+ Challenge is valid!
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!

Verify that the certificate presented on all SSL-enabled services has been signed by the Let's Encrypt CA, for example on:

If something goes wrong, please make sure all prerequisites are met!

If your configuration has been validated by the testing step, you're ready to request a new valid certificate. Execute the following script against the real Let's Encrypt server:

/usr/libexec/nethserver/letsencrypt-certs -v


Access your HTTP server and check that your certificate is valid.
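As an added example (not part of this wiki page and not code from the nethserver-letsencrypt package), the following POSIX shell script automates the verification steps above: it fetches the certificate a TLS service presents, checks that the issuer is Let's Encrypt, and checks that the FQDN and every alias appear in the SubjectAltName list. It also includes a helper to compare the remaining validity with the LetsEncryptRenewDays property. The host names, the script name and the embedded certificate text are constructed placeholders; the script assumes openssl is installed. With no arguments it checks the embedded sample so it can be tried offline.

```shell
#!/bin/sh
# Added example: verify a Let's Encrypt certificate on a NethServer host.
# Not part of the NethServer wiki page or of nethserver-letsencrypt.
# Assumes openssl is available; all names below are placeholders.

DEFAULT_ISSUER="Let's Encrypt"

# Constructed sample of `openssl x509 -noout -text` output, so the checks
# can be exercised without a live service (names are placeholders).
SAMPLE_CERT_TEXT=$(cat <<'EOF'
Certificate:
    Data:
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Subject: CN=server.example.org
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:server.example.org, DNS:mail.example.org, DNS:www.example.org
EOF
)

# Dump the certificate a TLS service presents as text.
# Usage: fetch_cert_text host [port]   (port defaults to 443)
fetch_cert_text() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text
}

# Print the DNS names from the Subject Alternative Name extension, one per
# line. Reads x509 text on stdin.
san_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 if the Issuer line contains the expected CA name (default:
# Let's Encrypt). Certificates from a test run (-t) come from the staging
# CA and carry a different issuer name; pass that name as the 2nd argument.
# Usage: issuer_matches "$cert_text" [issuer-pattern]
issuer_matches() {
    printf '%s\n' "$1" | grep -q "^ *Issuer:.*${2:-$DEFAULT_ISSUER}"
}

# Print every expected name that is absent from the certificate's SAN list.
# Usage: missing_names "$cert_text" fqdn [alias...]
missing_names() {
    cert_text=$1; shift
    present=$(printf '%s\n' "$cert_text" | san_names)
    for name in "$@"; do
        printf '%s\n' "$present" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Combined check: correct issuer and every name present. Returns 0 on success.
# Usage: cert_ok "$cert_text" fqdn [alias...]
cert_ok() {
    cert_text=$1; shift
    issuer_matches "$cert_text" || return 1
    [ -z "$(missing_names "$cert_text" "$@")" ]
}

# Return 0 if the certificate in a PEM file is still valid beyond the given
# number of days (compare with LetsEncryptRenewDays, default 30).
# Usage: still_valid_for_days /path/to/cert.pem [days]
still_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( ${2:-30} * 86400 ))
}

# Usage: sh check-le-cert.sh host fqdn [alias...]
# With no arguments the constructed sample is checked instead of a live host.
main() {
    if [ $# -ge 2 ]; then
        host=$1; shift
        cert_text=$(fetch_cert_text "$host")
    else
        cert_text=$SAMPLE_CERT_TEXT
        set -- server.example.org mail.example.org www.example.org
    fi
    if cert_ok "$cert_text" "$@"; then
        echo "OK: issued by $DEFAULT_ISSUER and valid for: $*"
    else
        echo "FAIL: issuer mismatch or names missing from the certificate:"
        missing_names "$cert_text" "$@"
        return 1
    fi
}

main "$@"
```

Run it as `sh check-le-cert.sh <fqdn> <fqdn> <alias>...` once letsencrypt-certs has completed; the first argument is the host to connect to, the rest are the names the certificate must carry. Any name printed after FAIL is an alias whose DNS record was not enabled for Let's Encrypt or whose request did not succeed.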

  • developer/letsencrypt.1459503134.txt.gz
  • Last modified: 2016/04/01 04:32
  • by Kristian