Getting a cert from

This post explains how to get your first certificate from Everyone can get a free and valid certificate for any of the domains that you own. The following steps have been tested on a fresh install of Ubuntu 14.04.

Getting the software

Let’s start with installing git. This is required to get the letsencrypt software. Note that I have been running all commands as root. Maybe this is not required for all steps, but since some of the following commands are installing software, you’ll need to have root rights for those steps.

root@certserver:~# apt-get install git

Git and all of its dependencies will now install. When finished, we use git to fetch the latest version of letsencrypt.

root@certserver:~# git clone
Cloning into 'letsencrypt'...
remote: Counting objects: 25493, done.
remote: Compressing objects: 100% (45/45), done.
remote: Total 25493 (delta 21), reused 0 (delta 0), pack-reused 25448
Receiving objects: 100% (25493/25493), 6.72 MiB | 2.91 MiB/s, done.
Resolving deltas: 100% (17859/17859), done.
Checking connectivity... done.

Now change directory and execute the main install script.

root@certserver:~# cd letsencrypt/
root@certserver:~/letsencrypt# ./letsencrypt-auto

This wil take some time and install lots of packages. After a few minutes, the installation ended and these were the last 2 lines printed.

Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt
No installers seem to be present and working on your system; fix that or try running letsencrypt with the "certonly" command

The message is displayed because no supported webserver is installed on my server. In my case that’s normal as I did not install Apache or Nginx on this freshly installed server. My only goal was to get certificates for my domain and that can be accomplished with the “certonly” command.

Requesting your first certificates

Note that I added the “-t” option to stay in text mode and not ncurses. Just to make it easier to copy and paste the output on this document.

 root@certserver:~/letsencrypt# ./letsencrypt-auto certonly -t
Enter email address (used for urgent notices and lost key recovery) (Enter 'c'
to cancel):

Give them your email address.
Next you’ll have to read and agree to the Term of Service. After you accept the ToS, pay attention to the most important step of the process. You have to enter your domain names.

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):

I suggest to list all domains for which you would to request a certificate. In my case this would be

If all went fine, you’ll see the following message.

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your cert will
   expire on 2016-03-09. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          


Possible errors

Failed authorization procedure. (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge.

If you get this error check these 2 things:

  • Is the domainname resolving to the IP address of the server?
  • Is the server reachable on port 80 and 443 from the internet?
    These 2 items are required to check ownership of the domain. And obviously you need to control the domain to get a cert from

  • 1 thought on “Getting a cert from

    1. Pingback: HPKP with Letsencrypt certificates - Thomas Elsen Security Blog

    Leave a Reply

    Your email address will not be published. Required fields are marked *