Configuring a host to use a free certificate from Let's Encrypt

In this quick tutorial, we explain how to create an ACME account which will later be used to request, install, and renew free certificates automatically from Let's Encrypt.

ACME? Let's Encrypt?

Some quick definitions are required before diving in the tutorial:

  • ACME is the name of the communication protocol that is used between a client and a automated certificate authority to request and retrieve SSL/TLS certificates with no (or very little) human interaction.
  • Let's Encrypt is a certification authority that provides free certificates using the ACME protocol. Although the service is free, the certificates are recognized by all modern browsers similarly to those delivered by classical certification authorities who charge to deliver theirs.

Creating a private key for the ACME account

  • Open the console
  • Select SSL/TLS certificates
  • Press Add in the Private Keys table
  • In the displayed form, enter LE Key in Name
  • Set Action to Generate
  • Set Type to RSA 2048. You can choose a higher key length but 2048 is the recommended length for such uses. Note that any value equal or below 1024 will not be accepted by the ACME certificate authority later on.
  • Press OK.

A new private key named LE Key should now be available in the private keys table.

Declaring an ACME account

  • Now press Edit in front of the ACMEBot Parameters
  • Press Add in the ACME Accounts table
  • In the displayed form, enter LE Account in Name
  • Set Directory URL to Let's Encrypt ACME v2
  • Set Private Key to LE Key (the name of the private key generated previously)
  • Set Contact Email to your email address. This address will be used by the Let's Encrypt certification authority to notify you about certificate issues and renewals.
  • Press OK to finish declaring the account.
  • Press OK twice to go back to the main console screen

Configuring a host to use an ACME certificate

  • In the console's main screen, locate the Hosts table
  • Press Configure associated with the host that will use an ACME certificate
  • Click on the General icon
  • Set Protocol to HTTPS or HTTP+HTTPS
  • Set Certificate Type to From an ACME account
  • Set ACME Account to the LE Account (the name of the account created previously)
  • Ensure that the host has at least one name in the Host Names table. If the host has many names, a certificate with multiple domain names will be generated. If the host has a wildcard name associated with it such as *, some restrictions may apply by Let's Encrypt which will only deliver a certificate for * and
  • Press OK
  • Press Restart

After a server restart, the Hosts table will show the updated host with a Status containing HTTPS: Waiting for certificate. You can also check the state of the ACMEBot by selecting SSL/TLS certificates in the console and then pressing View next to ACMEBot Status.

The ACMEBot Status s/creen will report queued operations, certificates that require that you perform a manual challenge to prove you have control over a domain name, and errors. That screen is refreshed every 10 seconds.

If everything goes fine, after a few seconds, the ACMEBot will negotiate with the Let's Encrypt certification authority a new certificate and it will restart the server automatically after installing it. In such a case, the host's status will report Running.

See also

Keep in touch with us

Sign up for our low volume newsletter to get product announcements, articles and power tips.