How to obtain TLS certificate using ACME protocol on Linux

The following tutorial explains the automatic acquisition and subsequent deployment of a certificate on your Linux server using Certbot, an automated tool for the management and renewal of certificates. These instructions cover the Apache web server in particular; however, Certbot is available for nginx, HAProxy and Plesk servers as well. It is distributed under an open-source licence and is therefore free to use.

Preparing to obtain the certificate

In order to enable automated certificate acquisition and deployment, you need to contact our Technical Support first and complete a simple procedure that is carried out individually for each customer.

  • The first step is the authorization of you and the domains you would like to secure. This is done together with SSLmarket Support, which handles the authorization.
  • After successful authorization, we create a unique ACME Directory URL at the certification authority. This URL is used by your ACME client (Certbot in this case) to obtain the certificate. The ACME Directory URL is unique for each customer and product; a single URL cannot be used for several customers.

Preparing Certbot on the server

Install Certbot on your server. We recommend using the plugin appropriate for your web server type. Plugins make it easier to select the target site for deploying the certificate and can work directly with the server configuration, which simplifies certificate installation.

Note: Visit the official Certbot homepage and follow its step-by-step installation instructions for your distribution and web server.

Issuing and installing certificates

In a terminal, request the certificate by entering the command below (replace the quoted placeholder with the ACME Directory URL you received from Support):

sudo certbot --apache --register-unsafely-without-email --server "Your ACME Directory URL" -d www.domainname.cz -d domainname.cz

The command works in this manner:

  • certbot – runs Certbot
  • --apache – selects the Apache plugin, which also installs the certificate
  • --register-unsafely-without-email – registers the ACME account without an e-mail address, so the account-creation prompt is skipped
  • --server – selects the ACME server used to fulfil your request, given by the ACME Directory URL
  • -d – full domain name for which you want the certificate issued. If you omit this parameter, Certbot prompts you to confirm which domain names to include in the request, based on the vhost configuration
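Because the ACME Directory URL is customer-specific, it is worth checking what it serves before handing it to Certbot. The following added example (my code, not SSLmarket's or Certbot's) validates a directory document against the endpoints RFC 8555 requires, flags non-TLS endpoints and the externalAccountRequired metadata, and assembles the tutorial's certbot command with the domain names checked. The directory JSON and the acme.example.invalid host are constructed; in a live check you would fetch the JSON from the URL Support gives you.

```python
import json
import re

# Endpoints an ACME directory object must advertise (RFC 8555, section 7.1.1).
REQUIRED_ENDPOINTS = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def check_directory(doc: dict) -> dict:
    """Report missing endpoints, non-TLS endpoints and account metadata."""
    missing = [k for k in REQUIRED_ENDPOINTS if k not in doc]
    # Every endpoint must be https; ACME is only defined over TLS.
    insecure = [k for k, v in doc.items() if k != "meta" and not str(v).startswith("https://")]
    meta = doc.get("meta", {})
    return {
        "ok": not missing and not insecure,
        "missing": missing,
        "insecure": insecure,
        # If true, the CA expects External Account Binding credentials in addition to the URL.
        "external_account_required": bool(meta.get("externalAccountRequired", False)),
        "terms_of_service": meta.get("termsOfService"),
    }

def valid_domain(name: str) -> bool:
    """Accept plain hostnames only; certbot takes one FQDN per -d flag."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)

def build_certbot_argv(server_url: str, domains: list) -> list:
    """Assemble the tutorial's certbot command as an argv list (no shell quoting problems)."""
    if not server_url.startswith("https://"):
        raise ValueError("refusing non-https ACME Directory URL")
    bad = [d for d in domains if not valid_domain(d)]
    if bad or not domains:
        raise ValueError(f"invalid domain name(s): {bad or 'none given'}")
    argv = ["certbot", "--apache", "--register-unsafely-without-email", "--server", server_url]
    for d in domains:
        argv += ["-d", d]
    return argv

# Constructed sample directory (hypothetical host): keyChange is missing and
# revokeCert is served over plain http, so the check must report both.
SAMPLE_DIRECTORY = json.loads("""{
  "newNonce": "https://acme.example.invalid/acme/new-nonce",
  "newAccount": "https://acme.example.invalid/acme/new-account",
  "newOrder": "https://acme.example.invalid/acme/new-order",
  "revokeCert": "http://acme.example.invalid/acme/revoke-cert",
  "meta": {"termsOfService": "https://acme.example.invalid/terms", "externalAccountRequired": false}
}""")
```

Run `check_directory` on the real document first; only when it reports `ok` (and you hold the extra credentials if `external_account_required` is true) pass the URL to `build_certbot_argv` and execute the result with `subprocess.run`.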

After entering the command, you will be asked whether you want to enable a forced redirect from HTTP to HTTPS on the domain:

Output:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Enter the number and confirm it by pressing ENTER. Your configuration will be written and takes effect after the web server restarts. Afterwards, you will be informed that your request was fulfilled successfully and where your certificates are located:

Output:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
expire on 2017-10-23. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Certbot also installs the necessary intermediate certificate. You can use our online tool to verify that the certificate is installed correctly.

General notes

There are several rules restricting the automation of certificate issuance; please pay attention to the following:

  • DV certificates are currently not supported
  • Authorization of the company and its domains is needed before certificates can be issued
  • Verification of the domains needs to be done first. It consists of two steps:
    1. DCV, domain validation (e-mail, DNS TXT record)
    2. The verified domain is assigned to the verified company and can then be used by that company
  • The ACME Directory URL is unique for each product and company, so you may need several URLs

This tutorial covers the typical scenario; please take your individual server settings into account.