Get HTTPS for free! Update: Added wildcard certificate support!

ERROR: Your browser is not compatible with this website (this website needs WebCryptoAPI's crypto.subtle.digest()). Please upgrade to a modern browser (Firefox, Chrome, Safari, Edge, IE 11+).

NEVER asks for your private keys. Never trust a website that asks for your private keys! You can now get free https certificates (incuding wildcard certificates) from the non-profit certificate authority Let's Encrypt ! This is a website that will take you through the manual steps to get your free https certificate so you can make your own website use https! This website is open source andasks for your private keys. Never trust a website that asks for your private keys!

NOTE: This website is for people who know how to generate certificate signing requests (CSRs)! If you're not familiar with how to do this, please use the official Let's Encrypt If you're not familiar with how to do this, please use the official Let's Encrypt official client that can automatically issue and install https certificates for you. This website is designed for people who know what they are doing and just want to get their free https certificate.

If you need to renew a certificate, simply complete these steps below again.

Step 1: Account Info

Let's Encrypt requires that you register an account email and public key before issuing a certificate. The email is so that they can contact you if needed, and the public key is so you can securely sign your requests to issue/revoke/renew your certificates. Keep your account private key secret! Anyone who has it can impersonate you when making requests to Let's Encrypt!

Step 2: Certificate Signing Request

This is the certificate signing request (CSR) that you send to Let's Encrypt in order to issue you a signed certificate. It contains the website domains you want to issue certs for and the public key of your TLS private key. Keep your TLS private key secret! Anyone who has it can man-in-the-middle your website!

Step 3: Sign API Requests (waiting...)

Let's Encrypt requires that you sign all of your requests to them with your account private key. Below are the requests that you will need to sign. The commands to do this are generated below so you can copy-and-paste them into your terminal. Be sure to change the account private key location so it points to your real private key.

Step 4: Verify Ownership (waiting...)

Let's Encrypt requires you prove you own the domains you have in your CSR. You can do this by serving a specific file at a specific url under your domains. Below are the files you need to serve along with some copy-and-paste commands you can run on your website to start serving the file. Once you are serving the file on your website, click "I'm now running this on...". After that, you need to tell Let's Encrypt to check the above files to verify ownership of your domains. This request needs to be signed with your account private key. Below are the verification requests that you will need to sign. The commands to do this are generated below so you can copy-and-paste them into your terminal. Be sure to change the account private key location so it points to your real private key. (how do I do this?)



How to generate this signature:

Copy and paste the command below into your terminal (if your account private key isn't at "./account.key", change "./account.key" in the command to wherever it exists). Copy and paste the hex encoded signature output from the command into the text field below that command. This command requests the challenges you need to complete in order to make sure you control a domain in your certificate order.How to generate this signature: Load set of challenges ( / ):





Challenges: not loaded yet Challenges for: foobar.com Option 1 - python server Option 2 - file-based Option 3 - DNS record

(how do I do this?)

SSH into your domain as someone with sudo permissions:

ssh ubuntu@foobar.com Stop any webserver running on port 80, if any. If you had previously been running another python command, you can kill it with Ctrl+C):

sudo service nginx stop <-- example for nginx

sudo apachectl -k graceful-stop <-- example for apache Copy and paste the python command below into your terminal. This command starts a temporary webserver that serves nothing but the challenge response. You only need to keep this running briefly. Open the link in a new window to make sure it's working:

http://foo.com/.well-known/acme-challenge/aaaaaaaaaaa Click "I'm now running this command..." button when the file is being served on your domain. How to serve the challenge response on your domain: Run this command on foobar.com 's server:

(how do I do this?)

SSH into your domain as someone with write access to your static web directory:

ssh ubuntu@foobar.com Create the ".well-known/acme-challenge/" directory in your webserver's static file path:

mkdir -p /path/to/www/.well-known/acme-challenge/ Add the static folder to your webserver's config (if you haven't already):

server {... Create the file with the necessary contents:

echo ... Open the link in a new window to make sure it's working:

http://foo.com/.well-known/acme-challenge/aaaaaaaaaaa Click "I'm now serving this file..." button when the file is being served on your domain. How to host this file on your server: Under this url:

Serve this content: (how do I do this?)

Log into your domain name provider. Create a new DNS record on foo.com :

Type:

TXT Name/Host/Alias:

_acme-challenge Value/Answer/Destination:

aaaaaaaaaaaaaaaaaaaaaa Time to Live (TTL):

900 Wait until the TXT record is being served (this can take a while).

dig +short @ns.yournameserver.com _acme_challenge.foo.com TXT Click "I can see the TXT record..." button when you can see that new TXT record has propagated. How to set this DNS record: Under this DNS domain:

Set this TXT record:

Step 5: Install Certificate ( waiting... )