Let’s Encrypt And WoSign – How To Get A Valid SSL Certificate Absolutely Free

Update 05.12.2015: Let’s Encrypt without ssh and renew/revoke instructions

Today an SSL certificate from the top SSL providers costs ~$50-100 – big money for non-commercial websites and bloggers. But some people can change that right now. In this article I give a practical guide to getting a free-as-in-beer certificate for your blog, website or e-mail. There are two ways:

Let’s Encrypt

Let’s Encrypt – a certificate authority that provides free X.509 certificates for TLS encryption. Founders and sponsors – Electronic Frontier Foundation (EFF), Akamai, Mozilla Foundation, Cisco, Linux Foundation and many others. Let’s Encrypt owns an RSA root certificate cross-signed by the IdenTrust certificate authority.

Note: The service is currently in public beta and is not recommended for enterprise use. All certificates are valid for 90 days only. The official LE client can get, install and renew certificates automatically – this is the way recommended by the LE developers.

We need: a Linux distribution and either ssh access to our server or access to its DNS records.
Let’s Encrypt has an official client (warning: works only with Python 2.6): https://github.com/letsencrypt/letsencrypt

Git installation:

# dnf install git
// or
# apt-get install git

Clone Let’s Encrypt repository and run the client:

$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto --help

If you have an Apache web server on a Debian-based Linux distribution, you can try the Apache module with automated installation and renewal:

./letsencrypt-auto --apache --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

The -a manual flag lets you generate certificates without installing them.

Now you need to verify your rights to the domain:

After verification you can find your certificate in /etc/letsencrypt/live/$domain. Please read the official documentation and remember the 90-day validity period.

Alternative way: letsencrypt-nosudo – a helpful tool if you don’t have superuser access on your server. Requirements – openssl and Python.
Here is an example:

// generate the domain key & csr, account keypair and sign the domain csr
$ openssl genrsa 4096 > user.key
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)
tmmm: ~/letsencrypt-nosudo $ openssl rsa -in user.key -pubout > user.pub
writing RSA key
tmmm: ~/letsencrypt-nosudo $ openssl genrsa 4096 > domain.key
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)
tmmm: ~/letsencrypt-nosudo $ openssl req -new -sha256 -key domain.key -subj "/CN=tlhp.ml" > domain.csr
tmmm: ~/letsencrypt-nosudo $ python sign_csr.py --public-key user.pub domain.csr > signed.crt
Reading pubkey file...
Found public key!
Reading csr file...
Found domains tlhp.ml
STEP 1: What is your contact email? (webmaster@tlhp.ml) email@myemail.com
Building request payloads...
STEP 2: You need to sign some files (replace 'user.key' with your user private key).

openssl dgst -sha256 -sign user.key -out register_3a1iaw.sig register_ITC5IA.json
openssl dgst -sha256 -sign user.key -out domain_jchtaF.sig domain_pwoyVK.json
openssl dgst -sha256 -sign user.key -out challenge_4n2BsS.sig challenge_nRKyfd.json
openssl dgst -sha256 -sign user.key -out cert_N_lyFI.sig cert_hYuJbv.json

Press Enter when you've run the above commands in a new terminal window...
Registering email@myemail.com...
Already registered. Skipping...
Requesting challenges for tlhp.ml...

STEP 3: You need to sign some more files (replace 'user.key' with your user private key).

openssl dgst -sha256 -sign user.key -out response_BTE3Yg.sig response_P87FDi.json

Press Enter when you've run the above commands in a new terminal window...
STEP 4: You need to run this command on tlhp.ml (don't stop the python command until the next step).

sudo python -c "import BaseHTTPServer; \
    h = BaseHTTPServer.BaseHTTPRequestHandler; \
    h.do_GET = lambda r: r.send_response(200) or r.end_headers() or r.wfile.write('{\"header\": {\"alg\": \"RS256\"}, \"protected\": \"eyJhbGciOiAiUlMyNTYifQ\", \"payload\": \"ewogICAgInRscyI6IGZhbHNlLCAKICAgICJ0b2tlciI6ICJkbzVaWkMwMHVwZmNFD0tjeEhzOGNyS2FNaE02UFdBdTMtMnVwZ00zRG00IiwgCiAgICAidHlwZSI6ICJzaW1wbGVIdHRwIgp9\", \"signature\": \"Gp5V68da_XdC96piXs1YOhrv4USOQBNnhIL-CMmxvKSigmxAJ8z00xsgWS6nsYD8LPpMVa3GkXhb10qfbymPiWhtMpMYD31kMLFwgpHrY9xkiNP-WK9Zljz6L-WAzxCOmF1Ov71z_75iEJij86E2f9EmTjDlmDmGAjP9lziII42uyyjjIZg9claU1GtFZUrfXd-uNHHEGHFUpoyLHQcyWCP1T04Xx4q4dY51VeOJNOmIv9csIjkbOma7EqFMAHwYAplAUE45FQ5N9lJvpymD49BoEgQj_kjH-UPnxO3q0QB0i-MJJCiwQYAhMKV618jV9rNE181zJ1FRkX48knMzqoE4oG3yEFUg2D_vAdFG3VCuotnuxrZ7BEzDPWyEm0z8XakxWQW-xHSADtKWRr1qsQCy7qVsoAKnVFQ_1b4rAzET1YfrmhSH4MVhMB5n9tOnjtPQ0OsJVbf0oVLh5AC1rbXe68weOQExDVJgsk56x3FvvwrmdaLe2TnbPJmzpkYUf1OK88e8KmhVYb34veuY1luDOBJQyQ9fOAGZC0F-g7SpWg1lp3hQzf5enkycHMK-fNAfFH7r1m1Ej_CvUuxfBVhI0W8ANpFWL4r8PxTZeZzE6NO38MYgB9nrICiKJuuTQQbsXdjOm22QuxrG1XpWA-vQCtbk-L891Ko6MdAUMzQ\"}'); \
    s = BaseHTTPServer.HTTPServer(('', 80), h); \
    s.serve_forever()"

Press Enter when you've got the python command running on your server...
Requesting verification for tlhp.ml...
Waiting for tlhp.ml challenge to pass...
Passed tlhp.ml challenge!
Requesting signature...
Certificate signed!
You can stop running the python command on your server (Ctrl+C works).

./signed.crt is your signed certificate, ready to use.


Use Let’s Encrypt without SSH access

Sometimes users don’t have ssh access to their hosting service. Let’s Encrypt also works in this situation:

$ cd letsencrypt/
$ ./letsencrypt-auto certonly -a manual -d tlhp.cf -d www.tlhp.cf
// Make sure your web server displays the following content at
// http://www.tlhp.cf/.well-known/acme-challenge/o6CFnS4JSKX8dmhFecvS-mSe5-SEIiebINBbNonlTXU
// before continuing:

// o6CFnS4JSKX8dmhFecvS-mSe5-SEIiebINBbNonlTXU.zQq3dWt68mUpFNTXkNYEYBk3eA9khPzyy-nDsQUl3Ss

OK, we need the link http://www.tlhp.cf/.well-known/acme-challenge/o6CFnS4JSKX8dmhFecvS-mSe5-SEIiebINBbNonlTXU to be served with a forced text/plain content type. Go to your web panel or connect over FTP and create these files in webroot/.well-known/acme-challenge/:

// The first file - forces the text/plain content type
$ cat .htaccess
ForceType text/plain

// The second file - for the LE validator
$ cat o6CFnS4JSKX8dmhFecvS-mSe5-SEIiebINBbNonlTXU
o6CFnS4JSKX8dmhFecvS-mSe5-SEIiebINBbNonlTXU.zQq3dWt68mUpFNTXkNYEYBk3eA9khPzyy-nDsQUl3Ss

Then press “Enter” in the Let’s Encrypt client to get our certificates:

Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/tlhp.cf/fullchain.pem.
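
The manual challenge steps above can be scripted on the machine that holds the webroot. This is an added example, not part of the original article or of the Let's Encrypt client; the function names are hypothetical, and the key authorization is the "token.thumbprint" string the client prints.

```shell
#!/bin/sh
# Added example: stage an HTTP-01 challenge file by hand (manual mode).

# Succeeds only for non-empty strings made of base64url characters.
is_b64url() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# stage_challenge WEBROOT KEY_AUTHORIZATION
# KEY_AUTHORIZATION is the "token.thumbprint" string printed by the client.
# The token becomes a file name, so both halves are validated first; this
# keeps a mistyped or hostile value from escaping the challenge directory.
stage_challenge() {
    webroot=$1 keyauth=$2
    token=${keyauth%%.*}      # part before the first dot
    thumb=${keyauth#*.}       # part after the first dot
    [ "$token" != "$keyauth" ] || return 1     # no dot at all
    is_b64url "$token" || return 1
    is_b64url "$thumb" || return 1
    dir=$webroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    printf 'ForceType text/plain\n' > "$dir/.htaccess"
    # No trailing newline: the body is exactly the key authorization.
    printf '%s' "$keyauth" > "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# verify_staged WEBROOT KEY_AUTHORIZATION: re-read the file from disk.
verify_staged() {
    f=$1/.well-known/acme-challenge/${2%%.*}
    [ -f "$f" ] && [ "$(cat "$f")" = "$2" ]
}

# Live check before pressing Enter (needs network; $domain is yours):
#   curl -s -w '\n%{content_type}\n' \
#     "http://$domain/.well-known/acme-challenge/$token"

if [ $# -eq 2 ]; then
    stage_challenge "$1" "$2"
fi
```

Delete the staged file once the certificate has been issued; the token is single-use.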

Renew and revoke

If you got Let’s Encrypt certificates and have used them for 90 days, it is time to renew. Run the LE client in the console with the same command that we described above.
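
Because the certificates last only 90 days, it helps to test for upcoming expiry instead of waiting for a browser warning. The following is an added example, not code from the article or the Let's Encrypt client: the function names and the self-signed demo certificate are constructed for illustration, and only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: renewal checks with openssl.

# needs_renewal CERT DAYS: succeeds when CERT expires within DAYS days or
# cannot be read; fails while the certificate is valid beyond that window.
needs_renewal() {
    [ -r "$1" ] || return 0
    # -checkend N exits 0 if the certificate is still valid N seconds from now.
    if openssl x509 -checkend "$(($2 * 86400))" -noout -in "$1" >/dev/null 2>&1
    then
        return 1
    fi
    return 0
}

# cert_matches_key CERT KEY: succeeds when the certificate carries the public
# half of KEY, e.g. signed.crt against domain.key before installing it.
cert_matches_key() {
    a=$(openssl x509 -pubkey -noout -in "$1" 2>/dev/null) || return 1
    b=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample input: a throwaway self-signed certificate valid for
# 90 days, standing in for a real Let's Encrypt certificate. Prints the
# temporary directory that holds cert.pem, domain.key and other.key.
make_demo_cert() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=example.test" \
        -keyout "$d/domain.key" -out "$d/cert.pem" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1 || return 1
    echo "$d"
}

# Usage: ./check.sh /etc/letsencrypt/live/$domain/fullchain.pem
if [ $# -eq 1 ]; then
    if needs_renewal "$1" 30; then
        echo "renew now: $1"
    else
        echo "still valid for more than 30 days: $1"
    fi
fi
```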

If you need to revoke certificates:

$ cd letsencrypt/
$ letsencrypt revoke --cert-path example-cert.pem

Alternative Let’s Encrypt Clients

Some alternative clients can potentially simplify the procedure for obtaining certificates:



WoSign

WoSign – a Chinese certificate authority that gives a free SSL certificate for 1 year only. The registration and verification procedure is very easy (much easier than Let’s Encrypt). To register, go to this URL and set up the domain name(s), your login and password:

After verification click on My Order and verify your rights to the domain:

If verification succeeds, you will receive the certificate by mail. SSL certificate installation instructions are here. My website also uses a WoSign certificate – check in your browser:

Thanks for reading and happy setup! If you have any problems – feel free to write in the comments.

P.S. I don’t recommend using free StartSSL certificates (why?).
