
Let's Encrypt

Created: 2022-04-06 19:33:55 -0700 Modified: 2022-04-06 19:46:35 -0700

(kw: letsencrypt, let’sencrypt)

I ran these instructions when I wanted to set up https:// and wss:// servers on a GCP VM. They come from here. They use Certbot. This should not take a long time to set up as long as you follow the instructions and know how to let Let’s Encrypt reach your machine on port 80 (that is where the HTTP-01 challenge is served) without the firewall stopping it.

  • sudo apt install snapd
  • Restart your session (I killed all screen windows)
  • sudo snap install core
  • sudo snap install hello-world
  • hello-world
  • sudo snap install core; sudo snap refresh core
  • sudo snap install --classic certbot
  • sudo ln -s /snap/bin/certbot /usr/bin/certbot
    # The following is only because of my specific setup so that I wouldn't have to set my PATH for my sudo user. Unalias it if you run into any issues like "env: No such file or directory".
    alias sudo='sudo env PATH=$PATH'
  • sudo certbot certonly --standalone
    • Try with --test-cert first so you don’t blow through your rate limits (production allows 5 failed validations per account, per hostname, per hour, and 5 duplicate certificates per week; the staging environment is far more lenient). Staging certificates are not trusted by browsers, so they are only good for confirming that validation works.
    • It will automatically start its own webserver on port 80 to serve the well-known challenge file (something like http://example.com/.well-known/acme-challenge/j-krWDwSwXmVk2OeCrNZyAYHXZO0y_u7Ul7OjOmkhns). Do not try serving this yourself! Certbot will handle it for you. Two things must be true for that to work: nothing else (nginx, Apache, your own server) may already be listening on port 80 while Certbot runs, and port 80 must be reachable from the internet, because the HTTP-01 challenge only ever connects on port 80 (on GCP that means a VPC firewall rule allowing tcp:80, plus any iptables rules on the VM itself). If Certbot can’t bind the port or Let’s Encrypt can’t connect, fix that first; if you can’t free port 80, use --webroot or --nginx instead of --standalone. This is why you should use --test-cert at first, but remove the flag once you’ve confirmed it works.
  • From here, Certbot writes the files under /etc/letsencrypt/live/<your-domain>/ (check the output of Certbot to see exactly where they were put): privkey.pem (the private key), cert.pem (your certificate alone), chain.pem (the intermediate) and fullchain.pem (cert.pem followed by chain.pem). Serve fullchain.pem together with privkey.pem; serving cert.pem by itself leaves out the intermediate and many clients will then refuse the connection. You can easily use these to start an https:// server, even for websockets (see this example. Note that I didn’t have to handle “upgrade” events at all for the April Fool’s 2022 code, although I don’t have it anymore since I only wrote it on the VM that I terminated). The certificate is valid for 90 days; the snap package installs a systemd timer that renews it automatically, but with --standalone the renewal also needs port 80 free, so use --pre-hook/--post-hook to stop and restart whatever is listening there.

This happens when the certificate doesn’t chain to a trusted authority. In other words, you almost certainly tried using a --test-cert (staging) certificate when you meant to use a production one (staging issuers are not in any browser’s trust store). The other common cause is serving cert.pem instead of fullchain.pem, which leaves the intermediate out of the chain.