Greenlock™ for Web Servers
Free SSL, Free Wildcard SSL, and Fully Automated HTTPS made dead simple
certificates issued by Let's Encrypt v2 via ACME
- Commandline (cli) Certificate Manager (like certbot)
- Integrated Web Server
- Free SSL Certificates
- Automatic certificate renewal before expiration
- One-off standalone registration / renewal
- On-the-fly registration / renewal via webroot
Mac & Linux
Open Terminal and run this install script:
curl -fsS https://get.greenlock.app/ | bash
This will install greenlock to
/opt/greenlock and put a symlink to
/usr/local/bin/greenlock for convenience.
You can customize the installation:
export NODEJS_VER=v8.11.1
export GREENLOCK_PATH=/opt/greenlock
curl -fsS https://get.greenlock.app/ | bash
This will change which version of node.js is bundled with greenlock and the path to which greenlock installs.
Windows & Node.js
- Install node.js
- Open Node.js
- Run the command
npm install -g greenlock-cli
We have a few different examples of issuing SSL certificates:
- Standalone (testing): Issue a one-off certificate
- Webroot (production): Automatic certificate renewal for Apache, Nginx, HAProxy, etc
- Manual (debugging): Go through the certificate process step-by-step
Important Note: Staging vs Production
Each of these examples uses the staging server. Staging certificates are signed by a test CA that browsers do not trust, so they are good for checking your setup and useless for real clients.
Once you have successfully obtained certificates from the staging server,
you must delete the staging account and certificates
(rm -rf ~/acme) and then
switch to the production server by replacing the --acme-url line in the commands below with:
--acme-version draft-11 --acme-url https://acme-v02.api.letsencrypt.org/directory \
(--server is accepted as a certbot-compatible alias for --acme-url.)
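As an added example (not part of greenlock-cli or this page), the following POSIX shell script checks, before a certificate is copied into a production web server, that it was not issued by the staging CA and that it actually covers the hostname you expect. It needs the openssl command line tool; the certificate path and hostname in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not greenlock's own code: refuse to deploy a certificate
# that was issued by the Let's Encrypt staging CA. Staging certificates
# chain to an untrusted test root, so browsers reject them. Requires the
# openssl CLI. Paths and hostnames below are assumptions for illustration.

# Print the issuer line of a PEM certificate, e.g.
#   issuer=C = US, O = Let's Encrypt, CN = R3
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Return 0 if an issuer string looks like the Let's Encrypt staging CA.
# Staging intermediates have carried names such as "Fake LE Intermediate X1"
# and, more recently, names containing "(STAGING)".
issuer_is_staging() {
    case "$1" in
        *STAGING*|*"Fake LE"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 if NAME is present verbatim as a SAN entry (no wildcard matching).
cert_covers_name() {
    cert_dns_names "$1" | grep -qxF "$2"
}

# check_deployable CERT HOSTNAME
#   0 = production-issued and covers HOSTNAME
#   1 = issued by the staging CA
#   2 = HOSTNAME not in subjectAltName
#   3 = certificate unreadable
check_deployable() {
    cert="$1"; host="$2"
    issuer=$(cert_issuer "$cert" 2>/dev/null) || return 3
    if issuer_is_staging "$issuer"; then
        echo "refusing $cert: issued by staging CA ($issuer)" >&2
        return 1
    fi
    if ! cert_covers_name "$cert" "$host"; then
        echo "refusing $cert: subjectAltName does not include $host" >&2
        return 2
    fi
    return 0
}

# Usage (assumed paths): sh check-cert.sh ~/acme/etc/example.com/fullchain.pem example.com
if [ "$#" -eq 2 ]; then
    check_deployable "$1" "$2" && echo "ok: $1 is deployable for $2"
else
    echo "usage: $0 CERT.pem HOSTNAME" >&2
fi
```

Run it against fullchain.pem after every issuance and only copy the files into the web server's directory when it returns 0; a staging certificate that slips through looks identical on disk and is only noticed when clients start failing.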
Standalone
primarily for testing
You can run in standalone mode on your server and get a cert instantly: greenlock itself listens on port 80 and answers the HTTP-01 challenge.
Note: nothing else may be listening on port 80 at the time (use Webroot mode if you already run a web server there).
sudo greenlock certonly --standalone \
  --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
  --agree-tos --email email@example.com --domains example.com,www.example.com \
  --community-member \
  --config-dir ~/acme/etc
Webroot
for testing and production
With this method you use your existing HTTP (port 80) server (Apache, Nginx, HAProxy, etc.). It must serve files from the webroot under /.well-known/acme-challenge/ over plain HTTP, because that is where Let's Encrypt fetches the challenge response.
You will specify the path or template path to your
- I want to get an SSL cert for
- I would use this command:
sudo greenlock certonly --webroot \
  --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
  --agree-tos --email firstname.lastname@example.org --domains example.com \
  --community-member \
  --root /srv/www/example.com \
  --config-dir ~/acme/etc
Now let's say that
- I have many sites in
/srv/www/, all by their name
- I already store my ssl certs in the format
- I'll run this command instead:
sudo greenlock certonly --webroot \
  --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
  --agree-tos --email email@example.com --domains example.com,whatever.com,foobar.net \
  --community-member \
  --root "/srv/www/:hostname" \
  --privkey-path "/etc/apache/ssl/:hostname/key.pem" \
  --fullchain-path "/etc/apache/ssl/:hostname/ssl.crt" \
  --config-dir ~/acme/etc
Run with cron
Those commands are safe to run daily from cron. Certificates are renewed automatically once they come within --renew-within days of expiry (default 10, as listed under Command Line Options); on other days the run changes nothing. Note that a renewed certificate only takes effect after the web server reloads it.
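An added example of such a cron job (not the project's own code): a POSIX shell wrapper that runs the webroot renewal against the production directory, then reloads the web server only when fullchain.pem actually changed, and only after confirming that the privkey.pem on disk matches the new certificate. The hostname, paths, e-mail address, the /etc/cron.d line and the `systemctl reload nginx` command are assumptions; the script needs the openssl command line tool.

```shell
#!/bin/sh
# Added example, not greenlock's own code: wrapper for the daily cron job.
# Runs the renewal, then reloads the web server only if the certificate
# changed and the key/cert pair on disk is consistent. Hostname, paths,
# e-mail address and reload command are assumptions for illustration.

HOST="${HOST:-example.com}"
CONF="${CONF:-/etc/acme}"
CERT="$CONF/$HOST/fullchain.pem"
KEY="$CONF/$HOST/privkey.pem"

# Change detector for a file. POSIX cksum keeps this portable; it is not a
# security control, only a "did the bytes change" test.
fingerprint() {
    if [ -f "$1" ]; then cksum < "$1" | cut -d' ' -f1; else echo none; fi
}

# Return 0 if the public key inside CERT equals the public key of KEY.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# renew_and_reload RENEW_CMD RELOAD_CMD
#   RENEW_CMD runs every time (greenlock only re-issues inside the
#   --renew-within window, so most days it does nothing). RELOAD_CMD runs
#   only when fullchain.pem changed and privkey.pem matches it.
# Returns 0 for "nothing to do" or a successful reload, 1 if renewal failed,
# 2 on a key/cert mismatch (the web server is deliberately left untouched).
renew_and_reload() {
    before=$(fingerprint "$CERT")
    sh -c "$1" || return 1
    after=$(fingerprint "$CERT")
    [ "$before" = "$after" ] && return 0
    if ! key_matches_cert "$CERT" "$KEY"; then
        echo "$HOST: privkey.pem does not match new fullchain.pem, not reloading" >&2
        return 2
    fi
    sh -c "$2"
}

# Daily job, e.g. an assumed /etc/cron.d/greenlock entry:
#   17 3 * * * root /usr/local/sbin/renew-example.sh --cron
if [ "${1:-}" = "--cron" ]; then
    renew_and_reload \
        "greenlock certonly --webroot \
            --acme-version draft-11 \
            --acme-url https://acme-v02.api.letsencrypt.org/directory \
            --agree-tos --email email@example.com \
            --domains $HOST --root /srv/www/$HOST \
            --config-dir $CONF" \
        "systemctl reload nginx"
fi
```

The key-match check matters most with the --privkey-path / --fullchain-path layout above, where the two files live in a directory other processes also write to: reloading a server with a mismatched pair takes the site down, whereas refusing to reload leaves the old, still valid certificate in service.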
Manual
primarily for debugging
The token (for all challenge types) and the keyAuthorization (only for http-01)
will be printed to the screen and you will be given time to copy it wherever it needs to go
(file, DNS record, database, etc.); the process will complete once you hit enter.
sudo greenlock certonly --manual \
  --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
  --agree-tos --email firstname.lastname@example.org --domains example.com \
  --community-member \
  --config-dir ~/acme/etc
Then you can see your certs at
~/acme/etc/
└── example.com
    ├── cert.pem
    ├── chain.pem
    ├── fullchain.pem (Apache, Nginx, node.js)
    ├── privkey.pem (Apache, Nginx, node.js)
    └── bundle.pem (HAProxy)
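The values that --manual prints are only the raw material; what goes on the web server or into DNS is derived from them as RFC 8555 specifies. The script below is an added example (not greenlock's own code) that derives both the http-01 URL and body and the dns-01 record name and value from a token and an account-key thumbprint, using the openssl command line tool. The token and thumbprint in it are constructed sample values, and the webroot path in the staging helper is an assumption.

```shell
#!/bin/sh
# Added example, not greenlock's own code: turn the values that --manual
# prints into what each challenge type needs, per RFC 8555.
#   http-01: GET http://<domain>/.well-known/acme-challenge/<token>
#            must return the key authorization "<token>.<thumbprint>"
#   dns-01:  TXT _acme-challenge.<domain> must hold
#            base64url(SHA-256(key authorization)) with no '=' padding
# Requires the openssl CLI. TOKEN and THUMB below are constructed samples.

# base64url without padding (RFC 4648 section 5), read from stdin.
b64url() {
    openssl enc -base64 -A | tr '+/' '-_' | tr -d '='
}

# key_authorization TOKEN THUMBPRINT -> "<token>.<thumbprint>", no newline
key_authorization() {
    printf '%s.%s' "$1" "$2"
}

# http01_path DOMAIN TOKEN -> URL the ACME server will fetch
http01_path() {
    printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# http01_body TOKEN THUMBPRINT -> exact response body (no trailing newline)
http01_body() {
    key_authorization "$1" "$2"
}

# dns01_record DOMAIN -> name of the TXT record to create
dns01_record() {
    printf '_acme-challenge.%s' "$1"
}

# dns01_value TOKEN THUMBPRINT -> contents of that TXT record
dns01_value() {
    key_authorization "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# stage_http01 WEBROOT TOKEN THUMBPRINT: write the http-01 file into a
# webroot, e.g. the assumed /srv/www/example.com from the --webroot example.
stage_http01() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    http01_body "$2" "$3" > "$dir/$2"
    chmod 644 "$dir/$2"   # the web server must be able to read it
}

# Demo with constructed values (not real ACME data):
TOKEN="evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMB="9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
echo "http-01: serve $(http01_path example.com "$TOKEN")"
echo "         with body $(http01_body "$TOKEN" "$THUMB")"
echo "dns-01:  $(dns01_record example.com) TXT \"$(dns01_value "$TOKEN" "$THUMB")\""
```

The two derivations differ on purpose: the http-01 file contains the key authorization itself, while the dns-01 TXT record contains only its SHA-256 digest, so a DNS record never exposes the account-key thumbprint.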
Run without root (no sudo)
sudo is used to allow greenlock to bind port 80 and to write to httpd-owned directories.
Allow greenlock to bind system ports (below 1024) without root by granting the bundled node binary just that one capability:
sudo setcap cap_net_bind_service=+ep /opt/greenlock/bin/node
Any script executed with that binary gets the same capability, so grant it to the bundled copy under /opt/greenlock rather than to a system-wide node.
To allow greenlock to write to folders owned by another user, run it as that user.
Otherwise, you can change the ownership of the folders, which is probably a BAD IDEA: recursively handing /etc/ssl to your login user means every process running as you can read every private key on the box. But since some of you are going to do it anyway, here is how:
# PROBABLY A BAD IDEA
sudo chown -R $(whoami) /etc/ssl /etc/acme
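Instead of the chown -R above, here is an added example (not the project's own code) of the least-privilege layout a practitioner would use: a dedicated service user owns the certificate directory, the web server's group may only traverse it and read the public files, and private keys are owner-only. The greenlock user, the www-data group and the paths are assumptions; the useradd, setcap and chown steps are shown as comments because they need root.

```shell
#!/bin/sh
# Added example, not greenlock's own code: give a dedicated, unprivileged
# service user write access to the certificate directory without the
# blanket "chown -R $(whoami) /etc/ssl". The owner (the greenlock user)
# writes, the web server's group can traverse and read public files,
# everyone else is locked out, and the private key stays owner-only.
# User and group names and paths are assumptions for illustration.

# perm_string PATH -> the 10-character mode column from ls, e.g. drwxr-s---
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# setup_cert_dir DIR GROUP: owner rwx, group r-x, setgid so files the owner
# creates inherit GROUP, nothing for others. GROUP may be empty (the
# directory then keeps the creator's group).
setup_cert_dir() {
    mkdir -p "$1"
    [ -n "$2" ] && chgrp "$2" "$1"
    chmod 2750 "$1"
}

# lock_private_key FILE: readable by the owner only. A web server whose
# master process starts as root still reads it; an unprivileged process
# (or another service user on the host) cannot.
lock_private_key() {
    chmod 600 "$1"
}

# key_is_private FILE -> 0 if group and others have no permission bits at all
key_is_private() {
    case "$(perm_string "$1")" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# One-time setup as root (assumed names; shown, not run here):
#   useradd --system --home /var/lib/greenlock --shell /usr/sbin/nologin greenlock
#   setcap cap_net_bind_service=+ep /opt/greenlock/bin/node
#   setup_cert_dir /etc/apache/ssl/example.com www-data
#   chown greenlock /etc/apache/ssl/example.com
# Then run greenlock as that user, e.g.
#   sudo -u greenlock greenlock certonly --webroot ... \
#     --privkey-path /etc/apache/ssl/example.com/key.pem \
#     --fullchain-path /etc/apache/ssl/example.com/ssl.crt
# and after each issuance:
#   lock_private_key /etc/apache/ssl/example.com/key.pem
#   key_is_private /etc/apache/ssl/example.com/key.pem || echo "key too open" >&2
```

The setgid bit is what makes this work day to day: every file greenlock writes into the directory is created with the web server's group, so the server can read ssl.crt without anyone touching ownership again, while the explicit chmod 600 keeps the key out of that group.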
Command Line Options
Usage: greenlock [OPTIONS] [ARGS]

Options:
  --acme-version [STRING]    'draft-11' for Let's Encrypt v2 or 'v01' for Let's Encrypt v1. (default: null)
  --acme-url [URL]           Directory URL for ACME API. Let's Encrypt URLs are:
                             draft-11
                               https://acme-staging-v02.api.letsencrypt.org/directory
                               https://acme-v02.api.letsencrypt.org/directory
                             v01
                               https://acme-staging.api.letsencrypt.org/directory
                               https://acme-v01.api.letsencrypt.org/directory
  --email EMAIL              Email used for registration and recovery contact. (default: null)
  --agree-tos BOOLEAN        Agree to the Let's Encrypt Subscriber Agreement
  --community-member         Submit stats to and receive updates from Greenlock
  --domains HOSTNAME         Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: )
  --renew-within [NUMBER]    Renew certificates this many days before expiry. (default: 10)
  --cert-path STRING         Path to where new cert.pem is saved (Default is :conf/live/:hostname/cert.pem)
  --fullchain-path [STRING]  Path to where new fullchain.pem (cert + chain) is saved (Default is :conf/live/:hostname/fullchain.pem)
  --chain-path [STRING]      Path to where new chain.pem is saved (Default is :conf/live/:hostname/chain.pem)
  --bundle-path [STRING]     Path to where new bundle.pem (fullchain + privkey) is saved (Default is :conf/live/:hostname/bundle.pem)
  --domain-key-path STRING   Path to privkey.pem to use for domain (default: generate new)
  --account-key-path STRING  Path to privkey.pem to use for account (default: generate new)
  --config-dir STRING        Configuration directory. (Default is ~/letsencrypt/etc/)
  --http-01-port [NUMBER]    Use HTTP-01 challenge type with this port, used for SimpleHttp challenge. (Default is 80) (must be 80 with most production servers)
  --dns-01                   Use DNS-01 challenge type.
  --standalone [BOOLEAN]     Obtain certs using a "standalone" webserver. (Default is true)
  --manual [BOOLEAN]         Print the token and key to the screen and wait for you to hit enter, giving you time to copy it somewhere before continuing. (Default is false)
  --debug BOOLEAN            show traces and logs
  -h, --help                 Display help and usage details
Certbot Command Line Options
These options are maintained for compatibility with certbot:
  --server [STRING]       ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory)
  --duplicate BOOLEAN     Allow getting a certificate that duplicates an existing one/is an early renewal.
  --webroot BOOLEAN       Obtain certs by placing files in a webroot directory.
  --webroot-path STRING   public_html / webroot path.
Note: some of the options may not be fully implemented. If you encounter a problem, please report a bug on the issues page.
Legal & Rules of the Road
Greenlock™ and Bluecrypt™ are trademarks of AJ ONeal
The rule of thumb is "attribute, but don't confuse". For example:
Please contact us if you have any questions in regards to our trademark, attribution, and/or visible source policies. We want to build great software and a great community.