Create Let’s Encrypt certificates manually

This was the week I’ve been waiting for. My webspace had been running on an old DOMAINbox system, and Host Europe moved it to a new platform to finish the integration of the existing DOMAINbox customers. I had to fix, ehmm, reconfigure my website to get it working again. While doing this I got used to “KIS”, Host Europe’s management portal. There I found an option that allows me to install my own SSL certificate. Hell yeah, I could buy a certificate from Host Europe, but I had heard about Let’s Encrypt, where I can get certificates for free. I liked the idea behind this project and decided to test it.

The foundation of this project is Certbot. It is a program that implements the ACME protocol to automate the creation of certificates. Certbot creates challenge files with cryptographic content to prove that you have access to the server. The Let’s Encrypt system checks these files and then creates the certificates.

In my basic webhosting package I have no shell access and cannot run Certbot on the server. This is the reason why I need to invest a little more work. I installed Certbot on my Mac running macOS Sierra. The additional steps in this setup are creating the verification files myself and later installing the certificate on my webspace. I did not find a good tutorial on how to do this, so now you are reading one.

First of all I need to install Xcode on my Mac, if it is not already installed. You can download Xcode from Apple’s App Store. After installing Xcode you need to accept the license agreement. You can start Xcode or just use this little command in a terminal:

sudo xcodebuild -license accept

Certbot for macOS is packaged via Homebrew. In this step we will install Homebrew. This can be done via this command:

/usr/bin/ruby -e "$(curl -fsSL"

Now we can install Certbot with this command:

brew install certbot

Now the preparations are done. The needed software is on my Mac and we can start creating the certificates. You need to specify several parameters. One certificate can be used for several domains. With the parameter “-d” I added my domain with and without www in front. This and all following steps can also be done on other platforms, e.g. Linux:

sudo certbot certonly --manual -d -d --manual-public-ip-logging-ok

Performing the following challenges:
 http-01 challenge for
 http-01 challenge for

For each domain I added, Certbot showed me a filename and file content that I needed to create on my webserver to show that the system is under my control. I created these files with an FTP client:

Make sure your web server displays the following content at before continuing:
Press Enter to Continue 

After this is done, we need to press “Enter”. We get this dialog for every domain added via “-d”. In the next step the files are checked, and if every check passes Let’s Encrypt generates our certificate.
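Added example, not part of the original post and not Certbot's code: two shell helpers that stage the challenge file for the FTP upload and confirm it is served correctly before you press Enter. They assume the standard ACME http-01 location /.well-known/acme-challenge/<token> and the content format token.thumbprint from RFC 8555; the function names, the local staging directory and example.com are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not Certbot's own code.
#
# stage_challenge WEBROOT KEYAUTH
#   Writes KEYAUTH (the content Certbot prints) to
#   WEBROOT/.well-known/acme-challenge/<token>, ready to upload by FTP.
#   e.g. stage_challenge ./upload 'TOKEN.THUMBPRINT'
stage_challenge() {
    webroot=$1 keyauth=$2
    case $keyauth in *.*) ;; *) return 1 ;; esac   # must be token.thumbprint
    token=${keyauth%%.*}                           # file name = part before the dot
    thumb=${keyauth#*.}                            # account key thumbprint
    # Both parts are base64url; rejecting anything else also keeps "/" and
    # ".." out of the file name that is about to be written.
    case $token in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    case $thumb in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    [ ${#thumb} -eq 43 ] || return 1               # SHA-256, base64url, unpadded
    dir=$webroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    printf '%s' "$keyauth" > "$dir/$token"
}

# check_challenge BASE_URL KEYAUTH
#   Fetches the challenge URL and compares the body with the expected content.
#   e.g. check_challenge http://example.com 'TOKEN.THUMBPRINT'
check_challenge() {
    url=$1/.well-known/acme-challenge/${2%%.*}
    body=$(curl -fsSL --max-time 10 "$url") || return 1
    [ "$body" = "$2" ]
}
```

Run check_challenge once for every name passed with -d; a non-zero exit status means the file is missing, was uploaded to the wrong directory, or has different content.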

Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your cert will
   expire on 2017-04-28. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Now we can find our certificates in the folder /etc/letsencrypt. This folder is not accessible to a normal user. I copied the files and changed their ownership to my user so that I can access them. Here are the steps I took:

sudo cp -r /etc/letsencrypt/ /Users/marco/Documents/sslcert
cd /Users/marco/Documents/sslcert
sudo chown marco *

OK, the next step is to add my certificate to my webspace configuration. As a Host Europe customer I have an administration console called KIS. There I chose to install the certificate for my domain. As certificate I used “live/”. As private key I used the file “live/”. Password and CA are optional. As CA I installed the intermediate certificate. I did this only to be sure that it works, but it should work without it.
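Added example, not part of the original post: a check to run on the copied files before handing them to the hosting portal, confirming that the private key belongs to the certificate, that every name given with -d is covered, and that the certificate is not about to expire. It assumes openssl is installed; the function name, return codes and example.com are hypothetical, and cert.pem / privkey.pem in the usage comment are Certbot's usual file names.

```shell
#!/bin/sh
# Added example (hypothetical helper), not from the original post.
#
# preflight CERT KEY MIN_DAYS NAME...
#   0 = ok, 1 = bad arguments or unreadable file, 2 = key does not match cert,
#   3 = a NAME is missing from the certificate, 4 = expires within MIN_DAYS
#   e.g. preflight cert.pem privkey.pem 30 example.com www.example.com
preflight() {
    [ $# -ge 3 ] || return 1
    cert=$1 key=$2 min_days=$3
    shift 3
    [ -r "$cert" ] && [ -r "$key" ] || return 1

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 2

    # Every requested name must appear as an exact DNS subjectAltName entry.
    sans=$(openssl x509 -in "$cert" -noout -text | tr ',' '\n' |
           sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -Fxq "DNS:$name" || return 3
    done

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null || return 4
    return 0
}
```

The copy in your home directory includes the private key, so restrict it to your user (chmod -R go-rwx) and remove it once the upload is done.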

4 thoughts on “Create Let’s Encrypt certificates manually”

  1. Christina

    Thank you very much for this guide! Since my provider gives me console access but no root privileges, I have to generate the certificate locally, just like you. I had been searching for quite a while, and all the guides I had found so far were run from the web server that the domain’s DNS record points to. I was beginning to think it would never work out, until I came across your article.

    I use Ubuntu Linux for this, and here the command is “certbot-auto” instead of “certbot”, i.e. it looks like this (run as root):

    ./certbot-auto certonly --manual -d --manual-public-ip-logging-ok

    Best regards

    1. Marco Horstmann Post author

      Hi Christina, thanks for your comment. So far I have only had the chance to test this on my Mac, and I am glad that with your comment Linux users can now find the right command as well.

  2. Daniel

    I used your article as a template for domains at HE. Thanks for that 🙂

    Now I had to add another domain. In the docs, the --expand command for adding an additional domain is described somewhat unclearly. But everything you need is here:

    In our case such a command would then look like this:

    sudo certbot certonly --manual --expand -d -d -d

    Maybe you would like to add that to your article.

    1. Marco Horstmann Post author

      Thanks, I will do that. My son has kept me so busy lately that I haven’t done anything here for the last 2.5 months.

