Using Let's Encrypt for SSL/TLS Certificates for Apache 2.2, Postfix 2.9 and Dovecot 2.0 on Ubuntu 12.04

by Daniel Convissor at 2015-12-21 09:17:00

I've been using StartSSL for low-level, free TLS certificates for a few years. Their interface and processes are a bit clunky (though I see they're coming out with a new website this weekend). More problematically, they wouldn't renew a free cert for my community garden's domain because the site has a link for making donations via PayPal.

I recently heard of Let's Encrypt, a new, open source, free certificate authority. It's got big-name backers like Mozilla, EFF, Automattic and many more. The API allows users to easily automate the whole issuance and renewal process. They went into public beta earlier in the month.

One of my TLS certificates was coming up for renewal, so I figured it was worth a shot. I'm glad I did.

I ran into a few roadblocks using the "apache" plugin, so I used the "webroot" plugin which is slightly less automagical. After using it, I realized a little shell script would help simplify the process. Also, Let's Encrypt is pretty lax with file permissions (I was able to read the private keys from my regular user account!) so my instructions and shell script lock things down.

Get the Software and Certs

All shell commands in this tutorial assume you're running as root. So start off by making that so, then install my shell script.

sudo -i

mkdir -p -m 755 /usr/local/src
cd /usr/local/src

git clone
cd call_letsencrypt
chmod 744

# Edit the "email" variable in the script.
# Use whatever editor you want.  As you see, I use vim.
git commit -am 'My settings'

cd /usr/local/sbin
ln -s /usr/local/src/call_letsencrypt/

Next, ensure regular users can't get at the data, then install the Let's Encrypt scripts in /root.

mkdir -m 700 /etc/letsencrypt

git clone

Execute my script for the core domain names and tighten up permissions some more. A root-only tree is safe for the services below: Apache, Postfix's smtpd and Dovecot all read their certificate and key files as root during start-up, before dropping privileges.

find /etc/letsencrypt -type d -exec chmod 700 {} \;
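The one-line find above only touches directories; an added example (my own, not the author's call_letsencrypt script) that audits a tree for anything group- or world-accessible and locks both directories and files down to root only. The directory is a parameter defaulting to /etc/letsencrypt; the audit/lock subcommand names are my own choice.

```shell
#!/bin/sh
# Added example, not the tutorial's call_letsencrypt script: audit a directory
# tree for anything group- or world-accessible and lock it down to root only.
# Intended for /etc/letsencrypt (run as root); the path is a parameter so the
# same functions can be exercised on a scratch directory.

# Print every directory and regular file under $1 that has ANY group or other
# permission bit set. Octal -perm -0NN (POSIX) matches when that bit is set.
exposed_entries() {
    find "$1" \( -type d -o -type f \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Succeed (exit 0) only if nothing under $1 is exposed.
tree_is_locked() {
    [ -z "$(exposed_entries "$1")" ]
}

# Owner-only everywhere: directories 700, files 600. live/*.pem are symlinks
# into archive/, so the real key files are fixed when the walk reaches archive/.
lock_down() {
    find "$1" -type d -exec chmod 700 {} \;
    find "$1" -type f -exec chmod 600 {} \;
}

# Audit report: list what is exposed; exit 1 if anything is, 0 if clean.
audit() {
    exposed=$(exposed_entries "$1")
    if [ -n "$exposed" ]; then
        printf 'exposed under %s:\n%s\n' "$1" "$exposed"
        return 1
    fi
    echo "$1: locked down (root only)"
}

# Usage: ./lockdown.sh audit|lock [DIR]   (DIR defaults to /etc/letsencrypt)
case "${1:-}" in
    audit) audit "${2:-/etc/letsencrypt}" ;;
    lock)  lock_down "${2:-/etc/letsencrypt}" && audit "${2:-/etc/letsencrypt}" ;;
esac
```

Run it with `audit` first to see what the client left readable, then `lock`; re-run `audit` after every renewal, since a client that writes new files with its own umask can undo the lockdown.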

Use the New Certs

Point each service at the files in the certificate's live/ directory. Apache 2.2 takes the leaf certificate and the intermediate chain as two separate directives; Postfix and Dovecot have only one certificate setting, so it must point at the bundle that contains both the leaf and the intermediate (fullchain.pem in a Let's Encrypt live/ directory), otherwise clients that don't already have the intermediate will fail to build a trust path.

Apache (the site's SSL virtual host):

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

Postfix (/etc/postfix/main.cf):

smtpd_tls_cert_file = /etc/letsencrypt/live/
smtpd_tls_key_file = /etc/letsencrypt/live/

Dovecot (typically /etc/dovecot/conf.d/10-ssl.conf; the leading < tells Dovecot to read the file's contents rather than treat the value as literal PEM):

ssl_cert = </etc/letsencrypt/live/
ssl_key = </etc/letsencrypt/live/

Reload Services

service apache2 reload
service dovecot reload
service postfix reload

Renew the Certs Automatically

Certificates from Let's Encrypt are valid for 90 days. Renewing them is as easy as adding a cron job that gets called every other month. So run crontab -e (as root) and put the following in there. One caveat: this schedule gives a single attempt roughly every 60 days, so if that one run fails (network hiccup, rate limit, a changed webroot) nothing retries before the 90 days run out. Running the job daily or weekly and having it skip while the certificate is not yet near expiry is the safer pattern.

5 4 3 */2 * /usr/local/sbin/ -adp
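An added example of the safer pattern (my own code, not the author's script): a wrapper meant to run from cron daily, which attempts a renewal only when the certificate is within a threshold of expiry and reloads the services afterwards. It requires the openssl command-line tool. RENEW_CMD and RELOAD_CMD are assumed placeholders, not the tutorial's flags: set them to the real client invocation and to the three `service ... reload` lines above.

```shell
#!/bin/sh
# Added example, not the tutorial's script: a cron-safe renewal wrapper. It only
# attempts a renewal when the certificate is within THRESHOLD days of expiry, so
# a failed attempt (network, rate limit) is retried on the next run instead of
# leaving the cert to lapse. Requires the openssl CLI. RENEW_CMD and RELOAD_CMD
# are placeholders (assumptions): the real client call and the tutorial's
# `service ... reload` commands.

# Exit 0 if the certificate in $1 expires within $2 days (or cannot be read,
# which also means "needs attention"), 1 if it has more than $2 days left.
# `openssl x509 -checkend N` exits 0 only while the cert stays valid N seconds from now.
expires_within_days() {
    cert=$1
    days=$2
    ! openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1
}

# Renew and reload only when due. Returns 0 when nothing was needed or renewal
# succeeded, 1 when renewal or reload failed, 2 when RENEW_CMD is unset.
renew_if_due() {
    cert=$1
    days=${2:-30}
    if ! expires_within_days "$cert" "$days"; then
        echo "$cert: more than $days days left, nothing to do"
        return 0
    fi
    if [ -z "${RENEW_CMD:-}" ]; then
        echo "RENEW_CMD is not set; refusing to guess the client invocation" >&2
        return 2
    fi
    if ! sh -c "$RENEW_CMD"; then
        echo "renewal FAILED for $cert; will be retried on the next cron run" >&2
        return 1
    fi
    # Services load the certificate at start-up, so they must be told about the new file.
    if [ -n "${RELOAD_CMD:-}" ] && ! sh -c "$RELOAD_CMD"; then
        echo "renewed $cert but reloading services FAILED" >&2
        return 1
    fi
    echo "$cert: renewed and services reloaded"
}

# Usage (daily from cron):
#   RENEW_CMD='<client invocation>' \
#   RELOAD_CMD='service apache2 reload; service dovecot reload; service postfix reload' \
#   ./renew-wrapper.sh CERT.pem [DAYS]
if [ $# -ge 1 ]; then
    renew_if_due "$@"
fi
```

A non-zero exit status makes cron mail the output to root, so a failed renewal is noticed on the first failure rather than when a browser shows an expiry warning.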

Tags: encryption, apache, postfix, ubuntu
