Secure your website with Let’s Encrypt

Let’s Encrypt is a free certificate authority (link, link). It allows making your website available as https// at no cost. Unencrypted websites are being phased out or at least penalized by browsers making the need for a free alternative to paid authorities all the more urgent. Since August 2018 the Let’s Encrypt root is trusted by all other mayor roots.

The ACME protocol (Automated Certificate Management Environment) is responsible for setting up the communication between the certificate authority and the web server hosting the domain. Let’s Encrypt suggests the Certbot ACME client (Python based) (link, link) but installation on Centos failed:

Operating system
cat /etc/*elease
CentOS Linux release 7.4.1708 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID_LIKE="rhel fedora"

sudo yum install python2-certbot-apache
No package python2-certbot-apache available.
Error: Nothing to do

Difficulties have been noted before (link, link)

ACME PHP is an alternative (link, link). Installation is straightforward:

As local user

php -r "copy('', 'acmephp.phar');"
php -r "copy('', 'acmephp.phar.pubkey');"

php acmephp.phar –version
Acme PHP – Let’s Encrypt client 1.0.1

As per the documentation (link) the next step is generation of a configuration yml file:

cat config.yml

country: NL
locality: Eemnes
organization_name: companyname
solver: http

– domain:

Running this command in this procedure check

php acmephp.phar run config.yml


Solving challenge for domains...
In InstanceProfileProvider.php line 88:
Error retrieving credentials from the instance profile metadata server.

This must be a bug, the domain challenge started without setting it up in the first place.  But the authentication step can also be done separately.  If the domain challenge is to be solved via http the authority expects a specific file on the web server in order to prove you own the domain:

php acmephp.phar authorize

Loading account key pair…
Requesting an authorization token for domains …
The authorization tokens was successfully fetched!
Solving authorization challenge for domain {“domain”:””,”challenge”:{“domain”:””,”status”:”pending”,”type”:”http-01″,”url”:”……..854″,”token”:”esM0……U”,”payload”:”esM……..Rc”}}
Create a text file accessible on URL………U
containing the following content:


The use of the “.well-known” directory is explained here where it is also noted that some webserver configurations do not allow directories starting with a dot. As this was the case in this procedure check (link, link) DNS was used as a solver instead:

php acmephp.phar authorize --solver dns
Loading account key pair...
Requesting an authorization token for domains ...
The authorization tokens was successfully fetched!
Solving authorization challenge for domain {"domain":"","challenge":{"domain":"","status":"pending","type":"dns-01","url":"","token":"u8HEZ.........LVE","payload":"u8H...........vqRc"}}
Add the following TXT record to your DNS zone
TXT value: 2plz.............iwlI

Check DNS

host -t TXT descriptive text "2plzW..............yiwlI"

php acmephp.phar check -s dns
Loading account key pair...
Loading the order related to the domains ...
Loading the authorization token for domains ...
Testing the challenge for domain
Requesting authorization check for domain ...

The authorization check was successful!

You are now the proved owner of those domains

Now the certificate can be requested

php acmephp.phar request

After filling out the usual certification questionnaire the required files are created. For a basic ssl installation (for example in a DirectAdmin control panel) required are the following files:


The ssl encryption for works instantaneously.

Update January 2019: according to this report letsencrypt facilitates DNS hyjacking