Published on August 15th, 2017 | by Manish Gehlot


How to obtain a secure Let’s Encrypt signed TLS certificate for your domain name or multiple host names at no cost?

An easy to remember domain name or host name to reach your Linux server is a must and equally significant is a secure TLS certificate to encrypt your communications to and from your Linode Linux server.

Free domain names are available at or you can get yourself a hostname from a Dynamic DNS (DDNS) provider like if you do not require a proper domain name.


Obtain a secure 4096-bit RSA or 384-bit ECDSA TLS certificate for a single domain name or multiple host names from Let’s Encrypt.


  • A Linux Server
  • Root access or a user account with sudo access to the same
  • Very basic understanding of GNU/Linux command line and administration.
  • (Optional) Zeal and determination to encrypt the communications.
  • A valid domain name or Dynamic DNS host name with its A and/or AAAA record pointing to the above Linux server

This guide has been tested on my favourite Debian Stable (Stretch) but would work equally well on other GNU+Linux distributions including but not limited to Ubuntu, CentOS, Arch, Gentoo, OpenSUSE, Fedora etc with nil or negligible changes.

Let’s roll.

A. Installing a Let’s Encrypt SSL/TLS certificate client

My choice of client for Let’s Encrypt CA is an ACME Shell script:, the simplest, easiest & smartest shell script to obtain free SSL/TLS certificates from Let’s Encrypt. It is vanilla Shell script with zero dependencies on additional packages or even official Let’s Encrypt client. It also has out of the box support for ECDSA certs.

To install, do as follows once you have gained root or sudo access:

# wget -O - | sh


# curl | sh

Upon successful installation, you would receive a message as follows on screen:

[Sun Aug 13 12:50:12 EDT 2017] Install success!

Set to automatically upgrade, so you don’t have to worry about it later:

# --upgrade --auto-upgrade

B. Obtaining a secure TLS certificate for your domain name or multiple host names

Before we issue secure TLS cert(s), make sure Port 80/tcp is open in your Linux server’s firewall and free to listen. If not then do so.

1. 384-bit ECDSA TLS certificate (Recommended because it’s a more secure algorithm at even lower bitrates for starters)

In order to issue a secure ECDSA TLS certificate for your single domain name do as follows:

# --issue --standalone -d --keylength ec-384

The above command would generate/issue certs which will be placed in ~/

SAN certificate (A certificate with multiple host names) is highly advised in most cases.

In order to issue a SAN certificate do as follows:

# --issue --standalone -d -d -d -d -d --keylength ec-384

This would issue a single SAN certificate that is valid for all the host names mentioned therein. I recommended SAN cert with multiple host names in every case except when you are using a single host name by DDNS provider.

See, if you only issue a TLS certificate for then the issued cert is not valid for and vice-versa, which is not desirable. Hence, always remember to add www.domain.tld to your TLS certificate along with domain.tld unless otherwise specifically required.

2. 4096-bit RSA TLS certificate

In order to issue a secure RSA TLS certificate for your single domain name do as follows:

# --issue --standalone -d --keylength 4096

The above command would generate/issue key/cert pair will be placed in ~/

For SAN certificate:

# --issue --standalone -d -d -d -d -d --keylength 4096

3. Running Apache/Nginx already?

If you are running a web server, Apache or Nginx, it is recommended to use the Webroot mode instead of the above Standalone mode. Standalone mode is only recommended when you do not run applications on your Linux server that accommodates Port 80/tcp or 443/tcp actively making it unavailable to listen.

Apache mode

In order to issue a 4096-bit RSA TLS certificate in Apache mode:

# --issue --apache -d -d --keylength 4096

To issue a 384-bit ECDSA TLS certificate:

# --issue --apache -d -d --keylength ec-384

Nginx mode

In order to issue a 4096-bit RSA TLS certificate in Nginx mode:

# --issue --nginx -d -d --keylength 4096

To issue a 384-bit ECDSA TLS certificate:

# --issue --nginx -d -d --keylength ec-384

C. TLS certificate renewals

Well, It is….. @#$%!
How do I explain? Never mind.

Just forget about manual renewals. hehe.

The beauty of is that it automatically handles the domain renewals for you. TLS certs issued will be renewed every 60 days by this free certificate client for Let’s Encrypt.

That being so, if needed you can manually force a renewal as follows:

For RSA certs:

# --renew -d --force

For ECDSA certs:

# --renew -d --force --ecc

D. Revoking your TLS certificate and further help

There are times when you might want to revoke your secure TLS certificate.

You can always revoke issued TLS certificate(s) as follows:

For RSA:

# --revoke -d


# --revoke -d --ecc

Further help regarding syntax or any other option can be easily obtained from a well-written help file:

# -h

Congrats! You have successfully generated a secure ECDSA/RSA TLS certificate for your domain name or multiple host names for free.

Thanks for reading! Suggestions and comments invited.

Tags: , , , , , , , , , , ,

About the Author

I am a privacy, security, encryption and software freedom enthusiast. I am into VPNs, TLS security. Recently I also got into technical writings. I am working as a VPN support and consultant at some nordic VPN providers.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top ↑