Arch manual pages

LEFH(1) General Commands Manual LEFH(1)

lefh - Let's Encrypt for Hiawatha

lefh [options]
Options: register: Register your account key at the Let's Encrypt CA. request <hostname> [<cert.pem>]: Request new certificate for website. expire: show number of days left before certificate expires. renew [restart]: Renew the almost expired Let's Encrypt certificates in Hiawatha's certificate directory. revoke <cert.pem>: Revoke the certificate. version: Show version information.

The Let's Encrypt script for the Hiawatha webserver can be used to request, renew and revoke certificated as provided by Let's Encrypt in a very easy way. It requires the PHP command line interface and uses version 2 of the ACME protocol to communicate with the Let's Encrypt server.

Start by editing the file ~/.letsencrypt/letsencrypt.conf and change the settings according to your needs. This file will be created when you run the letsencrypt script for the first time. At least, you need to change the e-mail address to use the tool.

Before you can request a certificate, you need to register an account at the Let's Encrypt CA. You can do this via the command: letsencrypt register

When running the tool for the first time, it will create a Let's Encrypt account key. Make sure you make a backup of this account.key file.

You can request a website certificate via: letsencrypt request <hostname> A virtual host for <hostname> must be present in the webserver configuration and you must have write access rights to its website root. The <hostname> must be the first hostname for that virtual host. All other hostnames will be used as alternative hostnames for the certificate. Wildcards are supported by Let's Encrypt, but the can only be obtained via DNS challenges. Because that's not an option for this script, they will not be used as an alternative name in the certificate. Unless you specify a filename as the third parameter, the requested certificate will be stored in the file <hostname>.pem. When requesting a Let's Encrypt certificate, make sure your website is reachable via HTTP (port 80). This is necessary because the Let's Encrypt CA will request a file from it, which the script will create in the webroot in order to prove you are the owner of that website.

After properly testing, open letsencrypt.conf, comment the testing CA hostname (the LE_CA_HOSTNAME setting), uncomment the production CA hostname, register your account key at the production server and request the final version of your website certificate.

Certificates will be written to a file in the directory of this script. If you run the script as user root, the certificate will be written to the directory configured via the HIAWATHA_CERT_DIR setting.

To automatically renew certificates that are about to get expired, run the letsencrypt tool with the parameter 'renew' as a cronjob of the user root. Add the parameter 'restart' to automatically restart the webserver when one or more certificates have been renewed. All certificates located in the HIAWATHA_CERT_DIR directory and those referred to in the webserver configuration will be renewed.

You can run a script when the certificate of a host is renewed. Create a script in the RENEWAL_SCRIPT_DIR directory and give it the name of the hostname for which it must be run. That script will be executed upon renewal of the matching certificate.

lefh is part of the Hiawatha webserver. See hiawatha(1) for more information about Hiawatha.

Hugo Leisink <> -