Parliament Hill Computers Ltd

How Let's Encrypt works


Let's Encrypt challenge/response

This is a description of how the challenge/response works.

The bot on the machine

The bot is asking Let's Encrypt to sign a certificate so that a viewer's web browser can be sure that content for the names in that certificate came from the machine holding the matching private key, and not from somebody impersonating it. The browser can be sure of that because it trusts the Let's Encrypt CA certificate in its trust store.

To discharge that responsibility Let's Encrypt needs to be sure that the bot it is speaking to really controls the domain names that are going into the certificate.

The challenge/response

Let's Encrypt challenges the bot by sending it a random token and asking it to publish a file named after that token on the web site, under /.well-known/acme-challenge/. The content of the file is not arbitrary: it is the token joined, with a dot, to a fingerprint of the bot's account key, so the answer is tied both to the site and to the key that made the request. Let's Encrypt then fetches http://your-domain/.well-known/acme-challenge/token over plain HTTP on port 80 (it will follow a redirect to HTTPS) and compares what it gets with what it expects. If they match, whoever holds the account key can also decide what that web site serves, which is the assurance it needs.

This is why some Apache configuration is needed before the certificates are signed: provide a directory that the bot can write to and that the web server publishes at the URL path /.well-known/acme-challenge/, with no authentication, rewrite rule or redirect in the way. The bot does not need to run as the web server user; it only needs write access to that one directory.

DNS validation

Let's Encrypt also allows validation using DNS. Instead of a file on the web server, the bot publishes a TXT record at _acme-challenge.your-domain containing a hash of the same token-plus-key-fingerprint answer. If you control the DNS then you can make the web server be anything, or have no web server at all. I do not use this.
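The two validation methods above both hinge on the same value, the "key authorization", which the CA computes for itself and compares with what it fetches. The script below is an added example (not code from this tutorial or from acme_tiny.py) that builds that value from a constructed sample account key, writes the HTTP-01 response file under a web root, checks it the way the validator would, and derives the DNS-01 TXT value from the same answer. The account key, the web root and the token are all made up for illustration; the fingerprint is the RFC 7638 JWK thumbprint that ACME specifies.

```python
import base64
import hashlib
import json
import os
import re
import tempfile


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME/JOSE use throughout."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


# Constructed sample of an ACME account key's public JWK. This is NOT a real key:
# "n" is filler bytes standing in for the modulus. Only "kty", "n" and "e" feed
# the thumbprint; any other member (such as "kid") is ignored.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(1, 65)) * 4),
    "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/0",
}

# Tokens are base64url strings chosen by the CA. Anything else must never be
# used as a file name, or a hostile token could walk out of the challenge directory.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def token_is_safe(token: str) -> bool:
    return bool(TOKEN_RE.match(token))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys in
    lexicographic order, no whitespace in the JSON."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The answer the CA expects: <token>.<thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns_txt_value(keyauth: str) -> str:
    """DNS-01 form of the same answer: the TXT record at _acme-challenge.<domain>
    holds base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(keyauth.encode("ascii")).digest())


def write_http_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Write the HTTP-01 response the CA will fetch at
    http://<domain>/.well-known/acme-challenge/<token>. Returns the path written."""
    if not token_is_safe(token):
        raise ValueError("token is not base64url; refusing to use it as a file name")
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as f:
        f.write(key_authorization(token, jwk))
    return path


def validate_http_challenge(webroot: str, token: str, jwk: dict) -> bool:
    """What the CA's validator does, minus the HTTP fetch: read what the server
    would serve for the token and compare it with the answer it computed itself
    from the account key that made the request."""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    try:
        with open(path) as f:
            served = f.read().strip()
    except OSError:
        return False
    return served == key_authorization(token, jwk)


def demo_round_trip(token: str = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA") -> tuple:
    """Write, validate, then validate the same file against a different account
    key, under a throw-away web root. Returns (validated_ok, validated_for_other_key)."""
    other_jwk = dict(SAMPLE_JWK, n=b64url(bytes(range(64, 0, -1)) * 4))  # a second made-up key
    with tempfile.TemporaryDirectory() as webroot:
        write_http_challenge(webroot, token, SAMPLE_JWK)
        ok = validate_http_challenge(webroot, token, SAMPLE_JWK)
        # The same token answered for another account must fail: the file proves
        # control of the site AND possession of the account key that asked.
        other = validate_http_challenge(webroot, token, other_jwk)
    return ok, other


if __name__ == "__main__":
    ok, other = demo_round_trip()
    print("validated:", ok, "| validated for a different account key:", other)
    print("DNS-01 TXT value:", dns_txt_value(key_authorization("example-token", SAMPLE_JWK)))
```

The point of the second validation in demo_round_trip is the one the tutorial makes in prose: a file under /.well-known/acme-challenge/ only satisfies the challenge for the account whose key produced it, so an attacker who can somehow drop files on your server still cannot get a certificate issued to their own Let's Encrypt account without also holding your account key.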

Let's Encrypt Certificate Chain

Let's Encrypt's own root certificate, ISRG Root X1, is now in the trust stores of most browsers and operating systems. This means the cross-signed chain through the old DST Root CA X3 (which expired in September 2021) is no longer needed: current clients validate the chain directly up to ISRG Root X1, and only very old clients that never received that root will still fail.


Next page: OpenSSL Certificate families and Let's Encrypt Accounts

Return to How to Configure Let's Encrypt with acme_tiny.py

Return to tutorial home.

If you want any help using the above, or have any comments or suggestions, please contact us.