Ideally you should always run a scan on your SSL to ensure it is configured correctly.<p>This is a great scanner and is free: <a href="https://www.ssllabs.com/ssltest/analyze.html" rel="nofollow">https://www.ssllabs.com/ssltest/analyze.html</a>
I was going to ask about browser trust but their FAQ (<a href="https://community.letsencrypt.org/t/frequently-asked-questions-faq/26" rel="nofollow">https://community.letsencrypt.org/t/frequently-asked-questio...</a>) addressed it. If others are curious:<p>> Are certificates from Let’s Encrypt trusted by my browser?<p>The short answer is “yes”.<p>The long answer is that our issuing intermediates are cross-signed by a widely trusted IdenTrust root. This allows our certificates to be trusted while we work on propagating our own root. Most platforms that trust that root should trust Let's Encrypt certs. One notable exception is Windows XP, which currently doesn't accept our intermediate.
I've built a small Ansible role to generate a certificate and configure it for automatic monthly renewal.<p>It isn't really set up to handle all possible scenarios, so I only made it available as a gist as opposed to a full role available in the Ansible Galaxy. For example, it expects an Apache virtual host to be configured already instead of allowing Let's Encrypt to handle it - I do this in another role specifically set up to handle Apache.<p><a href="https://gist.github.com/JamesChevalier/a5d78be0febfe505a7e5" rel="nofollow">https://gist.github.com/JamesChevalier/a5d78be0febfe505a7e5</a>
The configuration listed unfortunately doesn't work for the www version of the domain - Let's Encrypt requires individual certificates for the naked domain and each subdomain, including www.<p>Nginx configuration needs to handle the two (or more, depending on subdomains) certificates.<p>Let's Encrypt is a great initiative and I hope that they can support nginx auto-renewal!
How do I get this to work on a shared webserver? I don't have root and need a cert I can upload on their backend system, so more than 90 days would be a requirement.