Using Let's Encrypt SSL certificate with Pound

:: Let's Encrypt certificates have a particular advantage over its competitors – it can be #automatically renewed. When you manage a lot of servers, this can be a serious time-saving feature.

Pound is a very lightweight reverse-proxy software, which can also act as a SSL endpoint. Means that it will accept the encrypted (HTTPS) traffic, decrypt it, and then forward the result to the webserver at the backend. It's quite helpful to offload this from the webserver.

Here's how to do both (auto-renew Let's Encrypt SSL certificate on Pound), starting from a configuration snippet for /etc/pound/pound.cfg :

Port 443
AddHeader ""X-Forwarded-Proto: https""
HeadRemove ""X-Forwarded-Proto""
HeadRemove ""X-Forwarded-For""

Cert "/etc/letsencrypt/live/"

### avoid poodle security attack
Disable SSLv3
Disable SSLv2

### hardening SSL with strong ciphers, disabling weak ones

SSLAllowClientRenegotiation 0
SSLHonorCipherOrder 1


That config should be able to score (at least an) A from Qualys SSL Labs' website :

Here's the script to do the auto-renewal, don't forget to set the cronjob so this is run twice every day on off-peak times :


# renew certificate
/root/tools/certbot/certbot-auto renew

# merge private key with certificate
# to make it readable by Pound

cp /etc/letsencrypt/live/ /etc/letsencrypt/live/

cat /etc/letsencrypt/live/ >> /etc/letsencrypt/live/

# restart Pound
/etc/init.d/pound restart

Have fun with these !


(1) Eko Juniarto for suggesting to restart Pound after the renewal process.

(2) Fahri Reza for informing that Let's Encrypt advocates running auto-renewal not once – but twice a day. Eg: in case of an emergency, etc

Post imported by Google+Blog for WordPress.

7 thoughts on “Using Let's Encrypt SSL certificate with Pound

  1. thank you for the information is be very useful.

    Come join us and get the big prize that awaits you, do not miss a great bonus that awaits you only in

  2. It?¦s really a great and useful piece of info. I am satisfied that you simply shared this useful info with us. Please keep us up to date like this. Thank you for sharing.

Leave a Reply

Your email address will not be published. Required fields are marked *