Issuing free HTTPS certificate with Let’s encrypt
March 14, 2016
For a decade, the process of issuing HTTPS certificate and setting up it for the server is a little complex, and well, expensive.
That process is an obvious obtacle that slowing down the web’s migration from HTTP protocol to HTTPS protocol, and keeps websites and users at risks of MITM attacks as well as some sort of vulnerabilities.
Fortunately, some very good guys at Let’s encrypt, with huge support from big companies such as Google, Facebook, make a couple of action to make the mentioned process so easy. Actually, issuing a HTTPS certificate now is just a matter of clicks, and FREE
From the website:
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
- Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
Usages
- Install let’s encrypt following the official guide
- Open terminal, navigate to the installed directory
- $ ./letsencrypt-auto certonly –rsa-key-size 4096 –standalone –email [YOUR-EMAIL-ADDRESS] -d [YOUR-DOMAIN-NAME]
- In which, you need to insert your email address and domain nam,
- 4096 bit is recommended to generate rsa-key (2048 is OK)
- DONE!
- Your certificate is now available at /etc/letsencrypt/live/[YOUR-DOMAIN-NAME]
- Inside this directory, you should find 4 files:
cert.pem chain.pem fullchain.pem privkey.pem
- Use those files to configure your webserver of choice. I recommend you navigate to Mozilla’s webserver configuration generator page to have a solid SSL configuration.
Trouble shooting
- One of the most important ideas of let’s encrypt is it’s automate process of issuing HTTPS certificate. Which mean you mostly acquiring and renewing certificate by command-line interface. For that purpose, you need to make sure your server’s port 443 is open. Many users have issues with this, without knowing what we need to do is open port 443 to communicate with Let’s encrypt server.
- Let’s encrypt has a very reasonable rule is that the generated certificate is just valid for 3 months. So you need to renew it every 3 months or little sooner. I recommend you to have a cron job to renew certificate for every 2 months as I did:
- $ ./letsencrypt-auto renew
For the troubles while using let’s encrypt and further discussion, find me on email tuan_nh@septeni-technology.jp. In a coming article, I will show you all how I setup Let’s encrypt client with Ansible module, and integrate the whole process of issuing/renewing/configuring HTTPS certificates with nginx and Ansible module.