Verbally Flimzy

Ramblings, Observations and Misconceptions

Praise for Let's Encrypt -- Free, automated SSL certificates

Posted on October 21, 2016

After a few weeks of not hacking one of my hobby projects, I decided to get back to it today, only to discover that the SSL certificate guarding it had expired. Being just a hobby project, it wasn’t important, but it was annoying.

But before I went to buy another $9.99 SSL certificate for the next year, I thought I’d try a new service I recently heard about at Matthew Holt’s talk at dotGo 2016. His talk was about a new protocol called ACME or Automatic Certificate Management Environment, and in particular, a Go library to use it. Watch his talk here.

But for now, suffice it to say that ACME promises to make getting SSL certificates easier, safer (no more chance to fat-finger your email address), and, perhaps best, free!

As I was in the market for a new SSL certificate and didn't want to pay $9.99 again, this seemed like the perfect time to try it out.

At the moment, there is one (and as far as I know, only one) SSL certificate provider using ACME. It's called Let's Encrypt, and is provided by the Internet Security Research Group, and sponsored by many well-known companies.

Set Up

So rather than digging through my emails from a year ago to see where to send money to renew my SSL certificate, I followed the simple Get Started instructions on the Let's Encrypt web site. I followed their "With Shell Access" procedure, and installed Certbot, a small Python script that handles certificate registration and renewal for me.

On the server hosting my HTTPS site, I had to expose a directory to the world, which Certbot uses to validate that I own the domain. But this was as simple as adding a single vhost entry to my lighttpd config.

Once that was done, getting my new SSL certificate was as simple as the documentation claims.

Literally, in less time than it would have taken to generate a certificate request and fill out the order form, I had my certificate.

All that was left then was to point my server software to the new certificate files, which was as easy as you would imagine. If you’ve ever set up an HTTPS (or other SSL) service before, you already know how to do this.

Automated renewals

These free certificates are good for 90 days at a time. But auto-renewing them is as easy as creating a cron job that renews your certificates when they are nearing expiry. Another 2-minute job (all testing included) to have that up and running.
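Because the certificates only last 90 days, a silently broken cron job brings you right back to the expired-certificate surprise this post opened with. The following script is an added example, not part of the original post or of Certbot: a cron-friendly check that exits non-zero (so cron mails you) when a certificate file on disk has fewer days left than the renewal window. It assumes GNU `date` (for `date -d`) and `openssl` on PATH; the 30-day window mirrors Certbot's default renewal threshold, and the certificate path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the post): verify that automated renewal is really
# keeping a Let's Encrypt certificate fresh. Exits non-zero when the certificate
# has fewer days left than the renewal window, so a cron job mails the output.
# Assumptions: GNU date (for `date -d`) and openssl on PATH; the 30-day window
# mirrors certbot's default renewal threshold.
set -eu

RENEW_WITHIN_DAYS=30

# Whole days between a notAfter string in the format printed by
# `openssl x509 -enddate` (e.g. "Jan 19 00:00:00 2017 GMT") and a reference
# time given as a Unix epoch. Negative once the certificate has expired.
days_left() {
    not_after="$1"; now_epoch="$2"
    end_epoch=$(date -u -d "$not_after" +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeeds (exit 0) when renewal is due: at or under the window, or expired.
needs_renewal() {
    left=$(days_left "$1" "$2")
    [ "$left" -le "$RENEW_WITHIN_DAYS" ]
}

# Check a certificate file on disk against the current time.
# Returns 1 (alert) when renewal is due, 0 when the certificate is fine.
check_cert_file() {
    pem="$1"
    not_after=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
    now=$(date -u +%s)
    remaining=$(days_left "$not_after" "$now")
    if needs_renewal "$not_after" "$now"; then
        echo "ALERT: $pem expires $not_after ($remaining days left); is renewal running?"
        return 1
    fi
    echo "ok: $pem expires $not_after ($remaining days left)"
    return 0
}

# Cron usage, e.g. daily, after the `certbot renew` job has run
# (placeholder path; substitute your own domain):
#   /usr/local/bin/cert-check.sh /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem
if [ "$#" -gt 0 ]; then
    check_cert_file "$1"
fi
```

Schedule it a little after the renewal job, so that a renewal that fails for any reason (for example the validation vhost being removed during a config cleanup) shows up as mail long before the 90 days run out.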

Next time you need an SSL certificate, I encourage you to check out Let’s Encrypt. I’d say it’s even easier than configuring a self-signed certificate in most cases, and far more secure!

Soon I’ll be adding Let’s Encrypt certificates to as many of my servers as possible. And not just HTTPS. I think I’ll replace all of my self-signed SMTPS certificates first…

Filed under: Linux, security, servers, ssl