I’m writing this blog post because I just can’t hold in my excitement. Let’s Encrypt has just entered public beta!
For those who don’t know what I’m talking about, let me back up a little. SSL certificates are what give a website the mystical padlock of security. Let’s Encrypt is a new website certificate authority that’s backed by the biggest players on the internet. Among its sponsors are Mozilla (maker of the Firefox browser), Automattic (maker of the WordPress content management system), Cisco and Facebook. What’s so special? Let’s Encrypt is giving away security for free, forever, and vastly simplifying and automating the process of getting that security.
If you followed the series of big security panics over the last few years, such as the Heartbleed vulnerability, you’ll know that certificates have had to be reissued at an irritatingly frequent, time-wasting pace. If you’ve heard of Edward Snowden, you’ll know why major players on the internet are interested in promoting universal, ubiquitous, free-the-web kind of security. And don’t forget that the big search engines prefer sites with SSL.
Anyway, today the Open Beta launched, and I rushed in like a child waiting at the door of a candy store. As you might expect, I discovered that the beta program isn’t overly polished. Automatic installation and renewal seem to be out of reach for now (despite documentation to the contrary), at least on the web servers we most often use (Apache with Amazon Linux). But I was able to get some wonderfully free, fully trusted security certificates.
If you’re excited like me, read on as I give you the technical steps needed to get your free certificates. But reader beware: Let’s Encrypt is still a beta product. Don’t use this on a production server unless you also share my appetite for adventure.
Step one: SSH into your server and get the Let’s Encrypt client. I installed in the /opt directory, but you can install anywhere you like:
cd /opt
git clone https://github.com/letsencrypt/letsencrypt
Step two: Initiate a manual certificate request:
cd letsencrypt
sudo ./letsencrypt-auto --debug certonly --manual
The client will likely need to install a bunch of dependencies, and it’ll launch a screen that asks you for a few details about the certificate(s) needed. Then it’ll give you instructions to put a verification code on the website you’re securing. It’ll look like this:
Make sure your web server displays the following content at
{your-domain}/.well-known/acme-challenge/{verification-filename} before continuing:
{verification-code}
It’ll tell you to press ENTER to continue, but don’t press enter yet!
Step three: Open up another SSH terminal and simply drop the verification code into the specific location requested:
cd /{path-to-website}
mkdir -p .well-known/acme-challenge
cd .well-known/acme-challenge/
nano {verification-filename}
(paste the verification code and save the file)
Open up a browser and verify that hitting the specified URL does in fact display the verification code. You may need to set permissions on the file, depending on your web server’s setup. Once you’ve got that verification code visible, go back to the first SSH terminal and hit enter. If you requested more than one domain or subdomain in the certificate, you’ll see the instructions displayed for each, and you’ll need to repeat step three as requested.
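Step three as a small shell helper, added here as an example and not part of the Let’s Encrypt client: it writes the verification code into the path the client asked for, sets permissions the web server can read, and then fetches the URL to confirm the served body matches before you press ENTER. The function names, the 0644/0755 permissions and the use of curl are my assumptions.

```shell
#!/bin/sh
# Added example (not from the letsencrypt client): place an http-01 challenge
# response under the webroot and confirm the web server actually serves it.

# place_challenge WEBROOT FILENAME CODE
# Creates WEBROOT/.well-known/acme-challenge/FILENAME containing exactly CODE.
# printf '%s' avoids the trailing newline an editor such as nano would add.
# Permissions are an assumption: readable by the web server's user.
place_challenge() {
  webroot=$1; fname=$2; code=$3
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  printf '%s' "$code" > "$dir/$fname" || return 1
  chmod 0644 "$dir/$fname" || return 1
  chmod 0755 "$webroot/.well-known" "$dir"
}

# served_matches DOMAIN FILENAME CODE
# Fetches the URL the client told you to check and compares the body with
# CODE byte-for-byte. Returns 0 only when they match, so you can gate the
# "press ENTER" step on it. Requires curl (assumption).
served_matches() {
  domain=$1; fname=$2; code=$3
  url="http://$domain/.well-known/acme-challenge/$fname"
  got=$(curl -fsS "$url") || { echo "fetch failed: $url" >&2; return 1; }
  if [ "$got" = "$code" ]; then
    echo "OK: $url serves the expected code"
  else
    echo "MISMATCH: $url served '$got'" >&2
    return 1
  fi
}

# Usage (one pair of calls per domain the client prompts you for):
#   place_challenge /var/www/example {verification-filename} {verification-code}
#   served_matches example.com {verification-filename} {verification-code}
```

Run the two functions once for each domain or subdomain the client prompts you for, and only press ENTER in the first terminal when served_matches reports OK.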
The client should now have some warm, congratulatory text on screen. It’ll tell you where your certificate is located on your server. Hurray! You now have a free, completely trusted 90-day certificate for use on your website. You’ll be able to renew your certificate in three months by repeating steps two and three. In fact, the certificate will even be replaced in the same location with the same filenames, so you won’t need to fiddle with swapping configurations on your web server.
As you can see it’s not exactly a laborious process – it’s pretty quick, in fact. But it is a manual process. I’m betting (hoping) that in three months, the Let’s Encrypt client will have become a lot more robust. Fingers crossed for automatic renewals. I don’t know about you, but I’m ready to say goodbye to the arcane, overly expensive, time-intensive certificate authorities that currently run security on most of the web. That’s definitely something to be excited about.