A few days ago I got my invitation to the Let’s Encrypt Beta Program. For those of you who are not familiar with Let’s Encrypt:
Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.
This short tutorial is intended to get you up and running with your own Let’s Encrypt signed certificates.
The first thing is to get the Let’s Encrypt client:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
The main command we will be working with is ./letsencrypt-auto. The first time you run it, it will also ask for sudo, install various dependencies using your package manager and set up a virtualenv environment.
The next step is to issue the certificate and prove to Let’s Encrypt that you control the domain. The client supports two methods of validation. The first one is the standalone server: the client itself binds port 443 and answers the challenge sent by the Let’s Encrypt servers. If you already have a web server listening on port 443 (the default for TLS/SSL), you would have to shut it down for the duration of the validation, which means downtime for your site. To use the standalone method run:
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly
The second method is called webroot authentication. It works by writing the challenge responses as files into a folder (.well-known/acme-challenge) inside the document root of your existing web server, which then serves them to the Let’s Encrypt validation servers over plain HTTP. Your server keeps running the whole time:
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path /var/www/html/ certonly
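For the webroot method to work, the HTTP (port 80) server for the domain must serve the files the client drops into .well-known/acme-challenge. The following Nginx server block is an added example, not part of the original post or of the Let’s Encrypt client; the server names and the /var/www/html path (the same one passed to --webroot-path above) are assumptions. The challenge tokens have no file extension, so a default_type is set explicitly, and everything else on port 80 is redirected to the TLS site:

```nginx
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;   # assumed names

    # Serve only the ACME challenge files, straight from the webroot
    # given to --webroot-path, so the client can write and Let's Encrypt can read them.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;          # must match --webroot-path
        default_type text/plain;     # token files carry no extension
        try_files $uri =404;
    }

    # Everything else on port 80 goes to the HTTPS site.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

The ^~ modifier makes this prefix location win over any regex locations (for example a rule that denies access to dot-files), which is exactly the kind of rule that otherwise blocks access to .well-known.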
Whichever method you choose, the client will ask for the list of domains you want to validate and for your email address. You can enter multiple domains. The first one becomes the Common Name (CN); all of them, including the first, are listed in the Subject Alternative Name extension, which is what browsers actually match against.
The newly generated certificates will be placed in /etc/letsencrypt/live/yourdomain.com/. The important files in this directory are fullchain.pem, which contains the full certificate chain to be served to the browser, and privkey.pem, which is the private key. Make sure privkey.pem stays readable by root only; anyone who can read it can impersonate your site.
An example Nginx configuration will now look like:
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/guyrutenberg.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/guyrutenberg.com/privkey.pem;
Just don’t forget to check the configuration (nginx -t) and reload the web server so the changes take effect. No more government snooping on my blog 😉 .
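Before pointing the web server at a fresh live/ directory and reloading, it is worth checking that privkey.pem actually belongs to the leaf certificate in fullchain.pem, that the certificate is not about to expire, and that the key file is not world-readable. The following script is an added example, not part of the original post or of the Let’s Encrypt client; it only needs openssl. The directory it generates for its demo run is a constructed stand-in (a throwaway self-signed 90-day certificate), not a Let’s Encrypt-issued one, and the script name check-le.sh in the usage comment is an assumption:

```bash
#!/bin/sh
# Added example (not from the post or the Let's Encrypt client): sanity checks to run
# against a live/ directory before pointing nginx at it and reloading.
set -eu

# The public key inside the leaf certificate (first PEM block of fullchain.pem) must equal
# the public key derived from privkey.pem; otherwise every TLS handshake fails after reload.
key_matches_cert() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the leaf certificate is still valid $2 days from now.
# -checkend takes seconds and spares us parsing the notAfter date by hand.
valid_for_days() {
    openssl x509 -in "$1/fullchain.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# privkey.pem must not be readable by group or others. -L follows the symlink that
# live/ uses, so we inspect the real file's mode bits (columns 5-10 of `ls -l`).
key_is_private() {
    [ "$(ls -lL "$1/privkey.pem" | cut -c5-10)" = "------" ]
}

# Constructed stand-in for /etc/letsencrypt/live/yourdomain.com/: a self-signed
# 90-day certificate (the lifetime Let's Encrypt issues), not a real issued one.
make_demo_live_dir() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=example.com" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
    chmod 600 "$dir/privkey.pem"
    echo "$dir"
}

# Run all checks on a directory and report; non-zero exit status if any check fails.
check_live_dir() {
    dir=$1; ok=0
    key_matches_cert "$dir" && echo "key matches certificate" \
        || { echo "KEY/CERT MISMATCH"; ok=1; }
    valid_for_days "$dir" 30 && echo "valid for at least 30 more days" \
        || { echo "EXPIRES WITHIN 30 DAYS: renew"; ok=1; }
    key_is_private "$dir" && echo "private key permissions ok" \
        || { echo "PRIVATE KEY READABLE BY GROUP/OTHERS"; ok=1; }
    return $ok
}

# Usage: ./check-le.sh /etc/letsencrypt/live/yourdomain.com
# With no argument, run against the constructed demo directory instead.
if [ "${1:-}" = "" ]; then
    demo=$(make_demo_live_dir)
    check_live_dir "$demo"
    rm -rf "$demo"
else
    check_live_dir "$1"
fi
```

The 30-day threshold matches the point at which a certificate should already have been renewed; run the script from cron after your renewal job so a silent renewal failure is caught while there is still time to fix it.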
Nice tutorial, but then what about the next step? What about using your Let’s Encrypt certificate for authentication, as explained earlier in https://www.guyrutenberg.com/2015/09/15/securing-access-using-tlsssl-client-certificates/ ?
I think after the tutorial you are pretty much done. You can take additional steps to optimize the way your server handles SSL (for example by allowing session reuse), or improve on the default cipher suite selection.
Using your Let’s Encrypt certificate for client authentication might be feasible, but I would not recommend it: First of all, trusting the Let’s Encrypt CA certificate for authenticating clients means that every certificate signed by Let’s Encrypt will be trusted – quite a lot of random people will have access to your site, thus defeating the purpose of access control. Secondly, you won’t be able to grant client certificates to whomever you choose, because you will need Let’s Encrypt to sign their certificate (which requires that they have a domain they can validate).
Does this work on a Windows server? Because I host my Apache on a Windows server. Is there a way around this?
Sorry for being a complete noob at this, but do I run this on the web server or on a client?
Trying the second method on a DreamHost shared server, but running into a permissions error at the server level for allowing access to hidden folders (.well-known) to verify the domain to Let’s Encrypt.
Anyone figured out a work-around for this? Thanks!
I have a Windows server running Apache and hosting a self-signed cert site. I want to replace the self-signed cert with the one generated from Let’s Encrypt.
How can I run letsencrypt on Ubuntu but generate a cert for Apache running on another server (Windows in my case)?
There isn’t an easy way to do so as far as I know. I suggest you look for a Windows client instead of the Ubuntu one.
Generating certificates this way is great, but it leaves you open to your cron accidentally breaking or your renewal script not working as you expected. To get around this you should check your SSL certificate regularly to ensure that it’s been renewed using a service like TrackSSL (https://trackssl.com) that notifies you if your certificate is close to expiration.