Getting a free TLS certificate from Let's Encrypt
Certified
Let's Encrypt [1] is an open-source project with the goal of getting every website to encrypt its traffic with TLS. The Let's Encrypt project is sponsored by organizations such as Mozilla, Cisco, Akamai, EFF, gandi.net, and many more. The primary role of Let's Encrypt is to offer trusted and free TLS certificates for everyone. Users can even copy and integrate Let's Encrypt technology into their own networks, which means any website can now offer an encrypted option at no cost. On May 8th 2016, Let's Encrypt issued its one millionth certificate.
Building In Trust
Let's Encrypt requires that whoever requests a certificate must prove they control the website for which the certificate is intended. If you want a certificate for a website, the DNS record for that domain must resolve to the IP address of a server you control.
To request a certificate for http://www.hanscees.com, I had to run a script on the web server serving http://www.hanscees.com, asking the Let's Encrypt staging-server (LSS) for the certificate. The LSS asks the web server to present a secret file on a subdirectory of the website, checks it, and, if successful, hands over a certificate file. See the Let's Encrypt website for additional information [2].
You can use Let's Encrypt for any website regardless of the web server. For my home-grown sites, I use one ESXI VMware server and deploy pre-installed virtual machines using TurnKey Linux [3], a Debian-based series of pre-configured Linux application hosts. Deploying a new website takes me about 10 minutes.
To secure websites running on Joomla or other web-based applications, I use a front-end reverse-proxy. I recently switched from Nginx to Hiawatha [4] because the Hiawatha configuration makes it extremely easy to protect websites from SQL attacks. A front-end reverse proxy makes using Let's Encrypt much easier: instead of having to use a Let's Encrypt client on every web server, I can renew certificates for many back-end web servers in one script using one machine.
Getting a Free Let's Encrypt SSL/TLS Certificate
Let's Encrypt was a public beta when I wrote this article, and some of the procedures have changed, but this brief introduction will help you get started. Also, keep in mind that you might need to adjust these procedures based on your own configuration.
Consider taking a snapshot of your system or exporting the VM to be sure you can easily revert to the previous configuration in case of a problem.
To set up Let's Encrypt:
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory --help
Now get some coffee and wait for a long download.
The first time you get a certificate, you need to run the commands manually, because you need to enter some manual input, such as an email address. Also, make sure you test with the staging server while you're learning how to use Let's Encrypt, because the real server has some built-in limits: if you try too many times, it will block certificate renewal for your domain for a week.
Start with the test server:
https://acme-staging.api.letsencrypt.org/directory
After you understand how Let's Encrypt works, you can try this using the production server:
https://acme-v01.api.letsencrypt.org/directory
To obtain a test certificate (signed by the staging CA, so browsers will not trust it), change to the letsencrypt directory:
cd /root/letsencrypt
The basic command for obtaining a certificate is:
./letsencrypt-auto certonly -a webroot --webroot-path /srv/www/example.com/ -d example.com -d www.example.com --server https://acme-staging.api.letsencrypt.org/directory
Next, you need to make sure:
- Your domain (as stated after the -d flag) is registered in DNS and resolves to the IP address of your web server (or proxy).
- The webroot path you give in the letsencrypt-auto command is correct, the script can write to that directory, and the web server actually serves that directory.
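The two checks above can be scripted so they run before a real request is sent, which matters because failed attempts against the production server count toward its rate limit. The pre-flight script below is an added example, not part of the article or of the Let's Encrypt client. It assumes the domain, the webroot path and the expected public IP address are passed as arguments, and that getent and curl are installed (both are standard on Debian-based systems such as TurnKey Linux); the token file name and the "preflight-check" content are made up for the example.

```shell
#!/bin/sh
# Pre-flight checks for webroot validation (added example, not from the article).
# Assumptions: domain, webroot and expected IP come in as arguments; getent and
# curl are available.

# 1. Does the domain resolve to the address of this web server / proxy?
acme_dns_check() {
    domain="$1"; expected_ip="$2"
    resolved=$(getent ahostsv4 "$domain" | awk 'NR==1 {print $1}')
    [ -n "$resolved" ] || { echo "DNS: $domain does not resolve" >&2; return 1; }
    [ "$resolved" = "$expected_ip" ] || {
        echo "DNS: $domain resolves to $resolved, expected $expected_ip" >&2; return 1; }
}

# 2. Can we write a challenge file where the client will put it?
# Prints the URL path of the token file on success (constructed token name).
acme_webroot_check() {
    webroot="$1"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" 2>/dev/null || { echo "webroot: cannot create $dir" >&2; return 1; }
    token="preflight-$$"
    printf 'preflight-check\n' > "$dir/$token" 2>/dev/null || {
        echo "webroot: cannot write to $dir" >&2; return 1; }
    echo "/.well-known/acme-challenge/$token"
}

# 3. Does the web server actually serve that file over plain HTTP? The
# validation request arrives on port 80, so this is what Let's Encrypt sees.
acme_http_check() {
    domain="$1"; path="$2"
    body=$(curl -fsS --max-time 10 "http://$domain$path") || {
        echo "http: http://$domain$path is not served" >&2; return 1; }
    [ "$body" = "preflight-check" ] || {
        echo "http: unexpected content at http://$domain$path" >&2; return 1; }
}

# Run all three checks and clean up the token file afterwards.
acme_preflight() {
    domain="$1"; webroot="$2"; expected_ip="$3"
    acme_dns_check "$domain" "$expected_ip" || return 1
    path=$(acme_webroot_check "$webroot") || return 1
    acme_http_check "$domain" "$path" || return 1
    rm -f "$webroot$path"
    echo "preflight ok: safe to run letsencrypt-auto for $domain"
}

# Usage (hypothetical values):
#   acme_preflight www.test-backend.com /var/www/backends 203.0.113.10
```

Run it with the same domain and webroot you will pass to letsencrypt-auto; if any step fails, the real request would fail in the same way, so fix DNS, permissions or the proxy configuration first and stay on the staging server until the script passes.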
If you are testing a couple of times, make sure you keep a backup of your Let's Encrypt credentials:
tar -cvzf /root/letsencrypt.tgz /etc/letsencrypt
On my network, I enter:
./letsencrypt-auto certonly -a webroot --webroot-path /var/www/backends/ -d www.test-backend.com --server https://acme-staging.api.letsencrypt.org/directory
After you enter the command, you have to type an email address and agree to the terms of service [5]. If all goes well, you will get a message similar to the output shown in Listing 1.
Listing 1
Successful Certificate
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.test-backend.com/fullchain.pem. Your cert will
expire on 2016-03-27. To obtain a new version of the certificate in the
future, simply run Let's Encrypt again.

If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
If you are continually testing and getting errors saying the archive directory already exists, you might need to clean up some directories:
cd /etc/letsencrypt/
rm -rf archive/www.test-backend.com*
rm -rf live/www.test-backend.com*
rm -rf renewal/www.test-backend.com*
rm -rf keys/*
rm -rf csr/*
To use the Let's Encrypt certificate with Hiawatha, you need to combine the private key, the certificate, and the intermediate chain into the single PEM file that Hiawatha expects, and make sure only the web server user can read it:
cd /etc/letsencrypt/live/www.test-backend.com/
cat privkey.pem cert.pem chain.pem > hiawatha-hc.pem
chown www-data:www-data hiawatha-hc.pem
chmod 440 hiawatha-hc.pem
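Because the bundle contains the private key, it is worth checking that the concatenation came out in the right order and with the right permissions before Hiawatha is restarted, and checking how close the certificate is to the expiry date reported in Listing 1 so renewal can be scripted. The helper below is an added example, not code from the article or from the Hiawatha or Let's Encrypt projects; it assumes the client's /etc/letsencrypt/live/<domain>/{privkey,cert,chain}.pem layout, a stat that understands -c %a (GNU or busybox), and openssl for the expiry check. The same functions serve the identical bundling step for the production certificate later in the article.

```shell
#!/bin/sh
# Build and sanity-check the single PEM file Hiawatha reads.
# Added example, not from the article or the Hiawatha/Let's Encrypt projects.
# Assumes /etc/letsencrypt/live/<domain>/{privkey,cert,chain}.pem, stat -c,
# and openssl.

# Concatenate private key, leaf certificate and intermediate chain, in that
# order, into one file readable only by root and the web server user.
hiawatha_bundle() {
    live_dir="$1"; out="$2"; owner="${3:-www-data}"
    for f in privkey.pem cert.pem chain.pem; do
        [ -s "$live_dir/$f" ] || { echo "missing or empty $live_dir/$f" >&2; return 1; }
    done
    # restrictive umask so the key is never world-readable, even briefly
    (umask 077; cat "$live_dir/privkey.pem" "$live_dir/cert.pem" "$live_dir/chain.pem" > "$out") || return 1
    chmod 440 "$out" || return 1
    # chown only works as root; when run unprivileged (e.g. while testing) say so
    if [ "$(id -u)" -eq 0 ] && getent passwd "$owner" >/dev/null 2>&1; then
        chown "$owner:$owner" "$out"
    else
        echo "note: not changing owner of $out to $owner (not root, or no such user)" >&2
    fi
}

# Verify the bundle layout: first PEM block is the private key, followed by at
# least two CERTIFICATE blocks (leaf + intermediate), and the mode is 0440.
hiawatha_pem_check() {
    file="$1"
    kinds=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$file")
    first=$(printf '%s\n' "$kinds" | head -n 1)
    case "$first" in
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
        *) echo "$file: first block is '$first', expected the private key" >&2; return 1 ;;
    esac
    certs=$(printf '%s\n' "$kinds" | grep -c '^CERTIFICATE$' || true)
    [ "$certs" -ge 2 ] || { echo "$file: $certs certificate block(s), expected leaf + chain" >&2; return 1; }
    mode=$(stat -c %a "$file")
    [ "$mode" = "440" ] || { echo "$file: mode is $mode, expected 440" >&2; return 1; }
    echo "$file: private key + $certs certificates, mode $mode"
}

# Exit 0 if the leaf certificate in the bundle expires within DAYS days,
# i.e. it is time to run the renewal and rebuild the bundle. openssl x509
# reads the first CERTIFICATE block and ignores the key in front of it.
cert_expires_within() {
    file="$1"; days="$2"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    if openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0
}

# Usage (after a successful letsencrypt-auto run):
#   d=/etc/letsencrypt/live/www.test-backend.com
#   hiawatha_bundle "$d" "$d/hiawatha-hc.pem" && hiawatha_pem_check "$d/hiawatha-hc.pem"
#   cert_expires_within "$d/hiawatha-hc.pem" 30 && echo "renew now"
```

With a reverse proxy in front of several back ends, the usage lines can be looped over every directory under /etc/letsencrypt/live, which is the one-machine renewal setup described earlier; the expiry check makes that loop safe to run from cron daily, since it only rebuilds and restarts when a certificate is actually close to expiring.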
When you have a new certificate, check the configuration and restart Hiawatha so the web server picks it up:
service hiawatha check
/etc/init.d/hiawatha restart
Now point your browser to the website and see if you get redirected to HTTPS or receive a warning because you are using the test environment and the certificate is not trusted.
Ignore the warnings and have a look at the certificate: mine was signed by "happy hacker fake CA."
A Real Certificate
Now that you have the process working, you can get a trusted certificate signed by Let's Encrypt.
First, clean up the testing stuff:
tar -cvzf /root/letsencrypt.tgz /etc/letsencrypt
cd /etc/letsencrypt/
rm -rf archive/www.test-backend.com*
rm -rf live/www.test-backend.com*
rm -rf renewal/www.test-backend.com*
Next, get the real signed certificate as follows:
cd /root/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path /var/www/backends/ -d www.test-backend.com --server https://acme-v01.api.letsencrypt.org/directory
If a congratulations follows, you can prep the cert (remember this is for Hiawatha, the instructions will vary if you use a different web server):
cd /etc/letsencrypt/live/www.test-backend.com/
cat privkey.pem cert.pem chain.pem > hiawatha-hc.pem
chown www-data:www-data hiawatha-hc.pem
chmod 440 hiawatha-hc.pem
Restart Hiawatha, and you should see your website without HTTPS warnings. If you examine the certificate, you'll see that it says:
Issued by: Let's Encrypt Authority X1
You now have an officially signed and trusted certificate. Your website just became one of many secured sites using Let's Encrypt for a safer internet.