Let's Encrypt
Let’s Encrypt is a Certificate Authority intended to be free, automated, and open.
Why
You should use LetsEncrypt because it's the simplest way to setup easy-to-maintain HTTPS support on your indie web site.
How To
See: https://letsencrypt.org/howitworks/
Some server software integrates support for Let's Encrypt, e.g. the web server Caddy and the control panels cPanel, Plesk and Virtualmin.
Many web hosting providers offer built-in support for the entire process including renewals.
EFF's Certbot is an installable tool that can manage the process on a server where you have root access, including updating web server configurations. Certbot is also included in some Linux distributions.
Set up without root access
gRegor Morrill has used https://github.com/diafygi/letsencrypt-nosudo, an interactive Python script that does not require sudo/root. The host will need to install the generated certificate for you, though. This is a good option if you do not have root access or do not want to trust the letsencrypt script with root access. Since it's an interactive process, I do not believe it can be automated.
IndieWeb Examples
Colin Tedford
Colin Tedford signed up for Let's Encrypt through Dreamhost on 2016-02-13 but needs to check for mixed content and WordPress gotchas (if any) before switching to https by default.
Aaron Parecki
Aaron Parecki uses letsencrypt on a bunch of domains, including aaronparecki.com and indieweb.org. [1]
Rascul
rascul uses Let's Encrypt on rascul.xyz.
gRegor Morrill
gRegor Morrill https://gregorlove.com switched from StartSSL on 2016-06-15.
Martijn van der Ven
Martijn van der Ven set-up Let’s Encrypt on licit.li during IndieWebCamp Brighton 2016.
Jonny Barnes
Jonny Barnes uses Let’s Encrypt on jonnybarnes.uk via the EFF’s Certbot client and a custom systemd timer for renewals.
Daniel Goldsmith
Daniel Goldsmith uses LetsEncrypt on nginx for his indieweb sites:
- ViewFromAscraeus uses LetsEncrypt with Hugo (previously pelican) since Jan 2016
- Arbitary uses it with Kyle Mahan's Woodwind
Sebastiaan Andeweg
Sebastiaan Andeweg uses Let's encrypt via the build in form on DirectAdmin.
Eddie Hinkle
Eddie Hinkle uses Let's encrypt via Certbot to manage for all his domains including eddiehinkle.com.
Kartik Prabhu
Kartik Prabhu uses letsencrypt on kartikprabhu.com
Jacky Alcine
Jacky Alciné uses letsencrypt on https://jacky.wtf and https://indiemark.jacky.wtf.
Vika (kisik21)
Vika uses Let's Encrypt for her main site (https://fireburn.ru) via acme.sh with a customised cron script to renew certificates, but is planning to move to simp_le when she installs NixOS on her server (simp_le is integrated into NixOS).
Jamie Tanna
Jamie Tanna uses Let's Encrypt on his site (through Netlify) and through Caddy for his IndieWeb APIs.
add yourself!
Other Independent Examples
AbstractFactory
Template:mwunsch is using it on abstractfactory.tv
Renewal
Letsencrypt certificates are valid for only 90 days. As such, it becomes important to streamline the process of renewing the certificate. If you get certbot from your distro as a package, it might already ship with cron/timer entries, but you likely will still have to adjust the renewal-hook as below.
crontab
Aaron Parecki uses the following method to renew certificates using a cron job.
Create a file, /path/to/renew-letsencrypt.sh
that includes the following. This will renew all pending certificates, and reload nginx.
/path/to/certbot-auto renew --no-self-upgrade --post-hook "/usr/local/sbin/nginx -s reload"
Note the --no-self-upgrade
flag will tell the client not to update itself, which is sometimes a long process and might require user input.
Add the following line to your crontab, which renews all soon-expiring certificates at 12:18am:
18 0 * * 0 /path/to/renew-letsencrypt.sh 2>&1
systemd
Jonny Barnes uses a systemd timer to renew certificates.
Create a service file, which will invoke the certbot client and renew expiring certificates.
/etc/systemd/system/certbot.service
:
[Unit] Description=Renew Let’s Encrypt leaf certificates [Service] Type=simple ExecStart=/path/to/certbot/certbot-auto renew --quiet --must-staple --post-hook 'systemctl restart nginx'
We need to run this every day, so we will set up a timer to do so. The certbot client will only renew certs that are in their last month.
/etc/systemd/system/certbot.timer
:
[Unit] Description=Renewal of Let’s Encrypt Certs [Timer] OnCalendar=daily RandomizedDelaySec=360 Unit=certbot.service [Install] WantedBy=timers.target
Next just enable and start the timer like you would a systemd service, sudo systemctl enable certbot.timer && sudo systemctl start certbot.timer
.
Limitations
Requires control over your own server
You have to have at least some control over your webserver.
Domain aliasing is not supported, e.g. if you have your own domain and use WordPress.com to serve it.
Similarly your own domain on *.github.io.
- E.g. Template:mwunsch is unable to use LetsEncrypt on his own site markwunsch.com because it is hosted on GitHub.
Both WordPress.com and GitHub do have wildcard certificates for their domain names, but those can't or won't work on your own domain name.
Short renewal intervals
A LetsEncrypt certificate is only valid for 90 days, since they aim for users to automate the renewal process as much as possible. If you can't run a LetsEncrypt client on your server (because you use shared hosting, where you only can upload certs manually) you therefore have to do a manual process more often than with CAs that give certs with longer lifespans.
On the other hand, requiring that you renew your certs every 90 days (instead of the typical 1 year) encourages people to automate the process, or at least become more familiar with the process so that it doesn't become a thing you have to re-learn every year.
Criticism
Easy to misconfigure
- Consider moving this to HTTPS#Criticism, as it may be independent of Let's Encrypt.
It appears the configuration of Let's Encrypt certificates is not foolproof, by evidence of examples of sites misconfigured Let's Encrypt certs, especially by web developers. E.g.
- https://puckipedia.com/ (which forces http to redirect to https) invalid as of 2018-07-03:
puckipedia.com uses an invalid security certificate.
The certificate is only valid for dl.puckipedia.com.
Error code: SSL_ERROR_BAD_CERT_DOMAIN- FYI: Expires 2018-214 (Th Aug 2)
- Note: this https URL apparently worked as of 2017-12-25 per this follow post: https://rhiaro.co.uk/2017/12/5a40f595856f0
Convoluted internal process
2023-01-03 : Why I still have an old-school cert on my https site (archived)
Self Description
From their about site:
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
- Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
See Also
- HTTPS
- https://httpd.apache.org/docs/trunk/mod/mod_md.html A work-in-progress Apache module (Managed Domains) to add native support for Let's Encrypt in Apache
- https://community.letsencrypt.org/t/acmev2-and-wildcard-launch-delay/53654
- 2019-02-08 example of expired Let's Encrypt certificate: https://www.thatemil.com/ Begins on: 2018-314; Expires on: 2018-039.
- During 2021, Android devices older than v7.1 (approx. 33% of devices used in the wild) will return a certificate error for sites using Let's Encrypt certificates https://letsencrypt.org/2020/11/06/own-two-feet.html via https://adactio.com/journal/17631
- List of ACME servers that can serve certificates through the same protocol as Let's Encrypt, of which BuyPass and ZeroSSL also offer free certificates
- single-binary tool with no reliance on DNS https://github.com/krtab/agnos