Let's Encrypt

From IndieWeb
(Redirected from Let’s Encrypt)
Jump to: navigation, search

Let’s Encrypt is a Certificate Authority intended to be free, automated, and open.

Comic strip about switching to LetsEncrypt and not needing to renew an expensive SSL certificate

Why

You should use LetsEncrypt because it's the simplest way to setup easy-to-maintain HTTPS support on your indie web site.

How To

See: https://letsencrypt.org/howitworks/

Set up without root access

gRegor Morrill has used https://github.com/diafygi/letsencrypt-nosudo, an interactive Python script that does not require sudo/root. The host will need to install the generated certificate for you, though. This is a good option if you do not have root access or do not want to trust the letsencrypt script with root access. Since it's an interactive process, I do not believe it can be automated.

IndieWeb Examples

Colin Tedford

Colin Tedford signed up for Let's Encrypt through Dreamhost on 2016-02-13 but needs to check for mixed content and WordPress gotchas (if any) before switching to https by default.

Aaron Parecki

Aaron Parecki uses letsencrypt on a bunch of domains, including aaronparecki.com and indieweb.org. [1]

Rascul

rascul uses Let's Encrypt on rascul.xyz.

gRegor Morrill

gRegor Morrill https://gregorlove.com switched from StartSSL on 2016-06-15.

Martijn van der Ven

Martijn van der Ven set-up Let’s Encrypt on licit.li during IndieWebCamp Brighton 2016.

Jonny Barnes

Jonny Barnes uses Let’s Encrypt on jonnybarnes.uk via the EFF’s Certbot client and a custom systemd timer for renewals.

Daniel Goldsmith

Daniel Goldsmith uses LetsEncrypt on nginx for his indieweb sites:

Sebastiaan Andeweg

Sebastiaan Andeweg uses Let's encrypt via the build in form on DirectAdmin.

add yourself!

Other Independent Examples

AbstractFactory

Template:mwunsch is using it on abstractfactory.tv

Renewal

Letsencrypt certificates are valid for only 90 days. As such, it becomes important to streamline the process of renewing the certificate.

crontab

Aaron Parecki uses the following method to renew certificates using a cron job.

Create a file, /path/to/renew-letsencrypt.sh that includes the following. This will renew all pending certificates, and reload nginx.

/path/to/certbot-auto renew --no-self-upgrade --post-hook "/usr/local/sbin/nginx -s reload"

Note the --no-self-upgrade flag will tell the client not to update itself, which is sometimes a long process and might require user input.

Add the following line to your crontab, which renews all soon-expiring certificates at 12:18am:

18 0 * * 0 /path/to/renew-letsencrypt.sh 2>&1

systemd

Jonny Barnes uses a systemd timer to renew certificates.

Create a service file, which will invoke the certbot client and renew expiring certificates.

/etc/systemd/system/certbot.service:

[Unit]
Description=Renew Let’s Encrypt leaf certificates

[Service]
Type=simple
ExecStart=/path/to/certbot/certbot-auto renew --quiet --must-staple --post-hook 'systemctl restart nginx'

We need to run this every day, so we will set up a timer to do so. The certbot client will only renew certs that are in their last month.

/etc/systemd/system/certbot.timer:

[Unit]
Description=Renewal of Let’s Encrypt Certs

[Timer]
OnCalendar=daily
RandomizedDelaySec=360
Unit=certbot.service

[Install]
WantedBy=timers.target

Next just enable and start the timer like you would a systemd service, sudo systemctl enable certbot.timer && sudo systemctl start certbot.timer.

Limitations

Contents

Requires control over your own server

You have to have at least some control over your webserver.

Domain aliasing is not supported, e.g. if you have your own domain and use WordPress.com to serve it.

Similarly your own domain on *.github.io.

  • E.g. Template:mwunsch is unable to use LetsEncrypt on his own site markwunsch.com because it is hosted on GitHub.

Both WordPress.com and GitHub do have wildcard certificates for their domain names, but those can't or won't work on your own domain name.

Short renewal intervals

A LetsEncrypt certificate is only valid for 90 days, since they aim for users to automate the renewal process as much as possible. If you can't run a LetsEncrypt client on your server (because you use shared hosting, where you only can upload certs manually) you therefore have to do a manual process more often than with CAs that give certs with longer lifespans.

On the other hand, requiring that you renew your certs every 90 days (instead of the typical 1 year) encourages people to automate the process, or at least become more familiar with the process so that it doesn't become a thing you have to re-learn every year.

Self Description

From their about site:


Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

See Also

Personal tools
Namespaces
Variants
Actions
Recent & Upcoming
Resources
Toolbox