Let's Encrypt

From IndieWeb
(Redirected from certbot)

Let’s Encrypt is a Certificate Authority intended to be free, automated, and open.

Comic strip about switching to LetsEncrypt and not needing to renew an expensive SSL certificate

Why

You should use LetsEncrypt because it's the simplest way to setup easy-to-maintain HTTPS support on your indie web site.

How To

See: https://letsencrypt.org/howitworks/

Some server software integrates support for Let's Encrypt, e.g. the web server Caddy and the control panels cPanel, Plesk and Virtualmin.

Many web hosting providers offer built-in support for the entire process including renewals.

EFF's Certbot is an installable tool that can manage the process on a server where you have root access, including updating web server configurations. Certbot is also included in some Linux distributions.

Set up without root access

gRegor Morrill has used https://github.com/diafygi/letsencrypt-nosudo, an interactive Python script that does not require sudo/root. The host will need to install the generated certificate for you, though. This is a good option if you do not have root access or do not want to trust the letsencrypt script with root access. Since it's an interactive process, I do not believe it can be automated.

IndieWeb Examples

Colin Tedford

Colin Tedford signed up for Let's Encrypt through Dreamhost on 2016-02-13 but needs to check for mixed content and WordPress gotchas (if any) before switching to https by default.

Aaron Parecki

Aaron Parecki uses letsencrypt on a bunch of domains, including aaronparecki.com and indieweb.org. [1]

Rascul

rascul uses Let's Encrypt on rascul.xyz.

gRegor Morrill

gRegor Morrill https://gregorlove.com switched from StartSSL on 2016-06-15.

Martijn van der Ven

Martijn van der Ven set-up Let’s Encrypt on licit.li during IndieWebCamp Brighton 2016.

Jonny Barnes

Jonny Barnes uses Let’s Encrypt on jonnybarnes.uk via the EFF’s Certbot client and a custom systemd timer for renewals.

Daniel Goldsmith

Daniel Goldsmith uses LetsEncrypt on nginx for his indieweb sites:

Sebastiaan Andeweg

Sebastiaan Andeweg uses Let's encrypt via the build in form on DirectAdmin.

Eddie Hinkle

Eddie Hinkle uses Let's encrypt via Certbot to manage for all his domains including eddiehinkle.com.

Kartik Prabhu

Kartik Prabhu uses letsencrypt on kartikprabhu.com

Jacky Alcine

Jacky Alciné uses letsencrypt on https://jacky.wtf and https://indiemark.jacky.wtf.

Vika (kisik21)

Vika uses Let's Encrypt for her main site (https://fireburn.ru) via acme.sh with a customised cron script to renew certificates, but is planning to move to simp_le when she installs NixOS on her server (simp_le is integrated into NixOS).

Jamie Tanna

  Jamie Tanna uses Let's Encrypt on his site (through Netlify) and through Caddy for his IndieWeb APIs.

add yourself!

Other Independent Examples

AbstractFactory

Template:mwunsch is using it on abstractfactory.tv

Renewal

Letsencrypt certificates are valid for only 90 days. As such, it becomes important to streamline the process of renewing the certificate. If you get certbot from your distro as a package, it might already ship with cron/timer entries, but you likely will still have to adjust the renewal-hook as below.

crontab

Aaron Parecki uses the following method to renew certificates using a cron job.

Create a file, /path/to/renew-letsencrypt.sh that includes the following. This will renew all pending certificates, and reload nginx.

/path/to/certbot-auto renew --no-self-upgrade --post-hook "/usr/local/sbin/nginx -s reload"

Note the --no-self-upgrade flag will tell the client not to update itself, which is sometimes a long process and might require user input.

Add the following line to your crontab, which renews all soon-expiring certificates at 12:18am:

18 0 * * 0 /path/to/renew-letsencrypt.sh 2>&1

systemd

Jonny Barnes uses a systemd timer to renew certificates.

Create a service file, which will invoke the certbot client and renew expiring certificates.

/etc/systemd/system/certbot.service:

[Unit]
Description=Renew Let’s Encrypt leaf certificates

[Service]
Type=simple
ExecStart=/path/to/certbot/certbot-auto renew --quiet --must-staple --post-hook 'systemctl restart nginx'

We need to run this every day, so we will set up a timer to do so. The certbot client will only renew certs that are in their last month.

/etc/systemd/system/certbot.timer:

[Unit]
Description=Renewal of Let’s Encrypt Certs

[Timer]
OnCalendar=daily
RandomizedDelaySec=360
Unit=certbot.service

[Install]
WantedBy=timers.target

Next just enable and start the timer like you would a systemd service, sudo systemctl enable certbot.timer && sudo systemctl start certbot.timer.

Limitations

Requires control over your own server

You have to have at least some control over your webserver.

Domain aliasing is not supported, e.g. if you have your own domain and use WordPress.com to serve it.

Similarly your own domain on *.github.io.

  • E.g. Template:mwunsch is unable to use LetsEncrypt on his own site markwunsch.com because it is hosted on GitHub.

Both WordPress.com and GitHub do have wildcard certificates for their domain names, but those can't or won't work on your own domain name.

Short renewal intervals

A LetsEncrypt certificate is only valid for 90 days, since they aim for users to automate the renewal process as much as possible. If you can't run a LetsEncrypt client on your server (because you use shared hosting, where you only can upload certs manually) you therefore have to do a manual process more often than with CAs that give certs with longer lifespans.

On the other hand, requiring that you renew your certs every 90 days (instead of the typical 1 year) encourages people to automate the process, or at least become more familiar with the process so that it doesn't become a thing you have to re-learn every year.

Criticism

Easy to misconfigure

  • Consider moving this to HTTPS#Criticism, as it may be independent of Let's Encrypt.

It appears the configuration of Let's Encrypt certificates is not foolproof, by evidence of examples of sites misconfigured Let's Encrypt certs, especially by web developers. E.g.

  • https://puckipedia.com/ (which forces http to redirect to https) invalid as of 2018-07-03:

    puckipedia.com uses an invalid security certificate.

    The certificate is only valid for dl.puckipedia.com.

    Error code: SSL_ERROR_BAD_CERT_DOMAIN

Convoluted internal process

2023-01-03 rachelbythebay: Why I still have an old-school cert on my https site (archived)

Self Description

From their about site:


Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

See Also