Let's Encrypt

 Let’s Encrypt  is a Certificate Authority intended to be free, automated, and open.



Why
You should use LetsEncrypt because it's the simplest way to setup easy-to-maintain HTTPS support on your indie web site.

How To
See: https://letsencrypt.org/howitworks/

Some server software integrates support for Let's Encrypt, e.g. the web server Caddy and the control panels cPanel, Plesk and Virtualmin.

Many web hosting providers offer built-in support for the entire process including renewals.

EFF's Certbot is an installable tool that can manage the process on a server where you have root access, including updating web server configurations. Certbot is also included in some Linux distributions.

Set up without root access
has used https://github.com/diafygi/letsencrypt-nosudo, an interactive Python script that does not require sudo/root. The host will need to install the generated certificate for you, though. This is a good option if you do not have root access or do not want to trust the letsencrypt script with root access. Since it's an interactive process, I do not believe it can be automated.

Colin Tedford
signed up for Let's Encrypt through Dreamhost on 2016-02-13 but needs to check for mixed content and WordPress gotchas (if any) before switching to https by default.

Aaron Parecki
uses letsencrypt on a bunch of domains, including aaronparecki.com and indieweb.org. 

Rascul
uses Let's Encrypt on rascul.xyz.

gRegor Morrill
https://gregorlove.com switched from StartSSL on 2016-06-15.

Martijn van der Ven
set-up Let’s Encrypt on licit.li during IndieWebCamp Brighton 2016.

Jonny Barnes
uses Let’s Encrypt on jonnybarnes.uk via the EFF’s Certbot client and a custom systemd timer for renewals.

Daniel Goldsmith
uses LetsEncrypt on nginx for his indieweb sites:
 * ViewFromAscraeus uses LetsEncrypt with Hugo (previously pelican) since Jan 2016
 * Arbitary uses it with 's Woodwind

Sebastiaan Andeweg
uses Let's encrypt via the build in form on DirectAdmin.

Eddie Hinkle
uses Let's encrypt via Certbot to manage for all his domains including eddiehinkle.com.

Kartik Prabhu
uses letsencrypt on kartikprabhu.com

Jacky Alcine
uses letsencrypt on https://jacky.wtf and https://indiemark.jacky.wtf.

Vika (kisik21)
uses Let's Encrypt for her main site (https://fireburn.ru) via acme.sh with a customised cron script to renew certificates, but is planning to move to simp_le when she installs NixOS on her server (simp_le is integrated into NixOS).

Jamie Tanna
uses Let's Encrypt on his site (through Netlify) and through Caddy for his IndieWeb APIs.

AbstractFactory
is using it on abstractfactory.tv

Renewal
Letsencrypt certificates are valid for only 90 days. As such, it becomes important to streamline the process of renewing the certificate. If you get certbot from your distro as a package, it might already ship with cron/timer entries, but you likely will still have to adjust the renewal-hook as below.

crontab
uses the following method to renew certificates using a cron job.

Create a file,  that includes the following. This will renew all pending certificates, and reload nginx.

/path/to/certbot-auto renew --no-self-upgrade --post-hook "/usr/local/sbin/nginx -s reload"

Note the  flag will tell the client not to update itself, which is sometimes a long process and might require user input.

Add the following line to your crontab, which renews all soon-expiring certificates at 12:18am:

18 0 * * 0 /path/to/renew-letsencrypt.sh 2>&1

systemd
uses a systemd timer to renew certificates.

Create a service file, which will invoke the certbot client and renew expiring certificates.

Description=Renew Let’s Encrypt leaf certificates

[Service] Type=simple ExecStart=/path/to/certbot/certbot-auto renew --quiet --must-staple --post-hook 'systemctl restart nginx'

We need to run this every day, so we will set up a timer to do so. The certbot client will only renew certs that are in their last month.

Description=Renewal of Let’s Encrypt Certs

[Timer] OnCalendar=daily RandomizedDelaySec=360 Unit=certbot.service

[Install] WantedBy=timers.target

Next just enable and start the timer like you would a systemd service,.

Requires control over your own server
You have to have at least some control over your webserver.

Domain aliasing is not supported, e.g. if you have your own domain and use WordPress.com to serve it.

Similarly your own domain on *.github.io.
 * E.g. is unable to use LetsEncrypt on his own site markwunsch.com because it is hosted on GitHub.

Both WordPress.com and GitHub do have wildcard certificates for their domain names, but those can't or won't work on your own domain name.

Short renewal intervals
A LetsEncrypt certificate is only valid for 90 days, since they aim for users to automate the renewal process as much as possible. If you can't run a LetsEncrypt client on your server (because you use shared hosting, where you only can upload certs manually) you therefore have to do a manual process more often than with CAs that give certs with longer lifespans.

On the other hand, requiring that you renew your certs every 90 days (instead of the typical 1 year) encourages people to automate the process, or at least become more familiar with the process so that it doesn't become a thing you have to re-learn every year.

Easy to misconfigure
It appears the configuration of Let's Encrypt certificates is not foolproof, by evidence of examples of sites misconfigured Let's Encrypt certs, especially by web developers. E.g.
 * Consider moving this to HTTPS, as it may be independent of Let's Encrypt.


 * https://puckipedia.com/ (which forces http to redirect to https) invalid as of 2018-07-03: "puckipedia.com uses an invalid security certificate. The certificate is only valid for dl.puckipedia.com. Error code: SSL_ERROR_BAD_CERT_DOMAIN"
 * FYI: Expires 2018-214 (Th Aug 2)
 * Note: this https URL apparently worked as of 2017-12-25 per this follow post: https://rhiaro.co.uk/2017/12/5a40f595856f0

Self Description
From their about site:

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:


 * Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
 * Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
 * Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
 * Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
 * Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
 * Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.