Tom Cannaerts

Let’s Encrypt!

Encryption is becoming more and more important to end-users. This is most definitely the case for websites that process those users' personal information.

SSL certificates have been around for many years, but they are costly and take quite some effort to install and maintain. Traditionally each one needed its own unique IP address, you had to go through some sort of verification process (which usually involved digging through your spam folder to find the validation e-mail), and the certificate had to be installed on the server by hand. And then a year passed... and you could do it all over again.

Fortunately, things have changed for the better. For starters, SNI (Server Name Indication, a TLS extension in which the browser sends the hostname it wants during the handshake) allows multiple SSL certificates to be served from the same IP address. Some hosting providers have already started offering SSL certificates on shared IP addresses this way.

SNI is supported by most computers and smartphones from the last couple of years. If you're still using Internet Explorer on Windows XP, or the stock browser on Android 2.3, you're out of luck. Then again, you'll probably have bigger problems than that as well 😉

So that brings us to the certificates. Meet Let's Encrypt, a free certificate authority that lets you automate the process of requesting, verifying and (optionally) installing certificates. You can use the CLI client provided by Let's Encrypt, or you can roll your own against the public ACME API the CA speaks.

When not using the autoconfiguration option (currently only working for Apache), this is all it takes to get a certificate issued, provided the site is already reachable over plain HTTP on port 80 for the names you request:

letsencrypt certonly -w /var/www/tom.be/htdocs -d tom.be -d www.tom.be

The -w switch points to the document root of the website. During the process Let's Encrypt writes a verification file under .well-known/acme-challenge/ in that directory and fetches it over HTTP, so make sure your webserver actually serves that path (rewrite rules that redirect everything to an index script are a common reason for this step to fail). The whole thing takes about 10 seconds. Once done, the certificate is available in /etc/letsencrypt/live/tom.be/ in PEM format: fullchain.pem (certificate plus intermediate chain) and privkey.pem (the private key, which is readable by root only and should stay that way) are the two files your webserver config will point to.

Currently, the certificates are issued with a validity of 90 days. This is deliberately kept short to encourage automation of renewals, which is ridiculously simple.

letsencrypt renew

That's all there is to it. This will renew every previously issued certificate that expires in less than 30 days and leaves the others alone. It reuses the verification settings from the first run, so there is no need to specify these again. Two things to keep in mind: renew only replaces the files on disk, so your webserver keeps serving the old certificate until you gracefully reload it, and the command exits non-zero when a renewal fails, so don't silence its output. This is something you can easily put into your crontab (daily rather than weekly, so a failed attempt still has time to be retried before the certificate expires) and combine with a graceful reload of your webserver.
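As an added example (not a script from the original post or from the Let's Encrypt project), here is a small cron wrapper that does the two things mentioned above: it runs the renew command, reloads the webserver only when a certificate file actually changed, and fails loudly when renewal did not succeed. The live directory, the renew command and the reload command are assumptions with the usual defaults and can be overridden through environment variables.

```shell
#!/bin/sh
# renew-certs.sh: cron wrapper around "letsencrypt renew".
# Added example, not part of the original post. Paths and commands below are
# assumptions (defaults match a stock Debian/Ubuntu Apache install).
#
# Suggested crontab entry (daily, at an off-peak minute):
#   17 3 * * * /usr/local/sbin/renew-certs.sh

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_CMD="${RENEW_CMD:-letsencrypt renew}"
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"

# Print "path checksum" for every fullchain.pem below the live directory.
# Comparing this before and after renewal tells us whether anything changed.
fingerprint_certs() {
    for f in "$1"/*/fullchain.pem; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$f" "$(cksum < "$f")"
    done
}

# Run the renewal and reload the webserver only if a certificate changed.
# Return codes: 0 = ok (renewed or nothing to do), 1 = renewal failed,
# 2 = renewal succeeded but the reload failed (the new cert is on disk only).
renew_and_reload() {
    before=$(fingerprint_certs "$LIVE_DIR")
    if ! $RENEW_CMD; then
        echo "letsencrypt renew failed; webserver not reloaded" >&2
        return 1
    fi
    after=$(fingerprint_certs "$LIVE_DIR")
    if [ "$before" = "$after" ]; then
        echo "no certificates renewed; webserver not reloaded"
        return 0
    fi
    echo "certificates changed; reloading webserver"
    $RELOAD_CMD || return 2
    return 0
}

# Only run automatically when invoked as the script itself, so the
# functions can also be sourced and called from another script.
case "$0" in
    */renew-certs.sh|renew-certs.sh)
        renew_and_reload
        exit $?
        ;;
esac
```

Because cron mails any output, the failure messages on stderr are enough to get noticed; a non-zero exit also lets a monitoring wrapper pick it up. Reloading only on change avoids bouncing the webserver every day for nothing.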

Although Let's Encrypt is currently still in (public) beta, it already shows that encryption does not need to be a pain in the ass. If anything, it will result in more and more website owners deciding to switch to https.
