Let’s Encrypt : Free SSL certificates for everyone

A new Certificate Authority appears: Let’s Encrypt

If you’ve not heard about it yet, a new Certificate Authority appeared recently, called “Let’s Encrypt”.

Backed by the Internet Security Research Group (ISRG), it aims at securing the web by providing SSL certificates for everyone.

After a bit of teasing, they just entered public beta, which means you can use it now (if you’re able to follow instructions and download a git repository)!

If you’re the brave owner of an SSL domain, remember how painful it has always been…

Remember when you had to sell a liver because multi-domain certificates are so expensive?

Well that’s over. Let’s Encrypt provides free certificates.

Remember when you switched to CACert because it was free? And how much trouble that brought you.

That sounded like a good idea, until you realized all your visitors got scary warnings because CACert is not recognized as a safe authority (well, they give away free certificates — that’s shady as fuck).

That’s over too. Let’s Encrypt is recognized as a safe authority.

Remember when you had to jump through hoops each time you needed a new certificate?

Provide an ID, fill in forms, manually identify your domain, give them your firstborn son…

Yep, over. With Let’s Encrypt, you run their authentication program on your server, which takes care of automatically verifying that you own the domain you want a certificate for.

Remember the pains of configuring your server for SSL?

Right. Unlike Apache, Nginx needs a certificate that contains the whole validation chain (your certificate and the authority’s), and you better put them in the right order.

Well that’s not over. Not completely. Let’s Encrypt is able to configure/deploy automatically with Apache, but Nginx is not supported yet. On the other hand, it does directly generate a full-chain certificate to use with Nginx, so that’s one less hassle.

How does it work?

The principle of Let’s Encrypt is this:

  1. You run the application on your server.
    1. If you’re on Apache, it reads the Apache configuration files, finds your VirtualHosts and the domains associated with them.
    2. If you’re on another web server, you can specify the domains, and give the root directory of each on your server, so that it can create its authentication files.
  2. The Certificate Authority then validates those domains (by giving a token to the server, to be put at a given location, and a nonce that needs to be signed with the server key to verify it) and gives you your certificate.
  3. The application either installs the certificates on its own (with Apache), or just deploys them to a location (/etc/letsencrypt/…).
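The “token at a given location” step above is ACME’s HTTP-01 challenge. As an added illustration that is not part of this post or of the Let’s Encrypt client, the snippet below implements both sides of it in plain Python: the client writes `<token>.<thumbprint of the account key>` under the webroot you gave it, and the CA fetches that URL and compares. The JWK and token are constructed sample values, not real keys.

```python
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet only, so a token can never escape the directory

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME's JWS encoding requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the CA expects to fetch: <token>.<thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def write_challenge_file(webroot: str, token: str, account_jwk: dict) -> Path:
    """Client side: create the file the CA will request at /.well-known/acme-challenge/<token>."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url; refusing to build a path from it")
    target = Path(webroot) / ".well-known" / "acme-challenge" / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization(token, account_jwk), encoding="ascii")
    return target

def verify_served_body(token: str, account_jwk: dict, served_body: bytes) -> bool:
    """CA side: after fetching the URL over plain HTTP, compare the body with the expected value."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return served_body.strip() == expected

# Constructed sample account key (JWK form) and token; real values are much longer.
SAMPLE_JWK = {"kty": "RSA", "n": "AQABAQABAQAB", "e": "AQAB"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

def demo() -> tuple:
    """Round trip in a temporary webroot: returns (written path, CA-side verdict)."""
    webroot = tempfile.mkdtemp()
    path = write_challenge_file(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
    return path, verify_served_body(SAMPLE_TOKEN, SAMPLE_JWK, path.read_bytes())
```

The thumbprint binds the proof to your ACME account key, which is why a token alone, copied from someone else’s server, proves nothing.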

The certificates are only valid for 90 days, but you can easily renew them by relaunching the generation command (do that in a cron and you’re done for life – you can do 5 renewals each week, so don’t abuse it).

The principle of the automatic authentication is explained here, and you can find the full details of the protocol (called ACME – Automatic Certificate Management Environment) in this RFC.

What’s after Beta?

As far as I’ve read, the objectives of Let’s Encrypt are:

  • to support Nginx like Apache (currently experimental)
  • automatic renewal
  • Python3 support (currently Python2.7)
