
Let’s Encrypt SSL Certificate

A secure internet is what everyone demands now. We prefer HTTPS over HTTP because HTTPS connections are protected with SSL/TLS. Data sent over HTTPS cannot be read by third parties or by anyone sitting in the middle: it is encrypted, and only the real client and the server see it in its original, unencrypted form. Nowadays, search engines also give secured websites more priority, which helps with SEO.

Anyone can create an SSL certificate with a few lines of commands or a few mouse clicks. But for a certificate to be trusted, it must be issued by a recognized certificate authority. Obtaining such a certificate takes time and money, and depending on the certificate authority and your requirements the cost can be very high.

You could encrypt the data between your web application and its end users with certificates you create yourself. But that is not how things work in the world of domains and servers: your certificate needs to be certified by a trusted third party. Still, the process should not be complicated when access to the internet is not, and we are not willing to pay extra for a certificate that we could make by our own hand for free.

But at the end of the day we cannot bypass those third parties. Web browsers and other client applications do not trust certificates made by our own hands; they trust the ones issued and signed by the third parties called certificate authorities. We do have a solution to our problem. There is a Certificate Authority (CA) called Let’s Encrypt that provides hassle-free and free-of-cost TLS/SSL certificates. You just request a certificate for your website using one of the methods shown in this tutorial and you are ready to go. Unlike others, the certificates provided by Let’s Encrypt need to be renewed every three months (90 days to be precise). You can run a script on your server or VPS to renew the certificate automatically at some interval to take care of this.

Obtaining Let’s Encrypt Certificate

If you are hosting your website on a VPS or on a platform where you have shell access, you can obtain a certificate with the official Certbot ACME client. If you are on a shared hosting environment, your hosting provider should provide automated support for Let’s Encrypt certificates. Most popular shared hosting providers support Let’s Encrypt certificates and renew them automatically for you. If your hosting provider does not provide automated support, you can contact them and ask for it. Also, most hosting providers have a place in their admin panel where you can upload your certificate files. Check which category you fall in and proceed accordingly.

Certbot Let’s Encrypt Client

Certbot is the most popular Let’s Encrypt client. It is available on most major Linux distros. Here, I am showing how to install Certbot on an Ubuntu machine. To get the latest version of certbot, add the PPA repository with the following command.

sudo add-apt-repository ppa:certbot/certbot

Update the package list for the new change:

sudo apt-get update

Now, install certbot along with its apache and nginx plugins:

sudo apt-get install certbot python-certbot-apache python-certbot-nginx

Certbot can automatically retrieve and configure certificates for Apache and Nginx. Let’s say that you want to retrieve a certificate for www.example.com and update the Apache configuration. You just need to execute the following command.

sudo certbot --apache -d www.example.com

Certbot will ask you some necessary questions, run the challenge and retrieve the certificate for you. It will update the configuration of the Apache web server and reload Apache. To test whether things are working properly, visit https://www.example.com.

Renew Certificates

Let’s Encrypt certificates are valid for 90 days only. So, you need to renew the certificates several times a year. It is very easy to renew certificates with certbot. Run the following command to renew all the certificates on your server:

sudo certbot renew

But renewing by hand is not a good way to do it. If you are on managed/shared hosting and the platform has built-in support for renewing Let’s Encrypt certificates, you need not do anything by hand. When you are doing this on a VPS, a dedicated server or another system where you have shell access, you can use cron to run the renewal periodically.

Using Let’s Encrypt With Other Clients

ACME is an open protocol, and it is well documented. There are many clients for Let’s Encrypt certificates, and many more are under development. If you are interested in developing a client, you can do that in your own way. If you know a bit of Python, you can look at the source code of certbot and make a custom client for yourself. There is also a list of ACME clients on Let’s Encrypt’s website.

Visit this link to get the list and decide which alternative you want to use. Almost none of them have all the sweetness of certbot, but some of them have unique features that may attract you. Also, if you are a programmer and have some unique requirements, try to implement one yourself.

Manual Method

Some hosting providers only allow manual uploading of certificates. In that case you need to retrieve the certificates manually from Let’s Encrypt and upload them through your hosting admin dashboard (or whatever mechanism they provide). To retrieve the certificate files you need to use the 'manual' certbot plugin and specify the 'certonly' subcommand. With the manual method you have to prove that the domain you are requesting a certificate for is truly yours. The plugin can use either the http, the dns or the tls-sni challenge. You can use the --preferred-challenges option to choose the challenge you prefer. If you prefer the http method, it will ask you to put a file with specified content in a specific directory of your website/web server. Verify your ownership and answer the other questions to get your certificate.

certbot certonly --manual

You can also pass command line parameters for agreeing to the terms of service and for renewing the certificate.
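As an added example (not code from the original post or from certbot itself), this is the arithmetic behind the http challenge described above: the file certbot --manual asks you to publish under .well-known/acme-challenge/ contains the challenge token joined to the RFC 7638 thumbprint of your ACME account key, and the CA fetches that file over plain HTTP and compares it. The account key components and the token below are sample values; in practice certbot computes this with the account key it registered for you.

```python
import base64
import hashlib
import json

# Sample RSA public-key components in JWK form (sample data, not a real account key;
# the thumbprint is only a hash over these fields, so any key shape works).
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc"
         "_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0"
         "_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI"
         "4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample token


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME and JOSE use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only, serialised
    as JSON with keys in lexicographic order and no whitespace. Extra members such
    as 'alg' or 'kid' are deliberately ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint (RFC 8555 section 8.1): binds the challenge response to
    the account key, so a copied token alone proves nothing to the CA."""
    return token + "." + jwk_thumbprint(account_jwk)


def challenge_file(token: str, account_jwk: dict) -> tuple:
    """Path below the web root and the exact body certbot --manual asks you to publish."""
    return ".well-known/acme-challenge/" + token, key_authorization(token, account_jwk)


def validate_http01(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """The CA side of the check: the body served at the URL must equal the key
    authorization. Trailing whitespace is tolerated; anything else fails."""
    return fetched_body.rstrip() == key_authorization(token, account_jwk)
```

If a validation fails, comparing the served body with challenge_file() output locally is the quickest way to see whether the web server altered the file (for example by appending a newline to an HTML-handled path or by redirecting the request).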

When You Are Unlucky

Some hosting providers provide no way of adding that extra ‘s’ to your ‘http’, that is, they provide no way of adding SSL certificates. For some, you need to manually upload the certificate files; one example is Google App Engine and another is OpenShift. But it is a hassle to re-upload the certificate every 90 days, and you may sometimes forget. If you have more than one or two websites, forgetting becomes even more likely. Also, if you are not comfortable with the command line or with working on servers through SSH, you are again out of luck.

Conclusion

Let’s Encrypt has made the life of webmasters easier by providing a way of obtaining certificates instantly instead of waiting for approval from a CA after submitting a request. Another benefit is that you get it all for free. With all that goodness, just remember to renew the certificate before every 90 days; otherwise your users may get a red warning and you may lose some audience/customers as a result. You could also renew the certificate every few days, but that may hit the rate limit, after which you may not be able to renew your certificate for some time. So be careful in using such a great service.

About the author

Sabuj Sarker

Software Developer & Backend Web Developer, Python, Go, C/C++, Java, PHP and not-so-many languages & technology.

https://twitter.com/SabujXi
https://www.facebook.com/SabujXiP
https://sabuj.me/