Random Notes

Let's Encrypt!

The identity of this website has been verified by Let’s Encrypt Authority X1.

That’s right! Let’s Encrypt, the new free, automated and open certificate authority, has moved to public beta and their client has improved enough that I was able to request a certificate for this blog! In the end it was criminally easy, basically a matter of running one command (after fiddling around a bit to find the correct command…):

letsencrypt-auto certonly --webroot -w /path/to/blog -d blog.nytsoi.net

This uses the Let’s Encrypt program to automatically validate my domain and request a certificate for it (with the default value being a 2048-bit one). The way it does the validation is by adding some files to the path I specified and then making an HTTP request for the domain, checking that the files are accessible. When the domain has been validated, it requests the certificate and saves it. The cool thing about it is that it creates a directory /etc/letsencrypt/live/blog.nytsoi.net/ that contains symlinks to the files required for using the certificate, such as the full chained certificate file and the private key. When I want to renew the certificate, I can run the Let’s Encrypt program with the same arguments again and it will update the symlinks. That means automating it is very easy (and indeed required since their certificates currently only last for 90 days). The program also contains plugins for Apache and nginx, but the nginx plugin is very experimental so I settled for the webroot method.

I’m really excited for Let’s Encrypt’s launch. I hope this will encourage more and more people to adopt HTTPS for their websites, especially those that deal with user logins or other sensitive data. There’s really no reason to not do it anymore. Encryption for everyone!