Before Let’s Encrypt existed, I – like many others – used to use StartSSL, which offered free domain validated TLS sertificates. It was a useful service, but not without its flaws, for example the user interface was very clumsy to use. When Let’s Encrypt arrived, the automation made me jump ship immediately. But a couple of days ago I got an email from StartCom, the company behind StartSSL, that piqued my interest.
Let’s Encrypt is the new free, automated and open certificate authority, that
I talked about in a previous post. The part that I’m focusing on in this post is
automated. Let’s Encrypt is all about automating the certificate request and renewal process, and they encourage this
to the users by offering a good client – and by only giving out certificates with a maximum of a 3 month validity.
I’m not good at remembering things months down the line, especially if I have to deal with multiple different
subdomains. That’s why I wanted to automate my certificate renewal process.
The identity of this website has been verified by Let’s Encrypt Authority X1.
That’s right! Let’s Encrypt, the new free, automated and open certificate authority, has moved to public beta
and their client has improved enough that I was able to request a certificate for this blog! In the end it was criminally easy,
basically a matter of running one command (after fiddling around a bit to find the correct command…):
This uses the Let’s Encrypt program to automatically validate my domain and request a certificate for it (with the
default value being a 2048-bit one). The way it does the validation is by adding some files to the path I specified and
then making an HTTP request for the domain, checking that the files are accessible. When the domain has been validated,
it requests the certificate and saves it. The cool thing about it is that it creates a directory
/etc/letsencrypt/live/blog.nytsoi.net/ that contains symlinks to the files required for using the certificate, such as
the full chained certificate file and the private key. When I want to renew the certificate, I can run the Let’s
Encrypt program with the same arguments again and it will update the symlinks. That means automating it is very easy
(and indeed required since their certificates currently only last for 90 days). The program also contains plugins for
Apache and nginx, but the nginx plugin is very experimental so I settled for the webroot method.
I’m really excited for Let’s Encrypt’s launch. I hope this will encourage more and more people to adopt HTTPS for their
websites, especially those that deal with user logins or other sensitive data. There’s really no reason to not do it
anymore. Encryption for everyone!