Ruin The assorted ramblings of Brendan Tobolaski

Let's Encrypt

Recently, Iʼve been in the process of setting up a new site from scratch. Completely from scratch: new domain, new design, and new content. This, of course, means new tls certificates. Instead of buying them with Gandi, as I have done a couple of times for this site, I thought Iʼd use Let’s Encrypt.

Letʼs Encrypt is a new certificate authority that provides free and automated certificates. While you could previously get tls certificates from StartSSL, they really burned you on revocation, even in cases of mass revocation. Buying them from Gandi was much better because of these sorts of issues but, there is a cost associated with it. In both cases, getting a certificate issued is a cumbersome process. I was hoping the Letʼs Encrypt could make this process easier.

When you head to Let’s Encryptʼs website, itʼs not immediately apparent how you go about getting a certificate issued. It turns out that you need an ACME client in order to do this. Luckily, there is an official client. On Debian Jessie, its available from the stable repo, so its just and aptitude install away. The letsencrypt utility contains a number of different ways to authenticate a site. Since I was setting up a WordPress site and I use Nginx as my webserver, I found the webroot option to be the simplist way. All you need to do is run letsencrypt certonly --webroot --webroot-path {{website root}} --domains {{domain name}} If you donʼt already have a webserver running, you can have the letsencrypt utility set up a temporary webserver just to authenticate the domain. All you need to do is run letsencrypt certonly --standalone. Both of these methods require you to already have the domain pointed at the serverʼs IP. The end result is a directory in /etc/letsencrypt/live with the certificate and private key. You can just configure your webserver to read the files from there.

Letʼs Encrypt is a much simpler, faster and cheaper way to get tls certificates. Thereʼs also a module for Apache that takes care of generating the certificate for you. Iʼll be glad when the Nginx module is no longer experimental. Iʼll be using Letʼs Encrypt for all of my certificate needs.