Add SSL to Your Server with LetsEncrypt for Free

Set up SSL on your server quickly and easily LetsEncrypt

Configuring SSL on your server(s) can be tedious and can cost you money if you don't know about free, intuitive alternatives to the 'normal way' like LetsEncrypt. This is another cool utility Kurt (kph) told me about.

Why use SSL?

Secure Sockets Layer (SSL), or more specifically Transport Layer Security version 1.2 (TLSv2) allows users to connect to servers using an encrypted connection that protects data passing between the client and server by encrypting it.

An eavesdropper able to intercept traffic will get gibberish instead of clear text data including usernames and passwords that would have been transmitted if SSL is not configured.

Theo's Infosec Blog SSL screenshot

Why LetsEncrypt?

Administrators have been configuring their servers to support secure connections for years. What's the advantage of LetsEncrypt? I'm so glad you asked.

LetsEncrypt Main Page screenshot

LetsEncrypt is totally free. If you were to obtain your own SSL certificate through other means, there is usually a cost involved.

DigiCert, a big name in the certificate world, charges a minimum of $175 a year for certificates. Of course, you can find them much cheaper, but free is hard to come by.

What kind of certs?

LetsEncrypt only offers standard Domain Validation Certificates.

From LetsEncrypts FAQ:

We do not offer Organization Validation (OV), Extended Validation (EV), or wildcard certificates, primarily because we cannot automate issuance for those types of certificates.

What do I need?

In order to set this up, you'll have to have a server configured to serve your web page to visitors, its IP Address, the type of web server, Apache, or nginx for example, and ownership of the domain you're registering.

How does it work?

LetsEncrypt recommends a utility called CertBot maintained by the Electronic Frontier Foundation (EFF) to automatically generate your certificate for you. CertBot leverages the Automated Certificate Management Environment (ACME) protocol to facilitate certificate creation and renewal.

Go to the CertBot site and select your web server and operating system from the drop-downs.

CertBot Web Server and OS Selection screenshot

Once you have selected your operating system and web server type, you'll be directed to custom installation instructions for your server.

CertBot custom installation instructions

Once you've installed certbot, run the command for your server type.
certbot --<web server> -d <your domain name>

Running CertBot screenshot

Short Certificate life

Certificates issued by LetsEncrypt are only valid for 90 days. At 89 days, you can simply renew, or configure an auto-renewal cron job.

CertBot Auto Renewal screen shot

Limitations of Domain Validation certificates

Domain Validation certificates aren't hard to obtain and don't really let you know much about the validity of the site you're hitting.

If you're using a site that allows financial transactions, you'll want a certificate that requires a higher standard of proof of legitimacy than that offered by a Domain Validation certificate.

That said, for an every-day site, like this blog, I want the user to have traffic from her browser to my site encrypted, and I do not want her to have a warning that the certificate on the server is self-signed. So, it serves my purpose.

Site for testing

If you're testing, use the staging environment to avoid hitting rate limits like the 20 certificates per week limit. An example would be configuring and testing automatic renewal.