Let’s Encrypt Free SSL Certificates
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG). This is the biggest thing I’ve seen hit the internet in the last 5 years, and yet they opened to the public silently back in December 2015 as far as I know. You can go read more about them on their website. I will show you how I got my certificate for this website without using their automated agent software (since I’m running Amazon Linux, which certbot does not support yet).
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
- Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
Technical Advisory Board (TAB)
Our TAB consists of technical experts from major supporting organizations, as well as independent experts with strong CA/PKI industry experience.
- Rich Salz (Akamai)
- Joe Hildebrand (Cisco)
- Jacob Hoffman-Andrews (Electronic Frontier Foundation)
- J.C. Jones (Mozilla)
- Russ Housley (Independent)
- Ryan Hurst (Independent)
- Stephen Kent (Independent)
- Karen O’Donoghue (Internet Society)
Get Your Certificate Without Installing Certbot
Download the certbot software by Let’s Encrypt
$ git clone https://github.com/certbot/certbot
$ cd certbot
$ ./certbot-auto --help
Let’s Encrypt will only issue a limited number of certificates per domain each week. See this thread for the latest numbers. If you are trying out certbot for the first time, use the --test-cert flag and a domain name that does not receive live traffic. This fetches certificates from Let’s Encrypt’s staging server. They won’t be trusted by browsers, but otherwise the process is identical, so you can test a variety of configuration options without hitting the rate limit.
Turn off any web server software that is running on port 80, because the --standalone plugin starts its own temporary listener there to answer the validation challenge. When I ran this command it failed on line 530:
./certbot-auto certonly --standalone --debug --email email@address.com -d blog.travisrunyard.us -d blog.travisrunyard.us
Bootstrapping dependencies via Amazon Linux...
yum is /usr/bin/yum
Loaded plugins: update-motd, upgrade-helper
amzn-main/latest | 2.1 kB 00:00
amzn-updates/latest | 2.3 kB 00:00
Package gcc-4.8.3-3.20.amzn1.noarch already installed and latest version
Package dialog-1.1-9.20080819.1.5.amzn1.x86_64 already installed and latest version
Package augeas-libs-1.0.0-5.7.amzn1.x86_64 already installed and latest version
Package 1:openssl-1.0.1k-14.91.amzn1.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.1k-14.91.amzn1.x86_64 already installed and latest version
Package libffi-devel-3.0.13-11.4.amzn1.x86_64 already installed and latest version
Package system-rpm-config-9.0.3-42.27.amzn1.noarch already installed and latest version
Package ca-certificates-2015.2.6-65.0.1.15.amzn1.noarch already installed and latest version
Package python27-2.7.10-4.120.amzn1.x86_64 already installed and latest version
Package python27-devel-2.7.10-4.120.amzn1.x86_64 already installed and latest version
Package python27-virtualenv-12.0.7-1.12.amzn1.noarch already installed and latest version
Package python27-tools-2.7.10-4.120.amzn1.x86_64 already installed and latest version
Package python27-pip-6.1.1-1.21.amzn1.noarch already installed and latest version
Nothing to do
Creating virtual environment...
./certbot-auto: line 530: virtualenv: command not found
Then I tried to install virtualenv with: pip install virtualenv
but it errored with: bash: pip: command not found
After some more research I ran: easy_install pip
then I installed the Python virtualenv with: pip install virtualenv
then I re-ran the first command: ./certbot-auto certonly --standalone --debug --email email@address.com -d blog.travisrunyard.us -d blog.travisrunyard.us
and got the success message!
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/blog.travisrunyard.us/fullchain.pem. Your cert
   will expire on 2016-08-27. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
Installing Let’s Encrypt on Ubuntu 16.04
The letsencrypt package is included in the default Ubuntu 16.04 repository, so all you need to do is install it. This article is written for NGINX, but the concept is the same for other web servers. I’m using CloudFlare, which acts like a reverse proxy, so I had to temporarily put it into Development mode, which removes the reverse proxy and lets the requesting client hit the web server directly.
$ sudo apt-get update && sudo apt-get install letsencrypt -y
Create the .well-known directory (including the acme-challenge subdirectory that the validation files are served from) with a blank index file so Let’s Encrypt doesn’t fail during the certificate request.
$ sudo mkdir -p /var/www/html/.well-known/acme-challenge && sudo touch /var/www/html/.well-known/index.html
Open up your Nginx config file and insert the following anywhere in your Server block:
location ~ /.well-known {
    allow all;
}
Send your certificate request to Let’s Encrypt, pointing --webroot-path at the document root that contains the .well-known directory you just created:
$ sudo letsencrypt certonly -a webroot --webroot-path=/var/www/website -d website.com -d www.website.com -d subdomain.website.com
then open your Nginx config file again:
$ sudo vi /etc/nginx/sites-available/website.com.conf
TIP: Make sure to include every required sub-domain with its own -d flag, because Let’s Encrypt does not issue wildcard certificates. Each name you list ends up as an alternative domain name in the certificate’s Subject Alternative Name field, and a hostname that is not listed there will fail TLS validation in the browser.
*** UPDATE 10/19/2017 ***
Let’s Encrypt is now offering free wildcard certificates beginning January 2018.
Open the Nginx config file and add the following near the top of the Server block:
    ssl on;
    ssl_certificate_key /etc/ssl/letsencrypt/website/privkey.pem;
    ssl_certificate /etc/ssl/letsencrypt/website/fullchain.pem;
(On nginx 1.15 and later the ssl on; directive is obsolete; enable TLS on the listen directive instead, e.g. listen 443 ssl;.)
When you’re all done, run
$ sudo nginx -t
to check your Nginx config files for syntax errors, then reload the config with
$ sudo nginx -s reload
and you should now be able to serve over https.
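Two things the steps above leave to the operator are noticing when the certificate needs renewing (the certbot output earlier gives an expiry date about 90 days out) and confirming that every hostname from the -d list actually landed in the Subject Alternative Name field. The script below is an added example, not code from this post or from Let’s Encrypt; it assumes the openssl CLI is installed and builds a constructed self-signed sample certificate to check in place of the real fullchain.pem.

```shell
# Post-issuance checks for a Let's Encrypt cert (added example, not code from
# the original post). Assumes the openssl CLI is on PATH.
set -eu
# Certs last 90 days; flag anything closer to expiry than this so that
# "certbot-auto renew" is run in time.
RENEW_WINDOW_DAYS=30
# Return 0 if certificate $1 expires within $2 days. openssl -checkend
# returns 0 while the cert will still be valid, hence the negation.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print one DNS name per line from the Subject Alternative Name extension.
cert_san_names() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 if hostname $2 is listed in the SAN of certificate $1.
cert_covers() { cert_san_names "$1" | grep -qx "$2"; }
# Report expiry and SAN coverage for each expected hostname; the return
# value is the number of hostnames the certificate does not cover.
check_cert() {
  cert="$1"; shift; missing=0
  if cert_expires_within "$cert" "$RENEW_WINDOW_DAYS"; then
    echo "RENEW NOW: $cert expires within $RENEW_WINDOW_DAYS days"
  else
    echo "ok: $cert is valid for more than $RENEW_WINDOW_DAYS days"
  fi
  for host in "$@"; do
    if cert_covers "$cert" "$host"; then
      echo "ok: SAN lists $host"
    else
      echo "MISSING: $host not in SAN; re-issue with -d $host added"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}
# Constructed sample standing in for /etc/ssl/letsencrypt/website/fullchain.pem:
# a self-signed 30-day cert covering website.com and www.website.com only,
# so subdomain.website.com is reported MISSING by the call at the bottom.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SAMPLE_CERT="$WORK/fullchain.pem"
printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3' \
  'prompt = no' '[dn]' 'CN = website.com' '[v3]' \
  'subjectAltName = DNS:website.com, DNS:www.website.com' > "$WORK/san.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/san.cnf" \
  -keyout "$WORK/privkey.pem" -out "$SAMPLE_CERT" 2>/dev/null
check_cert "$SAMPLE_CERT" website.com www.website.com subdomain.website.com || true
```

Point SAMPLE_CERT at the live fullchain.pem and run it from cron to get a daily renewal and coverage report.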
For help with www to non-www and http to https redirection, checkout my other posts:
NGINX configuration with SSL and redirect to non-www
How To Create Temporary and Permanent Redirects with Apache and Nginx