Hands-On

Currently, the project issues software for the Apache web server on Debian and its derivatives. A plugin for Nginx is still at an experimental stage and should not be used for production servers for this reason. The community has already started on a port to Microsoft Windows IIS. The project is happy to add third-party enhancements and plugins to the client software, assuming that they meet the standards requirements. All of this adds to the probability of the software becoming available for other web servers in the near future.

To use Let's Encrypt, you first need to install Git on the server (Listing 1, line 1). Then, change to the server's home directory and download the software from GitHub. Next, change to the newly created letsencrypt directory and stop the web server by typing one of the following commands:

/etc/init.d/apache2 stop
sudo service apache2 stop

Now, initiate the process of creating and installing the certificate (Listing 1, last line). Make sure you replace the example domain example.com with the domain for which the certificate will apply. At this point, you can also specify multiple domains that all resides below the same web root; precede each with -d.

In the background, the software checks to see whether you are authorized to manage the domain. When you are asked whether to use Apache or a temporary web server (Figure 2), you will typically want to confirm the default setting for Apache.

Figure 2: Let's Encrypt suggests the Apache Server as the configuration target: You will typically want to confirm this.

Another prompt checks whether you want to set up all of the domain content with HTTPS. (If you serve up third-party advertising with your website, it makes sense to ask the advertiser whether their ad also works with HTTPS before implementing it.) Unless you have contrary knowledge, again confirm this prompt. A short time later, your certificate will be installed and ready for use. A message points you to a page for validating your certificate. Before you follow the link, first start the web server by typing one of the following:

/etc/init.d/apache2 start
sudo service apache2 start

You can also simply create a certificate without implementing it (Listing 2, first line). This approach also gives Nginx users an option for deploying free certificates. To implement the certificate retroactively in Apache, use the install command in the second line of Listing 2. Again, replace the example domain with your own.

The software lets you create up to 100 subdomains (e.g., sub1.example.com sub2.example.com …) with a single command. This counts as one certificate. Let's Encrypt currently has no limit to the number of certificates that can be issued to different domains [10]. If you are not completely confident with the Apache web server, you should probably wait a couple of weeks until Let's Encrypt begins normal operations.

Results

We tested the procedure on Ubuntu Server 15.04 with Apache 2.4.7-1ubuntu4.8 and on Debian 8 "Jessie" with Apache 2.4.10-10+deb8u3. The results were impressive: The preparations, in the form of downloading and installing the client on the server, were completed in just three minutes; creating and implementing the certificates took less than one minute. We were immediately able to access the test page with HTTPS; subsequent tests of the page at the Qualys SSL Labs [11] site confirms the successful implementation (Figure 3). You can view the technical details of the certificate by opening the security settings of the page in Firefox (Figure 4). For more information on how Let's Encrypt creates and authenticates certificates and keys, see the "Background" box.

Figure 3: The Qualsys SSL test confirmed that the implementation was working perfectly.

Figure 4: The Firefox browser provides detailed information about the certificate.

Figure 5: The software stores the private key along with the certificates below the /etc/letsencrypt/live/ directory. Creating a backup copy is a good idea.

Another of Let's Encrypt's benefits still requires some manual attention as of this writing. For security reasons, the project's certificates are currently restricted to a validity period of three months. Once the CA begins normal operations, the certificates will be renewed automatically. Because the implementation of this function is not complete as of this writing, it is currently the owner's responsibility to rerun the software to renew the certificate's validity before it expires. You can do this manually either by calling the command again or with a cronjob. The procedure automatically revokes the current certificate and replaces it with a new one.

Conclusion

Let's Encrypt provides a revolutionary and simple new method for creating and installing trusted SSL certificates. Within just one year, the developers have nursed the new paradigm to production maturity, thus giving all server operators a free, uncomplicated, and fast approach to providing a secure website.