Convenient SSL implementation
Hands-On
Currently, the project's client supports the Apache web server on Debian and its derivatives. A plugin for Nginx is still at an experimental stage and, for this reason, should not be used on production servers. The community has already started on a port to Microsoft Windows IIS. The project is happy to accept third-party enhancements and plugins for the client software, provided they meet its standards. All of this makes it likely that the software will become available for other web servers in the near future.
To use Let's Encrypt, you first need to install Git on the server (Listing 1, line 1). Then change to the server's home directory and download the software from GitHub. Next, change to the newly created letsencrypt directory and stop the web server by typing one of the following commands:
/etc/init.d/apache2 stop
sudo service apache2 stop
Listing 1: Setting Up Let's Encrypt
Now, initiate the process of creating and installing the certificate (Listing 1, last line). Make sure you replace the example domain example.com with the domain for which the certificate will apply. At this point, you can also specify multiple domains that all reside below the same web root; precede each with -d.
In the background, the software checks whether you actually control the domain. When you are asked whether to use Apache or a temporary web server (Figure 2), you will typically want to confirm the default setting, Apache.
Another prompt asks whether you want to serve all of the domain's content over HTTPS. (If you serve third-party advertising on your website, it makes sense to ask the advertiser whether their ad also works over HTTPS before switching, because browsers block or flag insecure content embedded in HTTPS pages.) Unless you know otherwise, confirm this prompt as well. A short time later, your certificate will be installed and ready for use. A message points you to a page for validating your certificate. Before you follow the link, start the web server by typing one of the following:
/etc/init.d/apache2 start
sudo service apache2 start
You can also simply create a certificate without installing it (Listing 2, first line). This approach also gives Nginx users a way to deploy free certificates. To install the certificate in Apache later, use the install command in the second line of Listing 2. Again, replace the example domain with your own.
Listing 2: Creating and Implementing a Certificate
The software lets you cover up to 100 subdomains (e.g., sub1.example.com, sub2.example.com, …) with a single command; they all end up in one certificate, which counts as one certificate toward the rate limits. Let's Encrypt currently has no limit on the number of certificates issued for different domains [10]. If you are not completely confident with the Apache web server, you should probably wait a couple of weeks until Let's Encrypt begins normal operations.
Results
We tested the procedure on Ubuntu Server 15.04 with Apache 2.4.7-1ubuntu4.8 and on Debian 8 "Jessie" with Apache 2.4.10-10+deb8u3. The results were impressive: The preparations, that is, downloading and installing the client on the server, were completed in just three minutes; creating and installing the certificate took less than one minute. We were immediately able to access the test page over HTTPS, and a subsequent test of the page at Qualys SSL Labs [11] confirmed the successful installation (Figure 3). You can view the technical details of the certificate by opening the page's security settings in Firefox (Figure 4). For more information on how Let's Encrypt creates and authenticates certificates and keys, see the "Background" box.
Background
The Let's Encrypt client, which is written in Python, is responsible both for communicating with the CA while the certificate is created and for configuring the server when the certificate is installed. The script first generates a keypair on the server; the private key never leaves the machine, and the CA only ever sees the public key, which it later certifies. The keys reside in /etc/letsencrypt/live/ below the domain name in each case. The software then sends a Certificate Signing Request (CSR) containing the public key to the CA.
The CA then needs to make sure that the server that initiated the process is actually reachable under the domain in question. To do so, the client places a file at a path the CA specifies below /.well-known/acme-challenge/ on the server, where it is accessible via plain HTTP, and the CA requests it. This proof of control over the domain is all that a domain-validated (class 1) certificate requires; nothing about the organization behind the domain is verified.
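To make the "file accessible via HTTP" concrete, here is an added illustration of the ACME http-01 challenge as specified in RFC 8555; it is example code written for this article, not code from the Let's Encrypt client. The client derives a key authorization from the CA's token and the RFC 7638 thumbprint of its account key and publishes it below /.well-known/acme-challenge/; the CA fetches that path and compares. The account key (SAMPLE_ACCOUNT_JWK), the token (SAMPLE_TOKEN) and the in-memory web root are constructed placeholders, not real key material or a real server, and all function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import string

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Tokens are base64url text (RFC 8555 section 8.3); anything else is rejected so a
# token from the network can never steer the file outside the challenge directory.
_TOKEN_CHARS = set(string.ascii_letters + string.digits + "-_")


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample account key in JWK form. The modulus is made up (a hash repeated
# to modulus size) purely so the example runs offline; it is not a real RSA key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(hashlib.sha256(b"constructed sample modulus").digest() * 8),
    "alg": "RS256",  # optional member: must not influence the thumbprint
}

# Constructed sample token, standing in for the value the CA sends in the challenge.
SAMPLE_TOKEN = b64url(hashlib.sha256(b"constructed sample token").digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the JSON of the REQUIRED members only,
    keys in lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The string the client must publish: token '.' thumbprint(account key).
    Tying the response to the account key means it cannot be reused by a different
    ACME account that happens to see the token."""
    return token + "." + jwk_thumbprint(account_jwk)


def is_valid_token(token: str) -> bool:
    return bool(token) and all(c in _TOKEN_CHARS for c in token)


def challenge_file(token: str, account_jwk: dict):
    """Client side: (URL path below the web root, exact body to serve there)."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url text")
    return CHALLENGE_PREFIX + token, key_authorization(token, account_jwk).encode("ascii")


def ca_validates(fetched_body: bytes, token: str, account_jwk: dict) -> bool:
    """CA side: compare what it fetched over HTTP with the expected key authorization.
    Trailing whitespace is ignored, as RFC 8555 section 8.3 allows."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(fetched_body.rstrip(b" \t\r\n"), expected)


def simulate_http01(token: str = SAMPLE_TOKEN, account_jwk: dict = SAMPLE_ACCOUNT_JWK) -> bool:
    """Both halves of the exchange against an in-memory stand-in for the web root."""
    web_root = {}                                          # path -> bytes, instead of a document root
    path, body = challenge_file(token, account_jwk)        # 1. client publishes the key authorization
    web_root[path] = body + b"\n"                          # editors and echo often add a newline
    fetched = web_root.get(CHALLENGE_PREFIX + token, b"")  # 2. CA fetches http://<domain><path>
    return ca_validates(fetched, token, account_jwk)       # 3. CA compares and, if equal, issues
```

The token check matters on a real server: the client writes a file named after a value received from the network, so restricting it to the base64url alphabet rules out path components such as "../" before anything touches the web root.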
After the check succeeds, the CA issues the certificate, and the client stores it along with the private key below /etc/letsencrypt/live/ (Figure 5). It makes sense to back up this directory after the installation; because it contains the private key, the backup needs the same protection as the server itself. In the final step, the script integrates the certificate into the server configuration and outputs a success message. For Apache, the resulting virtual host configuration typically ends up below /etc/apache2/sites-enabled. For more technical details, see the Let's Encrypt project's documentation [12].
Another of Let's Encrypt's benefits still requires some manual attention as of this writing. For security reasons, the project's certificates are currently restricted to a validity period of three months (90 days): A short lifetime limits the damage a compromised key can do and reduces the dependence on revocation. Once the CA begins normal operations, certificates will be renewed automatically. Because the implementation of this function is not complete as of this writing, it is currently the owner's responsibility to rerun the software to renew the certificate before it expires, either manually, by calling the command again, or from a cron job. Renewal simply obtains a new certificate and replaces the installed one; the old certificate is not revoked but merely expires.
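Because renewal is currently manual, a cron job needs to know how close a certificate is to expiry. The following is an added example written for this article, not part of the Let's Encrypt client, that reads the notAfter date straight out of the certificate's DER structure with nothing but the Python standard library, so a cron job can decide whether to rerun the client. The 30-day threshold, all function names, and the unsigned certificate skeleton used as offline test input are assumptions made here; on a real server you would point check_cert_file at the cert.pem the client stores below /etc/letsencrypt/live/<domain>/.

```python
import base64
import datetime as dt
import re


def pem_to_der(pem_text: str) -> bytes:
    """Strip the armour of the first CERTIFICATE block in a PEM file and decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, value: bytes) -> dt.datetime:
    """Decode an X.509 Time (UTCTime or GeneralizedTime, both ending in Z) as naive UTC."""
    s = value.decode("ascii")
    if tag == 0x17:                       # UTCTime YYMMDDHHMMSSZ: two-digit year, 50..99 is 19xx
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    elif tag != 0x18:                     # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ")


def certificate_validity(der: bytes):
    """Walk Certificate -> tbsCertificate -> validity and return (notBefore, notAfter)."""
    _, cert, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)             # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)            # version [0] EXPLICIT, optional (absent for v1)
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)        # serialNumber INTEGER
    _, _, pos = _tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)            # issuer Name
    _, validity, _ = _tlv(tbs, pos)       # validity ::= SEQUENCE { notBefore, notAfter }
    t1, not_before, p = _tlv(validity, 0)
    t2, not_after, _ = _tlv(validity, p)
    return _parse_time(t1, not_before), _parse_time(t2, not_after)


def days_remaining(der: bytes, now: dt.datetime) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    return (certificate_validity(der)[1] - now).days


def needs_renewal(der: bytes, now: dt.datetime, threshold_days: int = 30) -> bool:
    """Renew when fewer than threshold_days remain. The 30-day default is an assumption
    made here; it leaves room for several retries within a 90-day lifetime."""
    return days_remaining(der, now) < threshold_days


def check_cert_file(path: str, now: dt.datetime = None, threshold_days: int = 30) -> bool:
    """Cron entry point: True if the certificate in this PEM file should be renewed now."""
    with open(path, "r", encoding="ascii") as f:
        der = pem_to_der(f.read())
    now = now or dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    return needs_renewal(der, now, threshold_days)


# --- constructed test input: an unsigned certificate skeleton, not a usable certificate ---

def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (the inverse of _tlv), used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def constructed_sample_cert(not_before: dt.datetime, not_after: dt.datetime) -> bytes:
    """Just enough X.509 structure to exercise the parser; names, key and signature are empty."""
    def utc(t):
        return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    empty_name = _der(0x30, b"")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                 # version v3
                     + _der(0x02, b"\x01")                           # serialNumber 1
                     + sha256_rsa + empty_name                       # signature, issuer
                     + _der(0x30, utc(not_before) + utc(not_after))  # validity
                     + empty_name + _der(0x30, b""))                 # subject, empty SPKI
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))        # empty signature BIT STRING


def to_pem(der: bytes) -> str:
    """Wrap DER in PEM armour, the form in which the client stores cert.pem."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")
```

A cron job would call check_cert_file on the live cert.pem and rerun the client only when it returns True; checking the certificate itself, rather than remembering the date of the last run, also catches the case where a previous renewal silently failed.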
Conclusion
Let's Encrypt provides a revolutionary and simple new method for creating and installing trusted SSL certificates. Within just one year, the developers have nursed the new paradigm to production maturity, thus giving all server operators a free, uncomplicated, and fast approach to providing a secure website.
Infos
[1] StartSSL: https://www.startssl.com/
[2] CAcert: http://www.cacert.org
[3] Let's Encrypt: https://letsencrypt.org
[4] ISRG: https://en.wikipedia.org/wiki/Internet_Security_Research_Group
[5] Transparency report: https://letsencrypt.org/documents/ISRG-Legal-Transparency-Report-July-1-2015.pdf
[6] X.509: https://en.wikipedia.org/wiki/X.509
[7] TLS: https://en.wikipedia.org/wiki/Transport_Layer_Security
[8] IdenTrust: https://www.identrust.com/
[9] ACME: https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
[10] Current rate limits: https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769
[11] Qualys SSL Labs: https://www.ssllabs.com/ssltest/
[12] Technology documentation: https://letsencrypt.org/howitworks/technology/