I had some time and did a git pull on the Let’s Encrypt github page. This is a project that makes it easy to install and maintain free X.509 certificates for web servers. The certificates are in PEM format and can be easily used for any server app but usually it’s just for HTTPS on web servers.
Requesting your own certs
The first time I ran the ./letsencrypt-auto command it used apt-get to download its dependencies. The integration with Ubuntu is nice and works well. A few minutes later of some prodding and poking, meaning I read the Let’s Encrypt User Guide, I gave it a shot.
On my VPS I selected blog.epyon-1.com and ran the following command as root.
./letsencrypt-auto certonly --webroot -w /var/www/vhosts/dembowski.net/ -m not@my-email.btw -d blog.epyon-1.com
The site blog.epyon-1.com is on my WordPress network so the directory is the same. The end result of that was to politely create and place these symlinked files.
/etc/letsencrypt/live/blog.epyon-1.com/cert.pem /etc/letsencrypt/live/blog.epyon-1.com/fullchain.pem /etc/letsencrypt/live/blog.epyon-1.com/privkey.pem
A quick update to my nginx config for
ssl_certificate /etc/letsencrypt/live/blog.epyon-1.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/blog.epyon-1.com/privkey.pem;
I checked with “nginx -t” and “service nginx restart” and that was it.
Encryption has never been this easy
The certificate is valid for 90 days and is recognized by all browsers.
To renew it I’ve created a cron job for the first of every month to run this command.
./letsencrypt-auto certonly --webroot -w /var/www/vhosts/dembowski.net/ -m not@my-email.btw -d blog.epyon-1.com -d epyon-1.com --renew
Which is the same command with just --renew
added to it. Easy. If you don’t renew the CA will send you a reminder at the email you specified via the “-m not@my-email.btw” command line argument.
I’m not directing the output to /dev/null because if that cronjob works or not I want to see that output. If the cronjob fails then I can always run the command by hand.
Will I switch all my domains to Let’s Encrypt?
Why not? The project is currently in a public beta and the Let’s Encrypt tools will change and continue to be developed. But for the next 90 days the certificate I obtained will work fine. Even better if they automatically renew.
What I am looking for is a reasonable expectation of privacy between my web server and my visitors. I do not use TLS for authentication and the Let’s Encrypt certificates work fine.
If I had an online store then I might consider getting an Extended Validation Certificate but that would be only to reassure visitors when they are making a purchase. EV certs are not cheap. Let’s Encrypt is free so it’s not a hard decision for me to make.
This helps protect the traffic from casual snoopers between my server and your browser. It’s not a magic bullet for security but the wide spread adoption of encryption will help promote privacy.
Drew Jaynes says:
Great write-up Jan! I might have to give this a shot with a site or two on my own VPS too. It’s funny, but my site URL almost feels naked without the “https” on the front in today’s web landscape.
January 15, 2016 — 7:05 pm
Jan Dembowski says:
Thanks! I’m glad you liked it.
If you have any questions or need a hand let me know. Setting up Let’s Encrypt on nginx or Apache2 is straight forward and once it’s setup it just takes care of itself.
January 15, 2016 — 9:02 pm