Let's Encrypt
| Motto | A more secure and privacy-respecting Web |
|---|---|
| Formation | November 18, 2014 |
| Founder | |
| Headquarters | San Francisco, California, U.S. |
| Services | X.509 certificate authority |
| Parent organization | Internet Security Research Group |
| Budget (2019) | US$ 3.6 million |
| Staff (2019) | 13 |
| Website | letsencrypt.org |
Let's Encrypt is a non-profit subsidiary of the Internet Security Research Group (ISRG) which provides short-lived free TLS certificates to anyone who wants their website to be available over the secure HTTPS protocol. The introduction of a certificate authority anyone can use at zero cost has essentially deprecated the insecure HTTP protocol across the Internet.
The Let's Encrypt root certificate is included in all the major web browsers. This differs from the other free TLS certificate provider, CAcert, which is, sadly, not included in any of the important web browsers. That makes Let's Encrypt the obvious choice.
Free certificates from Let's Encrypt are only valid for 90 days, so they are very short-lived. This is a non-issue in practice because of the way their certificates are typically deployed, using a handy free software program called certbot. Having a cron or systemd timer job running certbot
Deploying HTTPS Using Let's Encrypt
First, install certbot. There should be a package with that name in your favorite GNU/Linux distribution.
You need to have a working web server serving pages for the domain you would like to secure over HTTP. The user you run certbot as needs to be able to create and write to a folder named .well-known within your web root. certbot will write a file to that folder and have the Let's Encrypt certificate authority validate the domain by checking that it can read the file certbot created.
Requesting a TLS certificate is easy once that is set up. All you have to do is run certbot with the parameter certonly to say you only want a certificate (and no web server configuration changes), --webroot -w pointing it to where your web root is, and -d specifying what domain you want a certificate for:
certbot certonly --webroot -w /var/www/yourdomain.tld/ -d yourdomain.tld
The above command will create a folder named /etc/letsencrypt/live/yourdomain.tld/ with symbolic links to /etc/letsencrypt/archive/yourdomain.tld, where the certificates it creates are actually stored.
The certificates you get from Let's Encrypt are only valid for 3 months, so you will want to set up a cron job or a systemd timer renewing them once a month. This is almost as easy as running the simple command
certbot renew
You will likely want to write a longer script around the renewal which ensures your server's HTTP root does not redirect to HTTPS while certbot renew is executed (the validation request arrives over plain HTTP), and you will also want to add something that copies the new certificates to where your web server reads them after it has run. You will also want to ensure that the web server actually re-reads the certificates (service httpd reload or similar).
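As an added example (not code from the original page or from the certbot project), here is a renewal script of the kind described above: run it from cron or a systemd timer, and certbot calls it back as a deploy hook for each renewed certificate so the new files are copied to where the web server reads them and the server is reloaded. The destination directory /etc/ssl/site and the reload command are assumptions; certbot does export RENEWED_LINEAGE to deploy hooks.

```shell
#!/bin/sh
# Added example. Assumed: the web server reads its certificates from
# /etc/ssl/site/<domain>/ and is reloaded with "service httpd reload".
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/site}"
RELOAD_CMD="${RELOAD_CMD:-service httpd reload}"

# install_cert LINEAGE DEST
# Copies fullchain.pem and privkey.pem from a certbot "live" directory into
# DEST. Fails before touching DEST if either file is missing, so the web
# server never ends up with a chain that does not match its key.
install_cert() {
    lineage="$1"
    dest="$2"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    # Copy under a temporary name, then rename: readers never see a partial file.
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$lineage/privkey.pem" "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"   # chain is public
    chmod 0600 "$dest/privkey.pem.tmp"     # key is not
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
}

# deploy_hook: certbot runs this once per renewed certificate and sets
# RENEWED_LINEAGE to the /etc/letsencrypt/live/<domain> directory.
deploy_hook() {
    install_cert "$RENEWED_LINEAGE" "$CERT_DIR/$(basename "$RENEWED_LINEAGE")"
    $RELOAD_CMD   # unquoted on purpose: the command has arguments
}

# main: what the cron job / systemd timer runs. certbot only renews
# certificates close to expiry, so running this daily is harmless.
# If your HTTP vhost redirects to HTTPS, add --pre-hook/--post-hook
# commands here that turn the redirect off and back on around the run.
main() {
    certbot renew --deploy-hook "$0 --deploy"
}

case "${1:-}" in
    --deploy) deploy_hook ;;
    --run) main ;;
esac
```

Invoke it as `/path/to/renew-certs.sh --run` from the timer; use an absolute path so `$0` is valid when certbot calls the hook.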
Alternatives
There are no alternatives to Let's Encrypt; they have a practical monopoly on free TLS certificates. The only free (non-)alternative is CAcert.org, which has failed to get its root certificate into any of the major web browsers.
There are commercial TLS certificate vendors such as GeoTrust who can be used as an alternative to Let's Encrypt. Those became less attractive and somewhat pointless when, in late 2020, the major browsers decided to reject any certificate with an expiration date more than one year out. That makes Let's Encrypt, with its excellent support for renewing certificates automatically using certbot, a better choice than most commercial products even though Let's Encrypt certificates are only valid for 3 months compared to one year from commercial vendors.
Links
The Let's Encrypt website is at letsencrypt.org.
The certbot software is available from certbot.eff.org. There is likely a package called certbot available in your favorite GNU/Linux distribution's repositories.