SSL Certificate Installations with Let’s Encrypt

Let's Encrypt is a new SSL Certificate Authority: It's free, automated, and open. In Public Beta.
26 Jan 2016

An SSL (Secure Sockets Layer) certificate is the industry-standard way to encrypt data to and from the server. SSL certificates allow you to visit a website over HTTPS, which turns on that little green padlock icon in the address bar. They are often required for HIPAA or PCI compliance, since they secure sensitive information. Until recently, projects like these were the only websites that bothered with SSL certificates, because they were (a) expensive and (b) kind of a hassle to install. A normal cert from a standard certificate authority could cost $100/yr, which can be a dissuading factor for smaller websites.

Let’s Encrypt, a new collaborative project from the Linux Foundation, is starting to change all of that. They’ve put together an open-source and automated authority that you can use to sign certificates on your own sites. The best part? It’s free, and they opened a public beta last month. This means that you don’t need an invitation in order to get free certificates from Let’s Encrypt.

Enough background, let’s dig into how to install a free cert from Let’s Encrypt on your own server.

# SSH into your server with a user on the sudoers list

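# clone the latest master branch into your server's opt directory
# (replace <letsencrypt-repository-url> with the Let's Encrypt client repository URL)
git clone <letsencrypt-repository-url> /opt/letsencrypt
cd /opt/letsencrypt

# run the installer on your domain (replace <your-domain>)
./letsencrypt-auto --apache -d <your-domain>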

That’s it! The auto-installer will walk through the few options that it needs in order to set up your SSL certificate, and you’ll be able to pull up your site with https!

The above example uses the --apache flag to install the cert on an existing virtual host domain within an Apache server. There are other options, including one for nginx (it’s still experimental, and requires installing another plugin) and one that only generates the cert, leaving the installation process to you.

The biggest issue that I’ve found with Let’s Encrypt is that the certificates only last 90 days, whereas most other authorities only require renewals every 12 months. Luckily, they have a command-line renewal process that we can run manually every 3 months:

./letsencrypt-auto certonly --apache --renew-by-default -d <your-domain>

Better still, Erika Heidi has created an update script that we can install…

# download the Let's Encrypt renewal script
# (replace <le-renew-script-url> with the URL of the le-renew script)
sudo curl -L -o /usr/local/sbin/le-renew <le-renew-script-url>

# make it executable
sudo chmod +x /usr/local/sbin/le-renew

…and add to a cronjob.

# add a new cronjob with crontab
crontab -e

# append the following line
# this checks the domain to see if it needs to be renewed
# every Wednesday morning at 1:00am
0 1 * * 3 /usr/local/sbin/le-renew >> /var/log/le-renew.log
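
The download step above puts a script fetched from the network into /usr/local/sbin, where cron then runs it every week. One way to pin what gets installed is to compare it against a SHA-256 digest you recorded after reading the script; this is an added example, not code from the original post or from the le-renew author. The names `install_verified`, `LE_RENEW_URL` and `PINNED_SHA256` are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post.
#
# install_verified SRC EXPECTED_SHA256 DEST
#   Copies SRC to DEST with mode 0755 only when the SHA-256 of SRC equals
#   EXPECTED_SHA256 (the digest you recorded after reviewing the script).
#   Returns 0 on success, 1 on checksum mismatch, 2 on bad arguments.
install_verified() {
    src=$1; expected=$2; dest=$3

    [ -f "$src" ] || { echo "install_verified: no such file: $src" >&2; return 2; }

    # Accept upper- or lower-case hex, then insist on exactly 64 hex digits.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*) echo "install_verified: digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "install_verified: digest must be 64 hex digits" >&2; return 2; }

    # Hash via stdin so the file name never appears in sha256sum's output.
    actual=$(sha256sum < "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "install_verified: checksum mismatch, not installing" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi

    # install(1) copies the file and sets its mode in one step.
    install -m 0755 "$src" "$dest"
}

# Usage on the server, run as root. LE_RENEW_URL and PINNED_SHA256 are
# placeholders: the post's download URL is not shown, and the digest is
# one you record yourself after reviewing the script.
#   tmp=$(mktemp)
#   curl -fsSL -o "$tmp" "$LE_RENEW_URL"
#   install_verified "$tmp" "$PINNED_SHA256" /usr/local/sbin/le-renew
```

A mismatch leaves the destination untouched, so a changed upstream script is never picked up by the cron job without a fresh review.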
