Using Let's encrypt.

Apr 12, 2016, by Hugo Lefeuvre.

Last week, my SSL certificate expired and I decided to try Let's encrypt, a project that aimes to develop a free, automated and open certification authority. It was pretty fast to install and setup, and quite different to what I experienced with SSL certificates in the past. Today the project is leaving beta so I think it's the good moment to write a little blog post about it here. ;)

Installation of the client on a Raspberry Pi

As said, the client is pretty easy to install and setup. On my Raspbian (Apache) web server, I just needed to clone the repository with git clone https://github.com/letsencrypt/letsencrypt and run the client with ./letsencrypt-auto --apache. Don't be surprised, this takes a while on low power ARM machines (20 minutes for me), so think about doing this in a screen/tmux session.

The client is also packaged and can be installed via jessie-backports for people using Debian (jessie-backports isn't available on Raspbian).

On a well configured Apache server, the client is fully automated and should detect all virtualhosts. You will only be asked which addresses should be in the certificate (this can be avoided by passing addresses to the client with -d). The only thing you have to make sure is that the server for which you generate a certificate is well accessible. In fact, Let's encrypt will need it to verify that you're really the owner of the domains you're trying to certify.

It's also possible to ask the client to manually generate the certificates with the --certonly option, in this case everything is explained in the official Getting Started page.

The generated certificates will be valid for 90 days. Many people consider it's too few, but since an automatic renewal is possible, it's not really a problem.

Renewal and update

If you installed the Let's encrypt client directly with the git repository, you'll just have to do a git pull in the directory of the installation to update it. If you installed the Debian package, the client will stay up-to-date if you regularily run apt-get update and apt-get upgrade.

To renew your certificates, a ./letsencrypt-auto renew should be enough. The renewal will only work if the expiration date of the certificates is more than 30 days away from the current date (this command can be run by a cron task!).

Renewing your certificates may also be a good occasion to test your SSL configuration and harden it!