Last week, my SSL certificate expired and I decided to try Let's Encrypt, a project that aims to develop a free, automated and open certification authority. It was pretty fast to install and set up, and quite different from what I experienced with SSL certificates in the past. Today the project is leaving beta, so I think it's a good moment to write a little blog post about it here. ;)
Installation of the client on a Raspberry Pi
As said, the client is pretty easy to install and set up. On my Raspbian (Apache) web server, I just needed to clone the repository with git clone https://github.com/letsencrypt/letsencrypt and run the client with ./letsencrypt-auto --apache. Don't be surprised, this takes a while on low-power ARM machines (20 minutes for me), so think about doing this in a screen/tmux session.
The client is also packaged and can be installed via jessie-backports for people using Debian (jessie-backports isn't available on Raspbian).
On a well-configured Apache server, the client is fully automated and should detect all virtual hosts. You will only be asked which addresses should be in the certificate (this can be avoided by passing addresses to the client with -d). The only thing you have to make sure of is that the server for which you generate a certificate is reachable. In fact, Let's Encrypt will need it to verify that you're really the owner of the domains you're trying to certify.
It's also possible to ask the client to manually generate the certificates with the --certonly option; in this case everything is explained in the official Getting Started guide.
The generated certificates will be valid for 90 days. Many people consider that too short, but since automatic renewal is possible, it's not really a problem.
Renewal and update
If you installed the Let's Encrypt client directly from the git repository, you'll just have to do a git pull in the installation directory to update it. If you installed the Debian package, the client will stay up-to-date if you regularly run apt-get update and
To renew your certificates, a ./letsencrypt-auto renew should be enough. The renewal will only work if the expiration date of the certificates is more than 30 days away from the current date (this command can be run by a
Renewing your certificates may also be a good opportunity to test your SSL configuration and harden it!
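With 90-day certificates, the main operational risk is an automated renewal that quietly stops working. The script below is an added example, not part of the Let's Encrypt client: it reads the end date of the certificate a server presents (or an `openssl x509 -enddate` line) and flags it when too few days remain. The 20-day threshold and all function names are assumptions chosen for the illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 20  # assumed alert threshold, not a value from the post


def parse_not_after(text):
    """Parse 'notAfter=Jul 11 12:00:00 2016 GMT' (openssl x509 -enddate)
    or the bare date string returned by ssl's getpeercert()."""
    text = text.strip()
    if text.startswith("notAfter="):
        text = text[len("notAfter="):]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def check_expiry(not_after_text, now=None, warn_days=WARN_DAYS):
    """Return (status, whole_days_left) for a certificate end date."""
    now = now or datetime.now(timezone.utc)
    not_after = parse_not_after(not_after_text)
    days = (not_after - now).days  # floors, so negative once expired
    if not_after <= now:
        return "EXPIRED", days
    if days < warn_days:
        return "RENEWAL_OVERDUE", days
    return "OK", days


def fetch_not_after(host, port=443, timeout=10):
    """Read notAfter from the certificate the server presents.
    An already expired certificate fails verification and raises
    ssl.SSLCertVerificationError, which the caller reports as a failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = sys.argv[1]  # the domain that was passed to the client with -d
    try:
        status, days = check_expiry(fetch_not_after(host))
    except (ssl.SSLError, OSError) as exc:
        status, days = "TLS_FAILURE", None
        print(f"{host}: {exc}")
    print(f"{host}: {status} ({days} days left)")
    sys.exit(0 if status == "OK" else 1)
```

The non-zero exit status on anything other than OK lets a scheduler or monitoring system raise the alert.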