Let’s Encrypt – green lock icon for our web page – free SSL certificates

Let’s Encrypt was created with one goal in mind: to provide a secure platform that gives everybody the ability to obtain valid certificates for securing their web pages. That way our site can establish secure and private connections with visitors, which benefits both sides. Because all certificates generated this way are valid, we gain the ‘green lock icon’ in the browser’s URL bar, so visitors are not scared away by a big red warning about an unknown certificate being used (as they would be if we used self-signed certificates).

To begin, I suggest reading Apache Part 2: Enable SSL if you haven’t enabled SSL for your vhosts yet; we will also need self-signed certificates for the full process to complete.

For now (as of 03/18/2016), letsencrypt allows automatic certificate installation on Debian/Ubuntu platforms with Apache2 as the web server; other platforms and web servers are supported via manual installation.

Preparation

The first step is to install the git client, if we haven’t already:

Next we need to download the latest letsencrypt script, which will help us with the signing process:

If we ever need to update letsencrypt, we just need to invoke the ‘pull’ command in the git client like this:

If, in the middle of updating with git pull, we encounter a message about local modifications made by us, there is a quick and dirty fix for that:

Let’s Go!

Method 1: Automatically configure everything (Apache 2 + Debian/Ubuntu)

 

Method 2: Obtaining certificates for web server without automatic installation (webroot module)

 

Method 3: Obtaining certificates without using your web server, using the built-in one instead (standalone module)

If we are using the ‘apache’ module, everything should work right away; otherwise you need to add the certificates manually to the configuration files of your vhosts.

Certificates are saved inside /etc/letsencrypt/archive, but it is best to use the symlinks that are created in /etc/letsencrypt/live/

Renewing certificates!?

For now (03/18/2016), certificates created with Let’s Encrypt are valid for 90 days. Renewing them is more like creating new ones. This can be done by hand or with the script proposed by Let’s Encrypt themselves.

First, we can do a dry run to see whether there will be any errors while renewing the certs:

If the command was successful, we can drop the --dry-run argument:

The ‘renew’ command uses the last saved settings for creating certificates, so if we would like stronger encryption with a longer RSA key, we can do it with:

While renewing certificates, the application checks whether the validity date has passed. If not, the script skips renewal for that certificate, but we can force it by adding the ‘--force-renew’ argument:

Automatic renewing 🙂

This is a copy of the script from https://letsencrypt.org

We need to add the script to cron, so that we don’t have to remember to do this:

This way cron will try to renew every certificate we use once an hour.

We could also skip this script and take another approach, which is to use cron with the force-renewal argument:

This way, on the first day of each month a new certificate will be generated for our domains. We have 90 days for that, so in theory we get 3 tries before our certificate becomes invalid.
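The expiry check and the monthly renewal window described above can be verified from a certificate's end date. The following Python code is an added example, not part of the original post or of the letsencrypt client: it parses the `notAfter=` line printed by `openssl x509 -enddate -noout`, reports whether renewal is due, and counts how many first-of-the-month cron runs remain before expiry, which shows that the number of tries depends on the issue date. The 30-day threshold, the cron time of 00:00 UTC, the function names and the sample lines are assumptions constructed for this example.

```python
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumption for this example: renew when fewer days remain


def parse_enddate(line):
    """Parse a line such as 'notAfter=Jun 16 12:00:00 2016 GMT' into a UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter" or not value:
        raise ValueError("expected 'notAfter=<date>', got %r" % line)
    # ssl.cert_time_to_seconds understands the date format OpenSSL prints
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def monthly_runs_before(now, not_after):
    """Count cron runs at 00:00 UTC on the 1st of a month, after `now` and before expiry."""
    runs, year, month = 0, now.year, now.month
    while True:
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
        if datetime(year, month, 1, tzinfo=timezone.utc) >= not_after:
            return runs
        runs += 1


def assess(line, now):
    """Return (status, whole days left, monthly cron runs left) for one certificate."""
    not_after = parse_enddate(line)
    days_left = (not_after - now).days
    if not_after <= now:
        status = "EXPIRED"
    elif days_left < RENEW_BEFORE_DAYS:
        status = "RENEW"
    else:
        status = "OK"
    return status, days_left, monthly_runs_before(now, not_after)


if __name__ == "__main__":
    # Constructed samples: two 90-day certificates checked at their issue time,
    # and the first one checked again about two weeks before it expires.
    samples = [
        ("notAfter=Jun 16 12:00:00 2016 GMT", datetime(2016, 3, 18, 12, tzinfo=timezone.utc)),
        ("notAfter=Feb 29 06:00:00 2016 GMT", datetime(2015, 12, 1, 6, tzinfo=timezone.utc)),
        ("notAfter=Jun 16 12:00:00 2016 GMT", datetime(2016, 6, 1, tzinfo=timezone.utc)),
    ]
    for line, now in samples:
        print(line, "->", assess(line, now))
```

A certificate issued on 03/18/2016 gets three monthly runs before it expires, while one issued on 12/01/2015 gets only two.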

 

Revoking a certificate:

Update 06/11/2016:

To update the letsencrypt client, you need to run a git command:

While doing so, you may hit an error saying that your local version is modified and that you need to commit those changes. The simplest way to fix this is to reset your local repo:

Update 04/08/2017:

letsencrypt changed its name to certbot.
