Let's Encrypt
Let’s Encrypt makes it easy for any website owner to obtain a free, valid SSL certificate.
How to use
The tool it offers is certbot (previously named letsencrypt). To obtain a cert, we must authenticate ourselves with Let’s Encrypt. certbot supports several authenticators:
- apache: Authenticate using Apache web server.
- nginx: Authenticate using Nginx web server.
- webroot: Authenticate by writing to root dir of a running web server.
- standalone: Authenticate using a standalone web server.
- manual: Authenticate manually.
Personally, I found the most useful authenticator is standalone. It doesn’t require Apache or Nginx to be installed, nor does it touch the webroot of existing web servers. It also facilitates cert renewal because the standalone web server configuration is unlikely to change.
Request
To request a cert using the standalone authenticator:
certbot certonly --standalone -d example.com
If you specify multiple domains, then all of them will be included in the cert.
The generated files are:
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem
When configuring the web server, use fullchain (not cert) as the cert and privkey as the private key.
Renew
To renew a cert:
certbot renew
If behind a CDN (e.g. Cloudflare):
certbot renew --preferred-challenges http-01
Revoke
To revoke a cert:
certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem
After revoking a cert, certbot will ask whether to also delete it. Usually you should choose Yes.
Documentation
The certbot documentation is here.
How it works
It’s relatively easy to understand how it works. The agent generates a key pair and sends the public key to the Let’s Encrypt CA. It then proves to the CA that it controls the domain and holds the private key by completing the challenges the CA issues.
Once the agent has an authorized key pair, requesting, renewing and revoking certificates are simple.
Finally, it’s worth noting that certs from Let’s Encrypt are only valid for 3 months, so the website owner needs to renew them regularly to keep them valid.
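Because of the 3-month validity, it helps to check how close the leaf certificate in fullchain.pem is to expiry independently of certbot (for example from a monitoring job). The following is an added example, not code from the page or from certbot: it walks the DER structure of the first PEM block (the leaf, i.e. cert.pem) down to the validity field and reports the days left. The sample_fullchain helper and the 30-day threshold are assumptions for demonstration; the sample it builds is a constructed, unsigned certificate skeleton, not a real certificate.

```python
import base64
import re
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length: next n bytes hold it
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def not_after(der_cert):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as a UTC datetime."""
    _, cert, _ = _tlv(der_cert, 0)                  # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                       # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                 # skip the optional [0] EXPLICIT version
    for _ in range(3):                              # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    _, _, pos = _tlv(validity, 0)                   # notBefore
    tag, value, _ = _tlv(validity, pos)             # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def pem_blocks(pem):
    """DER bytes of every CERTIFICATE block in a PEM file, in file order (leaf first in fullchain.pem)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def days_left(fullchain_pem, now):
    """Whole days until the leaf certificate expires; now is a UTC datetime or 'YYYY-MM-DD'."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    return (not_after(pem_blocks(fullchain_pem)[0]) - now).days

def needs_renewal(fullchain_pem, now, threshold_days=30):
    """True when fewer than threshold_days remain (30 is the assumed renewal window)."""
    return days_left(fullchain_pem, now) < threshold_days

def _der(tag, body):                                # minimal DER encoder, short-form lengths only
    return bytes([tag, len(body)]) + body
def sample_fullchain(not_before, not_after_str):
    """Constructed, unsigned certificate skeleton for demonstration; it is NOT a real certificate."""
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after_str.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity)
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

On a live host, read /etc/letsencrypt/live/example.com/fullchain.pem and pass its contents with datetime.now(timezone.utc) as now; the same walk works on real certificates because only the leading fields of tbsCertificate are traversed.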