Basic Internet Security

Lets Encrypt!

20 Jan 2016

A number of months ago, I took notice of the lets-encrypt.org project; their goal was to make it easy AND FREE to obtain SSL certificates.

This was a great thing: so many of my own projects that really should have been HTTPS encrypted were not. I always knew this was nonsense; issuing an SSL certificate is a trivial matter of a few cycles on a CPU, IF you hold a CA certificate. Clearly $100/yr, or even $50/year, was a huge racket, a small number of companies holding us hostage.

So here was a free answer!

Over the months, I participated in a small way in their message boards and GitHub project. Honestly, I found the testing setup a bit perplexing, and having a full-time job/family I did not end up contributing much. Through their hard work, the project came into Beta on Dec 3, 2015; they got a valid CA and were signing certs! They decided that the certs are valid for 90 days only, so be warned: you need to re-issue regularly.

The idea of the project is that with a couple of clicks (on your Production server), their client will scan your enabled sites, validate the domain from their server, and issue you a 3-month cert. I don't entirely agree with this: I don't think anyone should configure your server but you, and I don't think installing the cert is the problem that needed solving. Nonetheless, I am a huge supporter of free/easy SSL certs.

I tried the default setup with little luck, but after a bit of looking I found what I think should be the preferred method of obtaining a cert. It involves getting a validation key from their server, popping that on your site (similar to a Google Analytics verification file), and then collecting your cert. From there you have to set it up on your server, but if you don't know how to do that, well, you really shouldn't be running a server.

After a bit of poking around, here is a simple way to do it.

If you're running Linux, you can skip to step 6. I'm using OS X, and also prefer to do things like this inside a VM, so there you go.

  1. Install VirtualBox; I'm running version 5.0.12
  2. Install Vagrant; I'm running version 1.8.1
  3. At the terminal, create and cd into the project directory (/tmp/letsencrypt)
  4. Fire up the Vagrant instance

    > vagrant init ubuntu/trusty64
    > vagrant up --provider virtualbox

    It will take a bit for Vagrant to download the Ubuntu image and start it up.

  5. SSH into the Vagrant machine

    > vagrant ssh
    
  6. Install git

    > sudo apt-get update
    > sudo apt-get install git
    
  7. Get the letsencrypt project:

    > git clone https://github.com/letsencrypt/letsencrypt
    > cd letsencrypt
    
  8. Ask letsencrypt to issue a validation key; for me I did bigmojo.net (surprise)

    > ./letsencrypt-auto certonly -a manual -d bigmojo.net
    

    At this point, letsencrypt will ask you a couple of questions and then provide you with a verification key. You need to take the key and put it in the correct place on your server; the output is a bit of a mess, but the relevant piece looks like this:

    [Screenshot: Lets Encrypt process]

    To reiterate: copy the key (on the lower line by itself) and put it in a file at the specified URL.

    Once that is complete, hit Enter; the lets-encrypt.org server will fetch that URL to validate your site and issue the cert!

    [Screenshot: Lets Encrypt Issued]

    Here you can see it has written the files to /etc/letsencrypt/live/bigmojo.net, and sure enough a directory listing shows this.

    [Screenshot: Lets Encrypt Certs]

    Now it's up to you to install these; here's a guide.

    So once that is done, you're running SSL! Here it is on bigmojo.net:

    [Screenshot: Lets Encrypt Done]

    A caveat: I had to do this for bigmojo.net AND www.bigmojo.net. I redirect www.bigmojo.net -> bigmojo.net, but you need a valid cert for the name the browser asked for to do ANYTHING, as the SSL handshake (and the certificate check) happens before Apache ever sees the request it would redirect.

    Great work letsencrypt.org, making the Internet a bit more secure.
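As an added example (not code from this post or from the letsencrypt project), here are a few POSIX shell helpers around the manual flow above: staging the challenge file on the web server before you hit Enter, checking that the issued certificate really covers both the bare domain and the www name (the caveat above), and checking the 90-day expiry so you know when to re-issue. The token, key authorization string and paths are constructed placeholders; the `/.well-known/acme-challenge/<token>` location is the standard ACME HTTP-01 path, and the certificate checks shell out to `openssl`.

```shell
#!/bin/sh
# Added example, not from the original post. All values are constructed.

# 1. Stage the HTTP-01 challenge response under the document root.
#    The ACME server fetches http://<domain>/.well-known/acme-challenge/<token>
#    and expects the body to be exactly the key authorization string the
#    letsencrypt client printed. Prints the path it wrote.
stage_challenge() {
  webroot=$1; token=$2; keyauth=$3
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  # printf, not echo: no trailing newline and no escape interpretation,
  # so the served body is byte-for-byte what the client asked for.
  printf '%s' "$keyauth" > "$dir/$token"
  chmod 644 "$dir/$token"
  printf '%s\n' "$dir/$token"
}

# Read the staged file back and compare with what the client showed you,
# so you catch a paste error before the CA does.
verify_challenge_file() {
  path=$1; keyauth=$2
  [ "$(cat "$path")" = "$keyauth" ]
}

# 2. After issuance: does the certificate cover this hostname?
#    This is the bigmojo.net vs www.bigmojo.net gap from the caveat; the
#    browser checks the name it connected to, before any redirect happens.
#    Uses -text output so it works on old and new OpenSSL versions.
cert_covers_name() {
  cert=$1; name=$2
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$name"
}

# 3. 90-day certificates: is the cert still valid N days from now?
#    Exit 0 = fine, 1 = time to re-issue. Drop into cron and alert on 1.
cert_valid_for_days() {
  cert=$1; days=$2
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}
```

Typical use: `stage_challenge /var/www/html "$TOKEN" "$KEYAUTH"` while letsencrypt-auto is waiting for you, then, once the files land in /etc/letsencrypt/live/<domain>/, `cert_covers_name /etc/letsencrypt/live/<domain>/fullchain.pem www.<domain>` and a weekly `cert_valid_for_days ... 30` so a renewal is never a surprise.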