Let’s Encrypt Everything

I renewed the SSL/TSL certificate on one of my little cloud servers over the weekend.  I had been using StartSSL for this.  This time I decided to try out the services of Let’s Encrypt Everything, which worked out nicely.

You can read their website for the background story.  This posting is about the details of how I proceeded.

Let’s Encrypt Everything will sign TLS certificates for your website.  It uses a scheme called ACME.  That scheme involves running some software on your end that talks to their servers.  During that conversation a transient page is created on your website, this is used to prove that you control the site.  That proof of control how they validate that you control the site and thus it’s ok for them to sign off on the cert.

What’s nice about this scheme is that you really don’t need to know much, if anything, about how all this works.  You only need to install some software on your machine – the ACME client – and then follow the instructions.  The better the ACME client the less work you need to do.  This posting has a nice review of various ACME clients.

I first tried the client that the Let’s Encrypt folks are working on.  It didn’t work well for me.  I then moved on to acme-tiny and it was great; though it certainly required more hand work.

The proof of control step/scheme requires that you let the ACME client add a page to your web site, i.e. put a file into your sites http files.  That page is served using HTTP, not HTTPS.

The certificate they give expires in three months, so they presume your likely to run a crontab to renew the certificate, montly say.

The largest hick-up I ran into was that the page wants to be served via HTTP.  My site is setup to to immediately redirect all HTTP traffic to HTTPS.  So I had to adjust the configuration to leave a small hole in that behavior just for the proof of control page.  I do the redirects with Apache’s mod_alias; and it required a bit-o-thought to get that hole build.  I now redirect all URL’s, except those that begin with a period, it’s lame but it works and was easy.

Leave a Reply

Your email address will not be published.