Let’s Encrypt! Free, automated and open SSL


Let’s Encrypt! is a free, automated, open source SSL Certificate Authority. Nowadays the need for privacy and protection online is at its highest, and it shouldn’t come as a surprise that SSL isn’t limited to banks and ecommerce sites anymore.

The (old) verification process

Traditionally, obtaining an SSL certificate requires a meticulous verification process, for which the Certificate Authority charges the individual or organization a fee that grows with the certificate’s validity period. The verification process mostly consists of two steps:

  • Domain ownership demonstration.
  • Owner identification.

First the owner submits the request, then the Certificate Authority verifies the authenticity of the submission. During this phase the Certificate Authority might perform additional checks, such as sending emails and making phone calls, to verify ownership and identity.

After the verification process is over, the Certificate Authority finally issues the certificate. In the past, Certificate Authority employees carried out the task by hand, verifying each claim. Today computers make the procedure easier, but it still remains largely manual.

Once the CA issues the certificate, it is sent to the owner, who must then install it. This is, again, mostly a manual procedure: an administrator installs the certificate on the server and configures the software (e.g. the web server) accordingly.

Meet Let’s Encrypt!, the open Certificate Authority

Let’s Encrypt! is by all means a Certificate Authority, but its verification process and its certificates are a bit different and, above all, they are free. I can hear what you’re about to say:

“Hey, it’s free but everyone charges a fee, isn’t that a scam?”

-Anonymous

Absolutely not! Let’s Encrypt! is backed by many big names such as Mozilla, Akamai, Cisco, the EFF and many more. Its primary objective is to make the web more secure through encryption.

The verification process of Let’s Encrypt! is automated and specified by the Automatic Certificate Management Environment protocol, ACME for short. No more waiting for approval periods and phone calls: everything is automated, software speaking to software.

In short, the ACME protocol challenges whoever controls the domain; if the challenge succeeds, Let’s Encrypt! issues the certificate. Because only control of the domain is proven, the certificate type can only be DV (Domain Validation).

The certificate has a short lifespan (90 days), but it can be easily (and automatically) renewed using an ACME client such as Certbot.

How does Let’s Encrypt! work?

All the magic behind Let’s Encrypt! can be explained with one word: ACME. It is the ACME protocol that lets this CA work the way it does: every certificate issued by this CA is issued thanks to ACME and its challenge. But what is this challenge exactly?

The challenge is a pretty simple one. When an ACME client asks for a certificate for a domain, the CA answers with a random token (the secret) and a location under that domain where it expects to find it; for the HTTP challenge the location is http://<domain>/.well-known/acme-challenge/<token>. The client does not publish the bare token: it combines the token with the fingerprint (thumbprint) of its own account key into a "key authorization", puts that string at the location, and then tells the CA it is ready (every message the client sends to the CA is signed with that same account key). The CA verifies the signature, fetches the location, and checks that the body matches the key authorization it computed for the account that made the request. Binding the proof to the account key is what stops someone who merely sees the token from completing the challenge for an account of their own. If everything matches, the challenge is complete and the CA issues the certificate.

Notice
The HTTP challenge described above is only one kind. There is also a DNS challenge, where the client publishes a hash of the same key authorization in a TXT record named _acme-challenge.<domain> instead of serving it over HTTP. The CA offers the available challenge types and the client chooses which one to satisfy.
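The exchange described above, as an added example that is not part of the original post and not code from Let’s Encrypt or Certbot: it computes the key authorization for the HTTP challenge the way RFC 8555 defines it (token, a dot, and the RFC 7638 thumbprint of the account key), shows where it is published, plays the CA side of the check, and also derives the TXT value for the DNS challenge. The two account keys are constructed placeholders with fake moduli, not real keys, and the token and domain are constructed too; with a real account key you would export its public "n" and "e" into the JWK.

```python
"""HTTP-01 / DNS-01 key authorization as defined in RFC 8555 (ACME).

Added example for this post; not code from Let's Encrypt or Certbot.
All keys, tokens and domains below are constructed placeholders.
"""
import base64
import hashlib
import json
import secrets

# Constructed placeholder account keys in JWK form (public part only).
# "n" is a short fake modulus to keep the file readable; a real RSA account
# key would carry its real base64url-encoded modulus here.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-owner-account"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-someone-else"}

# A constructed token in the shape a CA hands out (base64url, 256 bits here).
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Client side: the string that proves both the token and the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_location(domain: str, token: str) -> str:
    """Where the CA will look for the key authorization over plain HTTP."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def dns01_record_name(domain: str) -> str:
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """DNS-01 publishes base64url(SHA-256(key authorization)) in a TXT record."""
    return b64url(hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest())


def ca_issue_token() -> str:
    """CA side: a fresh random token (RFC 8555 asks for at least 128 bits)."""
    return b64url(secrets.token_bytes(32))


def ca_verify_http01(token: str, account_jwk: dict, served_body: str) -> bool:
    """CA side: does the fetched body equal the key authorization for THIS account?

    Trailing whitespace is ignored as the spec allows; comparison is constant-time.
    """
    expected = key_authorization(token, account_jwk).encode("ascii")
    got = served_body.rstrip().encode("ascii", errors="replace")
    return secrets.compare_digest(got, expected)


def simulate_exchange(domain: str) -> dict:
    """Walk one HTTP-01 challenge end to end, entirely in-process."""
    token = ca_issue_token()                        # CA -> client: the secret
    url = http01_location(domain, token)            # ... and the location
    body = key_authorization(token, ACCOUNT_JWK)    # client publishes this at url
    web_root = {url: body}                          # stands in for the web server
    fetched = web_root.get(url, "")                 # CA fetches the location
    return {
        "url": url,
        "owner_passes": ca_verify_http01(token, ACCOUNT_JWK, fetched),
        # Same token, same body, different account key: must fail.
        "other_account_fails": not ca_verify_http01(token, OTHER_JWK, fetched),
        "dns_record": dns01_record_name(domain),
        "dns_txt_value": dns01_txt_value(token, ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(simulate_exchange("example.com"), indent=2))
```

The thumbprint is computed over a canonical JSON form, so two clients holding the same account key always agree on it regardless of how they serialise the JWK; that is also why the CA can recompute the expected body on its own without the client ever sending the key authorization over the wire.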

Once the challenge is complete, the client downloads the certificate and might even be able to install it on the server automatically. One such client is Certbot. Certbot ships plugins that install (and renew) certificates for Apache and Nginx, and third-party plugins exist for other software such as HAProxy. Of course you can request a certificate by completing the challenge by hand and installing it manually, but that’s not recommended since the certificates have a short lifespan, 90 days.

If you’re interested in the details of the verification process, take a look here.

Notice
Notice that I used the word CA rather than Let’s Encrypt!. This is because LE is just one CA that issues certificates through the ACME protocol. Other CAs, in the future, might decide to use ACME to issue their certificates too.

What do I need to get started?

To get started you will usually need shell access. If you don’t have shell access you’re probably on shared hosting; in that case you may still be hosted by one of the supported providers (unofficial list). If your provider isn’t in the list, check whether it supports LE or at least allows uploading custom certificates. If you can upload your own certificates, the renewal process may be cumbersome; if you can’t, you’re out of luck and will not be able to use LE.

If you’ve got everything settled, you can jump to the getting started section that describes the procedure with shell access. If you’re on shared hosting please refer to your provider’s documentation.

What are the characteristics of LE certificates?

Let’s Encrypt! certificates have the following characteristics:

  • Short-lived: validity period is one key characteristic of a certificate. LE certificates currently last 90 days.
  • Domain Validation: since LE only verifies control of domains, it can only issue DV certificates. There are currently no plans to implement OV or EV certificates.
  • Compatible: although LE uses a new protocol to issue them, its certificates are not much different from those of other CAs. They work with all the major browsers and modern operating systems, although there are known incompatibilities with some older platforms.
  • Secure: LE accepts RSA keys from 2048 to 4096 bits, as well as P-256 and P-384 ECDSA keys.
  • Multi-domain (SAN): LE supports up to 100 domains per certificate.

I need OV/EV certificates

There are currently no plans to implement OV or EV certificates. LE is not your answer.

I need wildcard certificates

They are currently not supported by LE; however, as part of the ACME v2 API, LE has announced it will start issuing wildcard certificates in January 2018.

Getting started with Certbot

The Certbot client (previously known as the Let’s Encrypt Client) was the primary way to get a certificate during the early days of LE. Nowadays other ACME clients are available, but Certbot remains the recommended one.

To get started you will need shell access.

I will provide a complete tutorial soon, but until then you can simply go to the Certbot website and pick your operating system and web server. Certbot will then guide you through the steps needed to obtain the certificate and, if you use the automatic mode, even install it. If you don’t trust Certbot to modify your web server configuration files, you can always use certonly mode and install the certificate manually.


The Let’s Encrypt! logo is a trademark of the Internet Security Research Group. All rights reserved.

Image courtesy of mark | marksei
