What’s better than SSL everywhere? Free SSL everywhere! I first heard about the letsencrypt.org project at Defcon 23 in July (you can watch the same presentation here: https://www.youtube.com/watch?v=Ya6t8nMclos). The concept was great, and I agreed with many of the points that were made, although the difficulty of setting up TLS was quite overblown, it really isn’t that difficult. I was interested in the concept, but at that time the project was not available for use, but now it is, and it’s fairly easy to use, though does have one minor drawback.
The drawback is that they only issue short lived certificates for 90 days. Not really that big of a deal since all you have to do is renew your cert once every 90 days or so, and the process is pretty simple.
They have attempted to make the whole process simple by creating a client that does most of the work for you. However, I didn’t want to go through the hassle of setting up SSL the way they wanted, I just wanted quick access to a free SSL cert, I already know how to implement it. After a quick look through their documentation, there was already a freebsd port, making it all very simple:
cd /usr/ports/security/py-letsencrypt && make install clean
Since I didn’t want to have their client listening, I already had my site up and running, I just ran the request in manual mode from the server:
$ sudo letsencrypt –manual certonly
This is where I entered the the parent domain, and two subdomains that I needed the SSL cert to cover.
I just accepted that they would be logging my request.
Make sure your web server displays the following content at
http://domain.com/.well-known/acme-challenge/A9R4V5lIm3qgiTZ5YXPrpmE0Q_bTPaoI_s75Ne366TM before continuing:A9R4V5lIm3qgiTZ5YXPrpmE0Q_bTPaoI_s75Ne366TM.JW9Bgokl0764oEB51WYtpeXT05421n5lM2eE17KPmF5
If you don’t have HTTP server configured, you can run the following
command on the target server (as root):mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf “%s” A9R4V5lIm3qgiTZ5YXPrpmE0Q_bTPaoI_s75Ne366TM.JW9Bgokl0764oEB51WYtpeXT05421n5lM2eE17KPmF5 > .well-known/acme-challenge/A9R4V5lIm3qgiTZ5YXPrpmE0Q_bTPaoI_s75Ne366TM
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
“import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer((”, 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()”
Press ENTER to continue
I had to create the requested files with the requested string at the required URL for the authentication process three times (a different file name and string for each domain). Upon completion:
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at
/usr/local/etc/letsencrypt/live/www.domain.com/fullchain.pem. Your
cert will expire on 2016-03-20. To obtain a new version of the
certificate in the future, simply run Let’s Encrypt again.
– If like Let’s Encrypt, please consider supporting our work by:Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The directory that the cert is written to just contains symlinks to the actual cert chain and key, and updates them as the client is used subsequent times to renew, quite handy. For example, when I updated a second time:
$ ls -al /usr/local/etc/letsencrypt/live/www.domain.com/
total 8
drwxr-xr-x 2 root wheel 512 Dec 20 23:55 .
drwx—— 3 root wheel 512 Dec 20 23:43 ..
lrwxr-xr-x 1 root wheel 37 Dec 20 23:55 cert.pem -> ../../archive/www.domain.com/cert2.pem
lrwxr-xr-x 1 root wheel 38 Dec 20 23:55 chain.pem -> ../../archive/www.domain.com/chain2.pem
lrwxr-xr-x 1 root wheel 42 Dec 20 23:55 fullchain.pem -> ../../archive/www.domain.com/fullchain2.pem
lrwxr-xr-x 1 root wheel 40 Dec 20 23:55 privkey.pem -> ../../archive/www.domain.com/privkey2.pem
There is one thing that the client does currently, which I do not like, is that it leaves the actual file permissions og+r, so I have to take the extra step to change the permissions manually, though it will work fine without this change:
$ ls -al
total 40
drwxr-xr-x 2 root wheel 512 Dec 20 23:55 .
drwx—— 3 root wheel 512 Dec 20 23:43 ..
-rw——- 1 root wheel 1805 Dec 20 23:43 cert1.pem
-rw-r–r– 1 root wheel 1830 Dec 20 23:55 cert2.pem
-rw——- 1 root wheel 1675 Dec 20 23:43 chain1.pem
-rw-r–r– 1 root wheel 1675 Dec 20 23:55 chain2.pem
-rw——- 1 root wheel 3480 Dec 20 23:43 fullchain1.pem
-rw-r–r– 1 root wheel 3505 Dec 20 23:55 fullchain2.pem
-rw——- 1 root wheel 1704 Dec 20 23:43 privkey1.pem
-rw-r–r– 1 root wheel 1704 Dec 20 23:55 privkey2.pem$ sudo chmod 600 *
$ ls -al
total 40
drwxr-xr-x 2 root wheel 512 Dec 20 23:55 .
drwx—— 3 root wheel 512 Dec 20 23:43 ..
-rw——- 1 root wheel 1805 Dec 20 23:43 cert1.pem
-rw——- 1 root wheel 1830 Dec 20 23:55 cert2.pem
-rw——- 1 root wheel 1675 Dec 20 23:43 chain1.pem
-rw——- 1 root wheel 1675 Dec 20 23:55 chain2.pem
-rw——- 1 root wheel 3480 Dec 20 23:43 fullchain1.pem
-rw——- 1 root wheel 3505 Dec 20 23:55 fullchain2.pem
-rw——- 1 root wheel 1704 Dec 20 23:43 privkey1.pem
-rw——- 1 root wheel 1704 Dec 20 23:55 privkey2.pem
The cert is then available to use as you see fit, for any protocol you need, not just HTTPS. I placed it in Apache as follows:
edit /usr/local/etc/apache24/extra/httpd-ssl.conf, and within a new <VirtualHost _default_:443> section, set:
ServerName domain.com:443
ServerAlias domain.com *.domain.com
SSLEngine on
SSLCACertificateFile “/usr/local/etc/letsencrypt/live/www.domain.com/chain.pem”
SSLCertificateFile “/usr/local/etc/letsencrypt/live/www.domain.com/cert.pem”
SSLCertificateKeyFile “/usr/local/etc/letsencrypt/live/www.domain.com/privkey.pem”
I also modified my old non-SSL <VirtualHost> for the domain, inserting the following to force all traffic to switch over to HTTPS instead:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Applied an “apachectl restart”, and there we have it. A free SSL cert, which is working perfectly. Kudos to the Let’s Encrypt team, and those over at the Internet Security Research Group. I am impressed, and will certainly be spreading the word. Excellent work!
looks like pure pain
i miss google non-ssl, and amazon non-ssl, and ebay non-ssl, and…..
at least the urls looked better, no s in end
simplicity isbest 🙂
btw…. your captcha is ugliness too…., but thats the modern days we live in..
ugliness most places
picking cakes scaled up of 2px to 50px size, pixelated to type in guestbooks
and unable to see.. lol
back in the days….
Remember the days of only one browser?. Cross-compatibility was no problem. People only ran Netscape. Playing sound and music and dancing hampsters on every webpage was no problem!