Shurn the Awesomer

Let's Encrypt the internet

Written on Fri, 20 May 2016

Every website should have an https option. In fact, it should be the default. But how many times have we seen https certs costing a lot, while even the free certs require regular renewal every 30 days? Some offer 90-day renewal, but that's beside the point. Certs require maintenance.

But we can thank the Internet Security Research Group (ISRG), a public benefit corporation, for providing the internet with free and hassle-free certificates. ISRG is sponsored by many organisations, from non-profits to Fortune 100 companies. A full list of sponsors can be found here.

Important


One important thing to note is that these are not Extended Validation (EV) certificates. EV certificates can be obtained from Comodo. These certificates require additional verification beyond the technology, which is why they are particularly important if you want to conduct online transactions. Your customers need to know that the website (YOU!) they are transacting with is trusted.

Alright, so let's get started installing certs for our web servers. If you followed my tutorial on setting up a web hosting site, this tutorial is exactly for you. If you set up your own web server under a different configuration, the tutorial here should still apply to you for the most part. For more information, you can go here to find specific instructions for your build.

By the end of this tutorial, you will have:
  • certbot installed
  • All sites on your server instance with https enabled, unless you later revoke the certificates.
  • All certificates installed will automatically renew every 90 days.
  • Bonus: If you have Piwik installed from the previous tutorial, you can force SSL on it.
What you need:

Installation

Let's start by installing certbot on Ubuntu 16.04. SSH into your server. All commands are run as the root account. Prepend sudo if you are not on the root account.

apt-get install python-letsencrypt-apache

Automated installation

Let's run the installation programme:

letsencrypt --apache

On the first screen, it will prompt you for which sites you would like to install certs on. Choose all that you want. As for me, I picked all my sites.

Next, you have to enter your email address.

Be sure to read all the legal terms and conditions of usage before you proceed to install the certificates, especially the rate limits. If you agree, just select agree on your SSH console.

Now it's going to prompt you whether to set https as the only connection or to allow both http and https. For me, I prefer to allow both and instead leave it to each individual application to redirect to https. Choose the option you prefer.

That's it for the installation. You are set to use https. You can verify your SSL is working with https://www.ssllabs.com. Your certificate will last you 90 days. It's also a good idea to regularly back up the /etc/letsencrypt folder.

In case you can't connect over https, be sure to check your AWS security groups and allow port 443 to your instance.

Automated Certificate Renewal

Since your certificate will only last you 90 days, you need to renew your cert regularly. Now, here's the part where Let's Encrypt does its magic better than most other free certificate providers: it will renew automatically for you, which is as good as a permanently free service.

Let's do a test run on certificate renewal to see if any errors occur:

letsencrypt renew --dry-run --email [YOUR-EMAIL] --agree-tos


Make sure you clear away any errors if you encounter any.

If there is no error, you can proceed to set automatic renewal through cronjob:

crontab -e


Add the following to the cronjob entries:

30 */12 * * * letsencrypt renew --email [YOUR-EMAIL] --agree-tos


This will run the renewal twice every day, as recommended by their documentation. It is advisable that you run the renewal process at a random minute. I guess this is to ease their server load from being hit by renewal requests when the clock strikes a particular minute.
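A cron job that fails (expired DNS, a changed Apache vhost, a rate-limit hit) does so quietly, and you only find out when the 90 days are up. The following check is an added example, not part of the original post or of certbot itself: it walks the default certbot layout /etc/letsencrypt/live/<site>/fullchain.pem (assumed) and flags any cert with fewer days left than renewal should ever allow, using openssl's -checkend so no date parsing is needed.

```shell
# Added example (not from the original post): detect Let's Encrypt certs that are
# closer to expiry than they should be, the symptom of a silently failing renewal.
# Assumes certbot's default layout /etc/letsencrypt/live/<site>/fullchain.pem and
# that the openssl command-line tool is installed.

# Return 0 if the certificate at $1 expires within $2 days, 1 otherwise.
cert_expires_within() {
    cert="$1"
    days="$2"
    # openssl x509 -checkend exits 0 when the cert is still valid after the
    # window and 1 when it expires inside it, so we invert its status.
    if openssl x509 -noout -in "$cert" -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Walk every live lineage under $2 (default /etc/letsencrypt/live) and print
# those with fewer than $1 days (default 20) left. certbot renews once fewer
# than 30 days remain, so anything under about 20 days means the twice-daily
# cron job is not doing its work. Returns the number of problem certs found,
# so 0 means everything is healthy.
check_letsencrypt_live() {
    threshold="${1:-20}"
    live_dir="${2:-/etc/letsencrypt/live}"
    problems=0
    for cert in "$live_dir"/*/fullchain.pem; do
        [ -f "$cert" ] || continue   # no match: the glob stays literal, skip it
        if cert_expires_within "$cert" "$threshold"; then
            echo "WARNING: $cert expires within $threshold days; check 'letsencrypt renew' output and the cron entry"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage, e.g. from a daily root cron job:
#   check_letsencrypt_live 20 || echo "renewal problem detected"
```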

That's it! You now have a permanently free SSL cert for all your websites. If this service has benefited you, do consider a small donation.

Revoking a certificate


If you ever need to revoke a certificate, here's how you can do it:

letsencrypt revoke --cert-path /etc/letsencrypt/[path-to-your-cert]


If your cert is placed elsewhere, do modify the path accordingly.

Your cert will no longer authenticate with the Certificate Authority after a while. That's it.

Conclusion


This is by far the easiest way to install certificates I've ever experienced. It practically does everything for me. I don't even need to know how to generate keys, or configure anything on Apache. It just works.

Great job, Let's Encrypt

Bonus: Force SSL for Piwik


Did you follow my tutorial on Piwik installation? If you did, you can force Piwik to use https every time. It's highly recommended that you do so, so that your login credentials are protected from being sent in the clear.

Browse to your Piwik installation's configuration folder:

cd [path-to-piwik-installation]/config

Edit config.ini.php:

nano config.ini.php

Add the following under [General] (or edit the line if the setting already exists):

[General]
force_ssl = 1

That's it! Your Piwik installation will now use https whenever it is browsed. You have made your site secure and the internet a little bit safer.