Let’s Encrypt is a new Certificate Authority: free, automated and open. It is a real revolution in how we add SSL to our websites.
A few years ago, I explained how to add SSL certificates to your websites. Basically, you had to create your own SSL certificates, which were never recognized by web browsers (and thus displayed a naughty notification), or you had to purchase a certificate that was certified. And finally, you had to configure your virtualhosts with the certificates.
But Let’s Encrypt has made it easy, and it is now recognized by most web browsers (no more warning message, yeah!!). It is sponsored by several important companies and foundations, like Mozilla, Cisco, OVH, Internet Society, etc., and is in active development.
I’ve been using their certificates for a few months now on various services and it works great! And here is how to add SSL to your website using Let’s Encrypt.
We will go for the automated installation, which should meet most needs. If not, you can always get your hands dirty :p
Assuming you are using a Debian/Ubuntu style of distribution:
1) Install Certbot
Certbot will basically do everything and is available for most distributions. If, like me, you are on Debian 8, you will need to add the backports repo to your sources.list to install Certbot (no need if you are running Debian 9).
As root (or with sudo), simply run:
apt-get install python-certbot-apache -t jessie-backports
If you are using a different version of Debian or another Linux flavor, you can have a look at the official documentation (pretty straightforward).
2) Obtain and install a certificate
If you are using Apache, the configuration is very simple. You just need to run the following:
A menu will pop up and, basically, you just need to say which virtualhost you want to configure SSL for and whether you want to force SSL only (redirection).
Once done, certbot will update your virtualhost with the appropriate configuration.
Just reload your Apache configuration and you are good to go!
service apache2 reload
3) Automatic renewal
For the moment, Let’s Encrypt certificates last for 90 days only, so you need to renew them regularly. The easiest way is to add a cron task that runs every day to renew them. In fact, it won’t do anything until your certificates are due for renewal, so the project even suggests running the cron job twice a day.
So in your crontab (as root), you will need to add this line:
0 0 * * * certbot renew --quiet
for the cron to run every day at 00:00 (feel free to change it).
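Because the cron job runs with --quiet, a renewal that keeps failing goes unnoticed until the certificate expires. The check below is an added example, not part of the original post: it reads the expiry date of the certificate a site serves and classifies it. The 30-day renewal window (certbot's default), the 20-day alert threshold and all function names are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumption: certbot renews once fewer than 30 days remain
ALERT_DAYS = 20         # assumption: about 10 days of failed daily cron runs

def days_left(not_after, now):
    """Whole days from `now` (aware datetime) to a notAfter string in the
    format getpeercert() returns, e.g. 'Jul 15 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     tz=timezone.utc)
    return (expires - now).days  # negative once the certificate has expired

def renewal_status(not_after, now):
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    if remaining < ALERT_DAYS:
        return "RENEWAL_FAILING"  # cron should have renewed this already
    if remaining < RENEW_WINDOW_DAYS:
        return "RENEWAL_DUE"      # inside the window, next cron run should renew
    return "OK"

def fetch_not_after(host, port=443, timeout=5.0):
    """Return notAfter of the certificate served by host (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(host, now=None):
    """Status for a live site; an expired or untrusted certificate fails the
    handshake, so that case is reported instead of raised."""
    now = now or datetime.now(timezone.utc)
    try:
        return renewal_status(fetch_not_after(host), now)
    except ssl.SSLCertVerificationError:
        return "EXPIRED_OR_UNTRUSTED"

if __name__ == "__main__":
    # Constructed sample dates, so the example runs offline.
    now = datetime(2025, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    for sample in ("Jul 15 12:00:00 2025 GMT", "May 26 12:00:00 2025 GMT",
                   "May 11 12:00:00 2025 GMT", "Apr 30 12:00:00 2025 GMT"):
        print(sample, days_left(sample, now), renewal_status(sample, now))
```

Calling check_host with your own domain from a second daily cron entry, and mailing any result other than OK, gives you a warning well before browsers start showing errors.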
And that’s it, you are now using a robust and trusted SSL certificate for your websites.
If you are interested in knowing which features are coming, simply check this page.
Thank you Let’s Encrypt