
Let's Encrypt

Tags: linux, howto, apache, ssl, https, web, lets encrypt, crypto, encryption

Added: 2015-12-05T15:20:10


One of the main obstacles to SSL adoption is the cost of SSL certificates. Let's Encrypt aims to let everyone obtain SSL certificates for free.

They would prefer you to run a script, as root, which obtains the certificate and rewrites your webserver config files.
I'm sure it works very well, but that sort of thing makes me a bit twitchy. I prefer to run it in the certonly mode, which doesn't munge config files.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --webroot -w /home/domain.tld/site/ -d domain.tld -d www.domain.tld
This will generate a 3 month certificate and save it in /etc/letsencrypt/live/domain.tld/
If you have a problem with authentication, it might be that you haven't allowed Apache to serve the small file the client drops into $webroot/.well-known/acme-challenge/$randomfile in order to prove that you control the domain. If the site is proxied elsewhere, the challenge path also needs to be excluded from the proxy:
<Location /.well-known/acme-challenge>
  Allow From All
  ProxyPass !
</Location>

You can then set your Apache site config to load the certificate and key from that location.
<VirtualHost *:443>
SSLCipherSuite DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA
SSLEngine on
SSLCertificateFile    /etc/letsencrypt/live/domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
# chain.pem holds only the intermediate(s); fullchain.pem also repeats cert.pem,
# which would make Apache send the leaf certificate twice.
SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/chain.pem

ServerName domain.tld
DocumentRoot /home/domain.tld/site
....
</VirtualHost>
Restart/reload Apache, and you should be rocking and rolling, SSL style.
If you want to use name-based virtual hosting on SSL, remember to enable it with
NameVirtualHost *:443
SSLStrictSNIVHostCheck off
Set up a cronjob to obtain a new certificate every 2 months (and I'm guessing Apache needs restarting in order to pick up the new certs), and you're golden. Head over to https://www.ssllabs.com/ssltest/ and make sure that your SSL config is decent - you should be aiming for a B at least.
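A renewal script for that cronjob, added here as an example and not taken from the post or from the Let's Encrypt project: it skips the run while the certificate still has plenty of life left, re-runs the same certonly command, and only reloads Apache if the certificate file actually changed. The clone location, the `run` argument and the `--renew-by-default` flag of the 2015 client are assumptions; adjust the paths to your setup.

```shell
#!/bin/sh
# Cron renewal helper for the certonly --webroot workflow described above.
# Added example; LE_DIR, the domain paths and --renew-by-default are assumptions.
set -eu

LE_DIR=${LE_DIR:-/root/letsencrypt}            # where the git clone lives (assumed)
LIVE=${LIVE:-/etc/letsencrypt/live/domain.tld}
WEBROOT=${WEBROOT:-/home/domain.tld/site}
DOMAINS="-d domain.tld -d www.domain.tld"
MIN_DAYS=${MIN_DAYS:-30}                        # renew when fewer days than this remain

# SHA-256 of a file, or an empty string if it does not exist yet. Comparing the
# fingerprint before and after the run tells us whether a new cert was written.
cert_fingerprint() {
    if [ -f "$1" ]; then sha256sum "$1" | cut -d' ' -f1; fi
}

# True (exit 0) when the two fingerprints differ.
cert_changed() {
    [ "$1" != "$2" ]
}

# True when the certificate stays valid for at least MIN_DAYS more days.
# openssl's -checkend expects seconds, so convert days to seconds.
cert_still_fresh() {
    [ -f "$1" ] && openssl x509 -checkend $((MIN_DAYS * 86400)) -noout -in "$1" >/dev/null 2>&1
}

renew() {
    if cert_still_fresh "$LIVE/cert.pem"; then
        echo "certificate valid for more than $MIN_DAYS days; nothing to do"
        return 0
    fi
    before=$(cert_fingerprint "$LIVE/cert.pem")
    # Same certonly invocation as in the post; --renew-by-default asks the
    # 2015 client to replace the existing certificate instead of reusing it.
    "$LE_DIR/letsencrypt-auto" certonly --webroot -w "$WEBROOT" $DOMAINS --renew-by-default
    after=$(cert_fingerprint "$LIVE/cert.pem")
    if cert_changed "$before" "$after"; then
        # Apache reads key and cert only at startup, so reload gracefully:
        # existing connections finish, new ones get the fresh certificate.
        apachectl graceful
        echo "new certificate installed and Apache reloaded"
    else
        echo "certificate unchanged; Apache not reloaded" >&2
        return 1
    fi
}

# Cron entry (assumed): 0 3 1 */2 * /root/renew-le.sh run
case "${1:-}" in run) renew ;; esac
```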

calum.org isn't currently using Let's Encrypt certificates, but it won't be long.

One thing I'm not sure if they support is internal websites (i.e. intranet style ones) that aren't connected to the public Internet.

posted by Calum on 2015-12-05T15:30
