I just moved my web server’s SSL/TLS certificates to Let’s Encrypt and I am positively surprised how relatively easy it was.
In all honesty, it started as a simple “Hullo! What’s this all about?” and after toying with it a bit, I decided to simply use it to replace all my CAcert.org and StartSSL certificates.
For those who have not heard yet, “Let’s Encrypt is a new Certificate Authority, [which] is free, automated and open”, run by the Internet Security Research Group as a Linux Foundation Collaborative Project with many big-name supporters.
Basically they are trying to replace the yearly chore of logging in to a traditional CA’s website, filling in online forms for every domain you own, and paying for the service on top of it. What they came up with is an automated system where you get everything done in a matter of minutes (seconds?) from the CLI and can even renew simply with a cronjob.
After fumbling about a bit and asking for help on #nginx the wonderful FinalX suggested that I follow John Maguare’s tutorial and even suggested how to tweak it in order to fit my system. That worked pretty well ☺
Caveats (in 0.1.1):
- the web server automatic set-up currently works only for Apache, but Nginx is planned next – you can still use it to generate keys for any web server regardless and write the web server config by hand (never a bad idea);
- if it is not packaged in your distro, you can expect some twiddling to set it up – the official source package does have an auto-install command, but currently it supports only a few distros;
- the current version is actually called 0.1.1-corrected, which probably caused problems with some distros (e.g. it did for Gentoo);
- it does not support domain wildcards – but you can always extend your cert with additional domains, so no biggie;
- it does not support international domain names yet;
- yes, it is beta, but as Roland Bracewell Shoemaker explained in his “Let’s Encrypt – What launching a free CA looks like” talk at the 32C3, they are aiming at a long beta period, similar to the one Google used for GMail.
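Since the 0.1.x client sets up Apache only, renewing from cron with a hand-written Nginx config is a matter of checking the certificate’s expiry and reissuing when it gets close. The script below is an added example, not code from the post or from the Let’s Encrypt project; the certificate path, domain, webroot, and the exact `letsencrypt certonly` options are assumptions to verify against your installed client’s `--help`, and it relies on GNU `date` and `openssl`.

```shell
#!/bin/sh
# Cron-driven renewal for a hand-written Nginx setup (added example).
# Assumed paths and flag names; adjust to your system and client version.
CERT=/etc/letsencrypt/live/example.com/cert.pem
DOMAIN=example.com
EMAIL=admin@example.com
WEBROOT=/var/www/example.com      # directory Nginx serves for /.well-known/
THRESHOLD_DAYS=30                 # renew when this many days (or fewer) remain

# cert_not_after FILE -> prints the certificate's notAfter as a Unix timestamp
cert_not_after() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    date -d "$end" +%s
}

# renew_due NOT_AFTER NOW THRESHOLD_DAYS -> succeeds when renewal should run.
# Works on plain integers so the decision can be checked without a real cert;
# an already-expired certificate yields a negative remainder and is also due.
renew_due() {
    remaining=$(( ($1 - $2) / 86400 ))
    [ "$remaining" -le "$3" ]
}

main() {
    if [ ! -f "$CERT" ] || renew_due "$(cert_not_after "$CERT")" "$(date +%s)" "$THRESHOLD_DAYS"; then
        # webroot validation leaves the hand-written Nginx config untouched;
        # --renew-by-default avoids the interactive "replace existing cert?" prompt
        letsencrypt certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
            --email "$EMAIL" --agree-tos --renew-by-default \
            && nginx -t && nginx -s reload
    fi
}

# Only act when explicitly asked, e.g. from cron: LE_RENEW_RUN=1 /path/to/script.sh
if [ "${LE_RENEW_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Run it daily from cron; `nginx -t` before the reload keeps a broken config from taking the site down if the reissue fails halfway.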
hook out → sniffling due to cold