LetsEncrypt - Free Domain SSL Certificates
#1
In 2015 a new non-profit Certification Authority (CA) was founded by a group of companies (better known ones are Mozilla, Cisco, etc.) and they set up an automated service called LetsEncrypt. It is free for everyone, for personal and commercial use.

Everyone can self-issue their own certificate and many people do this, mainly for mail servers. When accessing a domain with a self-signed certificate, your email or web client will pop up a warning and you can create a temporary or permanent exception. This has to be repeated on every computer. A certificate from a known CA will not pop up a warning.

There are 3 levels of certification:
  • DV - domain validation - the CA only verifies that the certificate requester controls the domain.
  • OV - organization validation - the CA verifies that the organization controlling the domain really exists.
  • EV - extended validation - there are more checks here and it includes insurance against fraud. That means if you get scammed by a website with a "green bar" you can claim your money back from the people who issued the certificate for that website.

The certification "industry" has grown into billions. The cost of a "green bar" EV certificate starts at approx. $200/yr. In known history there has never been an insurance payout; it's almost like a license to print money, to make value out of nothing. I had an EV certificate and went through several iterations with a notary to verify everything about me. It did not do squat for webstore performance. If I lost 2-3 sales, I cannot really measure 2-3.

In reality, the certification is good if you are dealing with a total stranger out of nowhere. Reputation is worth more than certification. Example: would you hire A) a certified electrician or B) an electrician recommended by your friend?

LetsEncrypt can only issue DV certificates, and this is automated by setting up a temporary HTTP server that is automatically verified by them. Any OV and EV certificates will require either a notary validation and/or government-issued documents and human intervention. The certificate is valid for 3 months and can be automatically renewed from CRON, say monthly; it only takes a few seconds of downtime (shut down webserver, run renewal, restart webserver).

Here is information on how to use the service: https://github.com/letsencrypt/letsencrypt
#2
3 months seems like more of a pita than anything else. Most paid certs are 1-2 yrs minimum and you can buy more. I self-sign mine for 10 yrs.

If you have a lot of domains it really is a pita on its own. You can also get the multiple-subject certs now that cover a bunch of domains, but they are complicated to administer too if you are hosting or if you add and delete domains from them.

Personally I just rely on certificates for encryption, not authentication anyway; if it was too much money to lose I just wouldn't spend it that way unless I already trusted the company. (I find most people don't understand the difference in the first place and hence the freaking out over expired or cross-domain issues.)
--------------- ---- --- -- -  -
If things weren't meant to be modified, they would not come with wires attached.
#3
(2016-02-09, 01:53 PM)jon Wrote: 3 months seems like more of a pita than anything else. Most paid certs are 1-2 yrs minimum and you can buy more. I self-sign mine for 10 yrs.

Jon, you probably did not read my whole rant; you can automate the renewal through CRON. If you have lots of domains you can also automate sign-up.

(2016-02-09, 01:53 PM)jon Wrote: Personally I just rely on certificates for encryption, not authentication anyway; if it was too much money to lose I just wouldn't spend it that way unless I already trusted the company. (I find most people don't understand the difference in the first place and hence the freaking out over expired or cross-domain issues.)

Copy that. My website had an expired cert just for one day and people were emailing me. WTF changes in one day of certificate expiration?

The whole industry is warm fuzzy because anyone who wants to scam people can just get a junkie with a government ID, pay him $100 and get all notarizations, incorporation documents, and get a nice shiny brand new EV certificate. Someone in California confirms they have seen the documents and voila ... new multi-million dollar iPhone discounter. Sell a couple of legitimate ones for a month, then make a huge discount sale and within a week, when people find out nothing is mailed, bye bye.
#4
I agree a single domain cert is cron'able, but when you are managing hosting for many domains even the yearly thing gets to be a pain.

It gets way more complex when you have fewer IPs than certificates.
--------------- ---- --- -- -  -
If things weren't meant to be modified, they would not come with wires attached.
#5
I disagree.

For example, multiple certs per single IP in Apache:

Code:
# Name-based virtual hosts on port 443 rely on SNI (Server Name Indication):
# the client sends the hostname during the TLS handshake, so Apache can pick
# the matching certificate before it has seen the HTTP request.
# NameVirtualHost is a bare directive, not a container (no angle brackets).
NameVirtualHost *:443

<VirtualHost *:443>
ServerName www.yoursite.com
DocumentRoot /var/www/site
SSLEngine on
SSLCertificateFile /path/to/www_yoursite_com.crt
SSLCertificateKeyFile /path/to/www_yoursite_com.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

<VirtualHost *:443>
ServerName www.yoursite2.com
DocumentRoot /var/www/site2
SSLEngine on
SSLCertificateFile /path/to/www_yoursite2_com.crt
SSLCertificateKeyFile /path/to/www_yoursite2_com.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

Automatic cert renewal:

Code:
#!/bin/sh
# DOMAINS (space-separated list) and EMAIL are expected from the environment
: "${DOMAINS:?set DOMAINS to the space-separated list of domains}"
: "${EMAIL:?set EMAIL to the account contact address}"

for d in $DOMAINS
do
  echo "Running letsencrypt for $d"
  # --standalone starts the temporary HTTP server for the http-01 challenge,
  # so nothing else may be listening on port 80 while this runs
  letsencrypt --standalone --standalone-supported-challenges http-01 \
    --agree-dev-preview --agree-tos --renew-by-default \
    --server https://acme-v01.api.letsencrypt.org/directory \
    --email "$EMAIL" -d "$d" certonly
  ec=$?
  echo "letsencrypt exit code $ec"
  if [ "$ec" -eq 0 ]
  then
    # For haproxy, you need to concatenate the full chain with the private key
    # (the combined file contains the key, so keep it readable by haproxy only)
    cat "/etc/letsencrypt/live/$d/fullchain.pem" "/etc/letsencrypt/live/$d/privkey.pem" > "/certs/$d.pem"
    # For nginx or apache, you need both separate files
    # cp "/etc/letsencrypt/live/$d/fullchain.pem" "/certs/$d.pem"
    # cp "/etc/letsencrypt/live/$d/privkey.pem" "/certs/$d.key"
  fi
done

https://github.com/Iteam1337/docker-letsencrypt-cron
#6
The configuration above only works with some browsers and only on fairly recent Apache versions; the multi-subject is more accepted but harder to set up, and still does not work with all browsers.

When you are managing your own sites you get to make the call if "some" is enough, but if you are working for someone else, even one that is not supported and they will complain, so it becomes a non-option.

It's just like IPv6 - yeah, it's a solution to the address space limits - will it ever actually become the standard?
--------------- ---- --- -- -  -
If things weren't meant to be modified, they would not come with wires attached.
#7
They changed the automation process a little, now calling it certbot instead of letsencrypt.

This works for wheezy and squeeze (tested):

Code:
sudo wget https://dl.eff.org/certbot-auto -O /root/certbot-auto
sudo chmod a+x /root/certbot-auto
sudo /root/certbot-auto

It may take several minutes for the last command to complete.

Renewal can be automated by adding the following line to root's crontab:

Code:
15 1 1 * * service apache2 stop; /root/certbot-auto renew --quiet --no-self-upgrade; service apache2 start

The line above will automatically renew all Apache websites' certificates at 1:15am on the first of the month. There will be a brief outage as Apache has to be stopped to release port 443. The bot is smart enough to identify live servers via the "ServerName" directive in Apache config files, so if you do not have ServerName, add it in.
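As an added example (not code from any post in this thread), the following replays the renewal cadence described in post #1 and in the crontab line of post #7: 90-day certificates, certbot's default rule of renewing only when fewer than 30 days of validity remain, and a monthly versus a daily cron entry. The issue times are constructed, and the 30-day threshold is assumed to be certbot's unchanged default.

```python
"""Replay the renewal cadence discussed in this thread: 90-day Let's Encrypt
certificates renewed by 'certbot renew' from cron, which by default renews a
certificate only when fewer than 30 days of validity remain."""
from datetime import datetime, timedelta

VALIDITY = timedelta(days=90)       # lifetime of a Let's Encrypt certificate
RENEW_BEFORE = timedelta(days=30)   # certbot's default renewal window

def next_monthly(after, hour=1, minute=15):
    """Next firing of the thread's crontab entry '15 1 1 * *' after `after`."""
    year, month = after.year, after.month
    run = datetime(year, month, 1, hour, minute)
    while run <= after:
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
        run = datetime(year, month, 1, hour, minute)
    return run

def next_daily(after, hour=1, minute=15):
    """Next firing of a daily '15 1 * * *' entry after `after`."""
    run = after.replace(hour=hour, minute=minute, second=0, microsecond=0)
    return run if run > after else run + timedelta(days=1)

def simulate(issued, schedule, runs):
    """Replay `runs` cron firings for a certificate issued at `issued`
    (a datetime or an ISO-8601 string; constructed values, not real certs).

    Returns (renewals, worst_margin): the datetimes at which certbot actually
    renewed, and the smallest (expiry - renewal time) observed.  A margin of
    zero or less means an expired certificate was served until cron caught up.
    """
    if isinstance(issued, str):
        issued = datetime.fromisoformat(issued)
    expiry = issued + VALIDITY
    now, renewals, worst = issued, [], VALIDITY
    for _ in range(runs):
        now = schedule(now)
        if expiry - now < RENEW_BEFORE:      # the check 'certbot renew' applies
            renewals.append(now)
            worst = min(worst, expiry - now)
            expiry = now + VALIDITY
    return renewals, worst

if __name__ == "__main__":
    issued = "2017-01-01T02:00"  # constructed: certificate obtained at 02:00 on Jan 1
    for name, sched, runs in (("monthly", next_monthly, 12), ("daily", next_daily, 365)):
        _, worst = simulate(issued, sched, runs)
        print(f"{name:7s} cron: worst margin before expiry = {worst}")
```

With the monthly entry, a certificate whose 90-day window ends on the first of a month just before 01:15 is renewed with under an hour to spare, or only after it has already expired, which is why certbot's own documentation recommends running `certbot renew` more often than once a month.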