Improving your website security through encryption, even on the most basic servers, can increase your visitors’ trust in your site and your ability to run it. Setting up encryption on your web host has generally been complicated and expensive, which often deters administrators who’s web applications might not depend on user input. Let’s Encrypt aims to change this by making implementing encryption on any website easier. They are an open and free project which allows obtaining and installing of certificates through simple, automated, commands.
Let’s Encrypt is a new Certificate Authority capable of issuing certificates cross-signed by IdentTrust, which allows their end certificates to be accepted by all major browsers. This guide outlines the steps for installing their client and how to use it to manage certificates on your cloud server running Apache2.
Getting the Let’s Encrypt client
Getting an HTTPS server set up can be a hassle. Let’s Encrypt aims to greatly simplify the task by automating obtaining certificates and configuring web servers to use them. The client is fully-featured and extensible for the Let’s Encrypt Certificate Authority, or any other CA that uses the ACME protocol, that allows managing certificates with simple commands.
The client is available through the project’s GitHub repository. If you don’t have git installed yet, you can get it with one of the two following commands depending on your OS.
sudo apt-get install git sudo yum install git
There is no need to configure git if you don’t require it for anything other than downloading repositories. Instead just change to the directory where you wish to put the Let’s Encrypt client into and fetch it with
git clone https://github.com/letsencrypt/letsencrypt
Then change into the newly downloaded directory
The certificate installation works using the letsencrypt-auto wrapper script provided with the client. It installs all of its own dependencies and updates the client code automatically, therefore you’ll need to run the client on an account with sudo privileges. Use the command below to see the accepted subcommands and flags.
Given that the help command works, you are ready to continue on with obtaining and installing a certificate.
Obtaining a certificate
Let’s Encrypt validates the domain it’s installed on similarly to a traditional CA process by identifying the server administrator via a public key. The client generates a new key pair when interacting with the Let’s Encrypt servers for the first time, and then aims to prove to the CA that the host has control over a particular domain by at least one of the two following ways:
- Provisioning a DNS record under the domain in question
- Provisioning an HTTP resource under a well-known URI on the domain
On top of one of the two challenges, the client also must sign a nonce with its private key to prove it controls that key pair.
To help the Let’s Encrypt client accomplish these tasks it supports a number of plugins that can be used to obtain or install certificates. For example, with Apache2 you can use the Apache plugin. First stop the Apache server while you install the certificate.
sudo service apache2 stop
The plugin automates both obtaining and installing certificates on an Apache web server. To use this plugin on the command line, simply include the flag –apache.
sudo ./letsencrypt-auto --apache
This starts the script in an interactive mode asking a couple of questions to setup the certificate correctly.
- If you don’t have a pre-existing configuration file, select Yes to use the default vhost and specify the settings manually.
- Enter the domain name hosted on the server you are installing the certificate on. If you have multiple domains on the same server, write them all here separated by a comma.
- On the first installation on any specific host, you’ll need to enter a contact email.
- Next, go through the Let’s Encrypt Terms of Service and select Agree if you accept the terms and wish to use the service.
- Then select whether you wish to use both HTTP and HTTPS or to require all traffic to use encryption by highlighting either Easy or Secure option and selecting OK.
- If everything worked correctly you’ll get a message that HTTPS was successfully enabled and a link pointing to SSL Labs test site.
You can now turn the Apache service on again and test it for yourself.
sudo service apache2 start
Open your domain in a web browser using https://<your domain>, when it loads the installation is working properly.
If you are having problems using the client script, make sure you are trying to register a domain or subdomain that currently resolves to that host. Also check that you have the administrative privileges to run the commands and that Apache service stopped correctly.
Renewing a certificate
At the end of the certificate installation script output, you’ll see the certificate’s expiration date which is usually 3 months from the day you installed it. Renewing a certificate is as easy as installing it again using the same values as before.
In almost all circumstances, renewal should be performed with the certonly subcommand after which reloading your web server configuration should be enough to deploy the renewed certificate, for example:
./letsencrypt-auto certonly --apache -d <domain names>
Then answer the questions the client asks to renew and replace the certificate and for which virtual host it’s installed on, 000-default-le-ssl.conf by default.
Once the renewal is complete simply reload your web service to update the configuration, for example with Apache server use the following command.
sudo service apache2 reload
Your certificate is now again valid for another 3 months.
Note that as Let’s Encrypt is still in development they’ve set certain rate limits for issuing certificates to protect the service against both accidental and intentional abuse. You can check further details and documentation at Let’s Encrypt community site.
Let’s Encrypt intends to provide renewal scripts later down the line to automate this process, but in the meanwhile, you can create your own along the lines of the example below.
#!/bin/sh if ! ~/letsencrypt/letsencrypt-auto certonly -tvv --keep --webroot -w <web root folder> -d <domain names> > /var/log/letsencrypt/renew.log 2>&1 ; then echo Automated renewal failed: cat /var/log/letsencrypt/renew.log exit 1 fi apachectl graceful
The example script runs the renewal while directing the output to a log file and then checks if it was successful or not, and finally reloads Apache to complete the renewal. Once your renewal script works, you can automate it with Cron job.
Revoking a certificate
If you wish to remove a certificate from your server it can be revoked using the subcommand with Let’s Encrypt client. The command below can be used to revoke a particular certificate. Replace the <domain> in the command with the domain which certificate you wish to revoke.
./letsencrypt-auto revoke --cert-path /etc/letsencrypt/live/<domain name>/cert.pem
The process won’t give a confirmation upon completion, but if you perform it again you’ll get a message that the certificate has already been revoked.
In most cases simply installing and renewing your certificates as instructed above are enough, but the Let’s Encrypt client also supports some additional plugins for managing your certificates. For example, if you do not want to shut down your busy web service while installing a new certificate you can use the Webroot plugin with certonly and –webroot on the command line.
This guide focuses on installing the certificate using the Apache plugin, though Let’s Encrypt also works just as well with other web servers software. Nginx setup automation is currently experimental and the plugin is not installed with letsencrypt-auto script, but Let’s Encrypt can still be used to install certificates manually on servers running Nginx. Check out our other guide for How to Install Let’s Encrypt on Nginx. You can also find out about other supported options in the documentation for Let’s Encrypt.