There are many reasons to run a website with an SSL/TLS certificate (we won’t dive too deeply into them in this post). In the past they weren’t as accessible as they are now, with the cost of a certificate varying immensely. Whether you want to pay for a certificate at all became a question you could ask once StartSSL began issuing free certificates. StartSSL has, however, attracted suspicion about its trustworthiness from time to time.
Now there’s a new kid on the block. Let’s Encrypt is a project released in 2015 which allows users to interact with the certificate issuer in a completely automated fashion. Because of this, certificates are free and readily available. They have also built a command line utility to make the process as simple as they could. Because of the way they work, they are classed as an ACME (Automated Certificate Management Environment), the first of their kind.
In this article we will run through how you can set up Let’s Encrypt on an Ubuntu 14.04 machine running an Apache server. You will need server access for this to work, and we’ll be using a Digital Ocean droplet in our example.
To install Let’s Encrypt we’ll pull the latest copy from GitHub. To do this we will need to make sure we have git installed first. We will then clone the repository directly into our /opt/ folder.
sudo apt-get install git
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
It really is as simple as that. If you ever want to update, you can pull a fresh copy using git into the same location.
Getting a Certificate
To generate your first certificate, we’ll navigate into the /opt/letsencrypt folder where we just installed Let’s Encrypt. Once we’re in the directory we’ll use the letsencrypt-auto command, telling it that we’re using an Apache server and listing each domain with the -d option. If you’re using a domain with the www prefix, it’s generally a good idea to include both the root domain and the www domain, as we’ve done below.
./letsencrypt-auto --apache -d example.co.uk -d www.example.co.uk
At this point, your server should be primed and serving on https (yes, it’s that easy). But we’ll just quickly look at renewal.
Renewing the Certificate
Renewing your certificates is actually very important when using Let’s Encrypt, because each certificate expires 3 months after it is issued, compared with the year or more you often get with bought certificates.
You have two options when it comes to renewal: you can either use the same letsencrypt command, or you can use a handy script made by firstname.lastname@example.org. We’ll be using the latter.
Firstly, we’ll pull the script and make it executable. Then we can test it by running the script with the domain we used earlier (except we only need to mention the root domain this time).
sudo curl -L -o /usr/local/sbin/le-renew http://do.co/le-renew
sudo chmod +x /usr/local/sbin/le-renew
sudo le-renew example.co.uk
Once we have this working, it’s a simple case of making a cron job (scheduled task) for it to run periodically. To do this, we’ll run:
sudo crontab -e
… and we’ll add this line to the bottom:
0 4 * * 1 /usr/local/sbin/le-renew example.co.uk >> /var/log/le-renew.log
This will run the renewal every Monday at 4am. It’s fine to run the script this regularly because it won’t actually renew until the certificate is within a month of expiring. It will also log any activity to the /var/log/le-renew.log file if you’re curious as to how it’s getting on.
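If you would rather see the “renew only within a month of expiry” decision for yourself, the functions below reproduce it from a certificate’s notAfter date. This is an added example, not the le-renew script or anything shipped with Let’s Encrypt; it assumes GNU date (as on Ubuntu) and openssl on the PATH, and the sample dates and the 30-day threshold are constructed for illustration.

```shell
#!/usr/bin/env bash
# Decide whether a certificate is due for renewal, mirroring the behaviour
# described above: renew only when expiry is within a month.
# Assumes GNU date (Ubuntu coreutils) and openssl on the PATH.

# Whole days until the date in a "notAfter=..." line (the format printed by
# `openssl x509 -noout -enddate`), counted from a "now" epoch.
# The second argument defaults to the current time; tests pass a fixed epoch.
days_until_expiry() {
    local enddate_line="$1"            # e.g. "notAfter=Mar 10 12:00:00 2016 GMT"
    local now_epoch="${2:-$(date -u +%s)}"
    local expiry="${enddate_line#notAfter=}"
    local expiry_epoch
    expiry_epoch=$(date -u -d "$expiry" +%s) || return 2
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Exit status 0 when the certificate expires within threshold_days (default 30,
# i.e. roughly the "within a month" rule), 1 when there is nothing to do yet.
renewal_due() {
    local enddate_line="$1" now_epoch="$2" threshold_days="${3:-30}"
    local days
    days=$(days_until_expiry "$enddate_line" "$now_epoch") || return 2
    [ "$days" -le "$threshold_days" ]
}

# Read the expiry straight from a certificate file and print a log line in the
# same spirit as the cron job above. Exit status matches renewal_due.
check_cert_file() {
    local cert="$1" threshold_days="${2:-30}"
    local enddate days
    enddate=$(openssl x509 -noout -enddate -in "$cert") || return 2
    days=$(days_until_expiry "$enddate") || return 2
    if renewal_due "$enddate" "$(date -u +%s)" "$threshold_days"; then
        echo "$(date -u +%FT%TZ) $cert expires in $days days: renewal due"
        return 0
    fi
    echo "$(date -u +%FT%TZ) $cert expires in $days days: nothing to do"
    return 1
}
```

Point check_cert_file at /etc/letsencrypt/live/example.co.uk/cert.pem (your own domain in place of example.co.uk) to see what le-renew will decide on its next Monday run.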
This should be all you need to get started. If you have any comments or suggestions, let us know in the comments.
Photo by B. Lee