No more HTTP: implementing Let’s Encrypt certificates

Once upon a time, SSL certificates were expensive, and getting them required multiple days of lead time.

Signing authorities have improved in both areas (i.e. cost and turnaround), but Let’s Encrypt has taken it to a whole new level. Their free certificate service moved out of beta earlier this year, and with my one-and-only SSL certificate coming due for renewal, I thought I’d take it for a spin.

Let’s Encrypt issues 90-day certificates (commercial authorities typically offer 12-24 month certs), so their service is designed to be consumed by automatic certificate management software rather than by end-users. This means there’s no user-facing front-end – another departure from traditional CAs.

You’d be forgiven for thinking all of this sounds terribly complicated, but with certbot, it couldn’t be much easier (assuming you’re running your own server). You just download and run the certbot-auto script and follow the instructions. In my case, as an Apache user, getting this blog running on HTTPS was as simple as:

$ certbot-auto --apache -d lkrms.org,www.lkrms.org,arms.to,www.arms.to,lukearms.net,www.lukearms.net

This command looked after reconfiguring, testing and reloading Apache. Then I dropped the following into /etc/cron.d/certbot:

42 2,14 * * * root /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade

Now, whenever my Let’s Encrypt certificates come up for expiry (or are revoked), they are renewed automatically, with the renewal check running twice daily.
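A broken cron job or a failing challenge would otherwise only show up as an expired certificate, so here is a small expiry check, added as an example and not part of the original post. It reproduces certbot’s renewal decision (assuming the default 30-day renew-before-expiry window) and flags a certificate that a twice-daily job should already have renewed; the hostname, the 7-day grace threshold and the `notAfter` string format are assumptions.

```python
"""Expiry check for an automatically renewed Let's Encrypt certificate (added example)."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

RENEW_WINDOW_DAYS = 30  # certbot's default renew-before-expiry; assumed unchanged
GRACE_DAYS = 7          # assumption: how far past the window counts as "renewal failed"


def parse_not_after(not_after: str) -> datetime:
    """Parse 'notAfter' as ssl.getpeercert() returns it, e.g. 'Sep 14 12:00:00 2016 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_remaining(not_after: str, now: Optional[datetime] = None) -> float:
    """Days of validity left at 'now' (defaults to the current UTC time)."""
    now = now or datetime.now(timezone.utc)
    return (parse_not_after(not_after) - now).total_seconds() / 86400


def renewal_due(not_after: str, now: Optional[datetime] = None) -> bool:
    """Same decision 'certbot renew' makes: renew only inside the window."""
    return days_remaining(not_after, now) < RENEW_WINDOW_DAYS


def renewal_overdue(not_after: str, now: Optional[datetime] = None) -> bool:
    """Alert: with a twice-daily cron job, validity should never drop this far.
    If it has, the cron entry or the ACME challenge is probably broken."""
    return days_remaining(not_after, now) < RENEW_WINDOW_DAYS - GRACE_DAYS


def fetch_not_after(host: str, port: int = 443) -> str:
    """Read notAfter from the certificate the live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "lkrms.org"  # assumed host
    not_after = fetch_not_after(host)
    left = days_remaining(not_after)
    state = "OVERDUE" if renewal_overdue(not_after) else "due" if renewal_due(not_after) else "ok"
    print(f"{host}: {left:.1f} days left, renewal {state}")
    sys.exit(1 if state == "OVERDUE" else 0)
```

Run it from a monitoring host against each site on the certificate; a non-zero exit means the twice-daily renewal has silently stopped working.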

Suck on that, NSA / metadata retention agencies / ASIO / AFP.

NO DATAS FOR YOU.