Let’s Encrypt, what is it?

Let’s Encrypt is a certificate authority that issues X.509 certificates so that websites can use TLS encryption (https addresses).

It was founded by the EFF, the Mozilla Foundation and the University of Michigan.

Its appeal is that it issues certificates for free, that they are recognised by browsers (it is a trusted certificate authority), and that the process of obtaining and installing these certificates is largely automated (fully automated if run directly on the server; additional steps are needed if run on a different machine).

Let’s Encrypt is currently in public beta, since 3 December.

How do you get a certificate?

Currently, to obtain a certificate from an authority, you must first generate a public/private key pair, then generate a Certificate Signing Request (CSR). You send it to a certificate authority, which, after validation, sends back a certificate. You must then install this certificate on the server before you can finally use an encrypted connection.

With Let’s Encrypt, obtaining and installing certificates is much simpler. In short, you fetch the letsencrypt client, available on GitHub, and with a single command line it generates (and, if the server is on the same machine, installs) a certificate for one or more domains. There is no need to handle or manage keys or requests yourself; the client does everything automatically.

The client is obtained via git:

git clone https://github.com/letsencrypt/letsencrypt

Then simply run letsencrypt-auto with the right parameters to generate / install the certificate. For more details, see the online manual: https://letsencrypt.readthedocs.org/en/latest/using.html

Once the client has been fetched, you can also run the following command to display all available commands:

./letsencrypt-auto --help all

Note that, during the public beta, restrictions are in place to limit abuse:

  • Limited to 10 registrations per IP every 3 hours.
  • Limited to 5 certificates per domain in a sliding 7-day window.

More details on the beta here: https://community.letsencrypt.org/t/beta-program-announcements/1631

What about shared hosting?

For those who, like me, use shared hosting, obtaining and installing the certificate is a bit more complex than running a single command that automates everything, because the server is not on the same machine and you don't necessarily have access to a remote shell. Here's how to obtain your certificate and install it on your shared hosting (in my case, it is managed through cPanel).

  1. Get the letsencrypt client.
  2. Go to the letsencrypt folder and run the following command (you can specify multiple domains by repeating the -d option):
    ./letsencrypt-auto certonly -a manual --server https://acme-v01.api.letsencrypt.org/directory -m <your email> -d <your domain 1> -d <your domain 2> ...
  3. Let’s Encrypt then asks you to confirm that your IP will be logged as having requested the certificate for that domain.
    [screenshot: letsencrypt_valid_ip]
  4. Once validated, the program asks you to create files at specific locations on your server.
    [screenshot: letsencrypt_valid_file]
    You will need to create the folder <your domain>/.well-known/acme-challenge/. Inside it, create a file whose name and content are given by letsencrypt (the URL gives the file name, and the line below it gives the content).
    Note that the files must be served by the server with a Content-Type of text/plain. To do this, create a .htaccess file in the acme-challenge folder and put the following inside it:

    DefaultType text/plain

    To check that it is correct, open the URL of the file requested by letsencrypt (after you have created it) in the browser. It should display the content (and not offer to download it).

  5. Press “Enter” in letsencrypt. Steps 3/4 are repeated as many times as you specified domains on the command line.
  6. After a few seconds, letsencrypt notifies you that the certificates have been created and are available in /etc/letsencrypt/live/<your domain 1>/ (note that this folder actually contains symlinks, not the actual files).
    [screenshot: letsencrypt_success]
  7. Now log in to your cPanel, go to the Security section -> SSL/TLS and select “Manage SSL Sites”.
  8. On this page, specify the domain to which the certificate applies, your private key (privkey.pem), your certificate (cert.pem) and the CA certificate (chain.pem).
  9. Once the information is entered, validate it; if everything is OK, the certificate is installed and your domain can now be accessed via https.
  10. The files placed in the acme-challenge folder can be deleted, as they will no longer be used, but keep the folder since it will be needed when renewing the certificate.
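The browser check in step 4 is the part that most often goes wrong on shared hosting: an extension-less challenge file is typically served as application/octet-stream (the "download" behaviour) instead of text/plain. The following script is an added example, not part of the original post nor of the letsencrypt client; it scripts that same check. It assumes hypothetical names of its own (write_challenge, check_challenge, serve_directory, demo), uses a constructed token and content in place of the ones letsencrypt prints, and uses Python's built-in file server as a stand-in for the shared host so that it runs offline, once with the default MIME handling (the failure) and once forcing text/plain (what the .htaccess is meant to achieve). On a real host, call check_challenge with the URL and content letsencrypt gave you. The check does not care which directive produced the header; note that DefaultType is an Apache 2.2 directive and is disabled in Apache 2.4, where ForceType text/plain in the same .htaccess is the equivalent.

```python
import http.server
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

# Path under the document root that the manual plugin asks you to create.
CHALLENGE_DIR = ".well-known/acme-challenge"


def write_challenge(docroot, token, content):
    """Create the acme-challenge folder, the .htaccess from the post and the
    challenge file itself; returns the path of the created file."""
    challenge_dir = Path(docroot) / CHALLENGE_DIR
    challenge_dir.mkdir(parents=True, exist_ok=True)
    (challenge_dir / ".htaccess").write_text("DefaultType text/plain\n")
    path = challenge_dir / token
    path.write_text(content)
    return path


def check_challenge(url, expected_content, timeout=10):
    """Fetch the challenge URL the way the browser check in the post does and
    return (ok, reason): status 200, Content-Type text/plain, exact content."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
            content_type = resp.headers.get("Content-Type", "")
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code} for {url}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"could not fetch {url}: {exc}"
    if status != 200:
        return False, f"unexpected status {status}"
    if content_type.split(";")[0].strip().lower() != "text/plain":
        return False, f"Content-Type is {content_type!r}, expected text/plain"
    if body.strip() != expected_content.strip():
        return False, "file content does not match what letsencrypt asked for"
    return True, "ok"


def serve_directory(docroot, force_text_plain):
    """Stand-in for the shared host: Python's built-in file server on a free
    local port. With force_text_plain=False an extension-less token file is
    served as application/octet-stream (the failure the .htaccess is meant
    to avoid); with True it behaves like a host honouring text/plain."""

    class Handler(http.server.SimpleHTTPRequestHandler):
        force_plain = force_text_plain

        def __init__(self, *args, **kwargs):
            super().__init__(*args, directory=str(docroot), **kwargs)

        def guess_type(self, path):
            return "text/plain" if self.force_plain else super().guess_type(path)

        def log_message(self, *args):  # keep the demo quiet
            pass

    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


def demo():
    """Run the check against both server behaviours; returns a dict of results."""
    # Constructed sample values; a real run uses the token and content letsencrypt prints.
    token = "constructed-token-EXAMPLE"
    content = "constructed-token-EXAMPLE.constructed-account-thumbprint"
    results = {}
    with tempfile.TemporaryDirectory() as docroot:
        write_challenge(docroot, token, content)
        for label, force in (("default_mime", False), ("forced_text_plain", True)):
            httpd, port = serve_directory(docroot, force)
            try:
                url = f"http://127.0.0.1:{port}/{CHALLENGE_DIR}/{token}"
                results[label] = check_challenge(url, content)
                if force:  # also show that a wrong file body is caught
                    results["wrong_content"] = check_challenge(url, "something-else")
            finally:
                httpd.shutdown()
                httpd.server_close()
    return results


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({reason})")
```

Running it prints one FAIL for the default MIME server (Content-Type is application/octet-stream) and a PASS once text/plain is forced, which is exactly the difference you are looking for in the browser before pressing Enter in letsencrypt.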

To renew the certificate, simply run the same command again (with the same domains). Let’s Encrypt asks whether you want to renew your certificate.

[screenshot: letsencrypt_renew]

After confirmation, the same procedure as before is repeated (from step 3). Note that the certificates expire after 3 months (90 days). The reason for this rather short lifetime is explained in a post on the Let’s Encrypt blog (in English).