Encrypted communication has gone from “only if it’s important” to “unless you’re incredibly lazy” in four short years — and Let’s Encrypt deserves a lot of the credit for that.
Let’s Encrypt, the Internet Security Research Group’s free certificate authority, issued its first certificate a little over four years ago. Today, it issued its billionth.
The ISRG’s goal for Let’s Encrypt is to bring the Web up to a 100% encryption rate. When Let’s Encrypt launched in 2015, the idea was pretty outré — at that time, a bit more than a third of all web traffic was encrypted, with the rest being plain-text HTTP. There were significant barriers to HTTPS adoption — for one thing, it cost money. But more importantly, it cost a significant amount of time and human effort, both of which are in limited supply.
Let’s Encrypt solved the money barrier by offering its services free of charge. More importantly, by establishing a stable protocol to access them, it enabled the Electronic Frontier Foundation to build and provide Certbot, an open source, free-to-use tool that automates the process of obtaining certificates, installing them, configuring webservers to use them, and automatically renewing them.
Managing HTTPS the traditional way
When Let’s Encrypt launched in 2015, domain-validated certificates could be had for as little as $9/year — but the time and effort required to maintain them was a different story. A certificate needed to be purchased, information needed to be filled out in several forms, and then one might wait for hours before even a cheap domain-validated certificate would be issued.
Once the certificate was issued, it (and its key, and any chain certificates necessary) needed to be downloaded, then moved to the server, then placed in the right directory, and finally the Web server could be reconfigured for SSL.
On the widely used Apache Web server, the SSL portion of the configuration — alone! — might look something like this:
SSLEngine on
SSLCertificateFile /etc/apache2/certs/sitename.crt
SSLCertificateChainFile /etc/apache2/certs/sitename.ca-bundle
SSLCertificateKeyFile /etc/apache2/certs/sitename.key
SSLCACertificatePath /etc/ssl/certs/

# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression off

# OCSP Stapling, only in httpd 2.3.3 and later
#SSLUseStapling on
#SSLStaplingResponderTimeout 5
#SSLStaplingReturnResponderErrors off

# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"

None of this configuration was done for you. In the real world, a dismaying amount of cargo-cult configuration got done via cut and paste from the first site that claimed to offer a working set of configs.
If an inexperienced admin guessed wrong when looking for something to copy and paste — or a more experienced admin got sloppy and didn’t notice when standards changed — insecurity in the form of bad protocol and cipher arguments could easily creep in as well.
Every one to three years, you’d need to do the whole thing over again — perhaps only replacing the certificate and key, maybe also replacing or adding new intermediate chain certificates.
The whole thing was (and is), frankly, a mess … and can easily result in downtime if an infrequently practiced procedure doesn’t run smoothly.
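The cargo-cult problem described above is at least something you can lint for. The script below is an added example, not code from the article and not part of Apache or Certbot: it reads a mod_ssl fragment and flags the mistakes that creep in, namely legacy protocol versions left enabled (it evaluates the SSLProtocol expression the way mod_ssl does and falls back to Apache 2.4’s documented default of "all -SSLv3" when the directive is absent), cipher tokens naming RC4, DES/3DES, MD5, NULL or EXPORT that were not negated with "!", TLS compression left on, and a missing HSTS header. The two fragments it is run against, WEAK_CONF and GOOD_CONF, are constructed samples, not configuration from any real host.

```shell
#!/bin/sh
# Added example (not from the article, not Apache or Certbot tooling): lint an Apache
# mod_ssl fragment for the cargo-cult mistakes that creep in through copy and paste.

# audit_ssl_config: read an Apache SSL configuration fragment on stdin, print one finding
# per line, exit 1 if anything was found and 0 if the fragment is clean.
audit_ssl_config() {
    awk '
    BEGIN {
        # Apache 2.4 documented default when SSLProtocol is absent
        proto = "all -SSLv3"
        cipher = ""; compression = ""; hsts = 0; findings = 0
    }
    /^[[:space:]]*#/ { next }                         # skip comment lines
    tolower($1) == "sslprotocol"    { proto = ""; for (i = 2; i <= NF; i++) proto = proto " " $i }
    tolower($1) == "sslciphersuite" { cipher = $2 }
    tolower($1) == "sslcompression" { compression = tolower($2) }
    tolower($1) == "header" && tolower($0) ~ /strict-transport-security/ { hsts = 1 }
    END {
        # Evaluate the SSLProtocol expression the way mod_ssl does: "all" enables every
        # version, then each +name/-name (a bare name means +) toggles one of them.
        split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", ver, " ")
        n = split(proto, tok, " ")
        for (i = 1; i <= n; i++) {
            sign = substr(tok[i], 1, 1)
            name = (sign == "+" || sign == "-") ? substr(tok[i], 2) : tok[i]
            on = (sign != "-")
            if (tolower(name) == "all") { for (j = 1; j <= 5; j++) en[tolower(ver[j])] = on }
            else en[tolower(name)] = on
        }
        legacy = ""
        for (j = 1; j <= 3; j++) if (en[tolower(ver[j])]) legacy = legacy " " ver[j]
        if (legacy != "") { print "SSLProtocol still enables legacy versions:" legacy; findings++ }

        # Any cipher token not negated with "!" that names RC4, (3)DES, MD5, NULL or EXPORT
        weak = ""
        m = split(cipher, cs, ":")
        for (i = 1; i <= m; i++) {
            if (substr(cs[i], 1, 1) == "!") continue
            if (toupper(cs[i]) ~ /RC4|DES|MD5|NULL|EXPORT/) weak = weak " " cs[i]
        }
        if (weak != "") { print "SSLCipherSuite includes weak ciphers:" weak; findings++ }

        if (compression == "on") { print "SSLCompression on (TLS compression, CRIME)"; findings++ }
        if (!hsts) { print "No Strict-Transport-Security header set"; findings++ }
        exit (findings > 0)
    }'
}

# Constructed sample fragments (not from any real host). The first is the kind of thing that
# gets pasted from a forum post; the second is what a current configuration looks like.
WEAK_CONF=$(cat <<'EOF'
SSLEngine on
SSLCertificateFile /etc/apache2/certs/sitename.crt
SSLCertificateKeyFile /etc/apache2/certs/sitename.key
# "-SSLv2" looks like hardening but leaves SSLv3, TLSv1 and TLSv1.1 enabled
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:RC4-SHA:DES-CBC3-SHA:!aNULL:!MD5
SSLCompression on
EOF
)

GOOD_CONF=$(cat <<'EOF'
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLCompression off
SSLSessionTickets off
Header always set Strict-Transport-Security "max-age=63072000"
EOF
)

# Usage on a real host:  audit_ssl_config < /etc/apache2/sites-enabled/example.conf
# Against the samples:   printf '%s\n' "$WEAK_CONF" | audit_ssl_config   # 4 findings, exit 1
#                        printf '%s\n' "$GOOD_CONF" | audit_ssl_config   # no output, exit 0
```

The protocol check matters more than it looks: "SSLProtocol all -SSLv2" was a common paste for years and reads as hardening, but it only removes a version OpenSSL had already dropped. Run the audit in CI or before every `apachectl graceful`, and treat a non-zero exit as a blocker.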
Managing HTTPS with Let’s Encrypt and Certbot
In both removing cost and establishing a stable, reliable protocol, Let’s Encrypt also removed significant barriers to automation. The EFF stepped in to provide that automation to end users and admins with Certbot, one of the most popular ways to manage acquiring, installing, and renewing Let’s Encrypt certificates.
On an Ubuntu 18.04 or newer system, EFF’s Certbot and its various plugins are available in the main system repositories. It can be installed with two shell commands — one, if you’re willing to fudge a little and use a semicolon.
If you're using the Apache webserver, run certbot --apache. Nginx? certbot --nginx. That's it.
Jim Salter
All configured websites will display in a menu, and you can select any or all of them for update to use with Let's Encrypt.
I used to hand-write configs to redirect HTTP to HTTPS on my webservers. It wasn't hard, but it was tedious, and it didn't always happen. Certbot will do it for you.
That's it. You're done, and your sites are now configured properly for HTTPS.
With that done, a single command activates Certbot. As you interact with a simple plain-text menuing system, it fetches certificates for any or all of your sites, configures your Web server (properly!) for you, and adds a cron job to automatically renew the certificates when they're down to 30 days prior to expiration. The whole thing takes well under five minutes.
As an added touch, Certbot even offers — but does not demand — to automatically configure your Web server to redirect HTTP requests to HTTPS for you. It's just that easy.
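The menu walk-through above, as an added example that is not part of the article and not Certbot’s own code: the same procedure in the non-interactive form you would put in a provisioning script, followed by the check a practitioner actually wants, that the renewal job is really firing. Certbot renews anything with fewer than 30 days left, so a live certificate below that line means the cron job or timer is not running. The domain names, contact address and the `certbot certificates` output in SAMPLE_CERTS are constructed; the claim that the Debian/Ubuntu package installs the job as both /etc/cron.d/certbot and a certbot.timer unit is an assumption about the packaging, not something the article states.

```shell
#!/bin/sh
# Added example: non-interactive version of the certbot --apache / --nginx walk-through,
# plus a check that automatic renewal is really happening. Not from the article or Certbot.

# provision_https <apache|nginx> <contact e-mail> <domain> [domain ...]
# Same steps the interactive menu performs: obtain one certificate covering the listed names,
# write the vhost configuration, and (--redirect) add the HTTP -> HTTPS redirect.
provision_https() {
    plugin=$1; email=$2; shift 2
    domain_args=""
    for d in "$@"; do domain_args="$domain_args -d $d"; done
    # --no-eff-email answers the one remaining prompt so nothing blocks in a script.
    # shellcheck disable=SC2086  # $domain_args is intentionally word-split into -d flags
    certbot "--$plugin" --non-interactive --agree-tos --no-eff-email -m "$email" \
        --redirect $domain_args
}

# verify_renewal: exercise the renewal path without touching the live certificate
# (--dry-run talks to Let's Encrypt's staging environment) and show the scheduled job.
# Assumption: Debian/Ubuntu packages install it as /etc/cron.d/certbot and certbot.timer.
verify_renewal() {
    certbot renew --dry-run
    systemctl list-timers certbot.timer 2>/dev/null
    cat /etc/cron.d/certbot 2>/dev/null
}

# stale_certs [days]: read `certbot certificates` output on stdin and print each certificate
# the renewal job should already have replaced (fewer than <days> left, default 30, Certbot's
# own renewal point, or already expired). Exit 1 if any were found, 0 otherwise.
stale_certs() {
    awk -v limit="${1:-30}" '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
        if ($0 ~ /INVALID/) { print name " EXPIRED"; bad++ }
        else if (match($0, /VALID: [0-9]+ day/)) {
            # RSTART/RLENGTH bracket "VALID: <n> day"; drop the 7-char prefix and 4-char suffix
            days = substr($0, RSTART + 7, RLENGTH - 11) + 0
            if (days < limit) { print name " " days " days left"; bad++ }
        }
    }
    END { exit (bad > 0) }'
}

# Constructed sample of `certbot certificates` output (not captured from any host), so the
# check can be exercised offline: one healthy cert, one the renew job missed, one expired.
SAMPLE_CERTS=$(cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2020-05-27 12:00:00+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2020-03-10 12:00:00+00:00 (VALID: 4 days)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem
  Certificate Name: dead.example.com
    Domains: dead.example.com
    Expiry Date: 2020-02-01 12:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/dead.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dead.example.com/privkey.pem
EOF
)

# On a real host (e.g. from a monitoring check):  certbot certificates | stale_certs
# Offline, against the constructed sample:        printf '%s\n' "$SAMPLE_CERTS" | stale_certs
# prints "old.example.com 4 days left" and "dead.example.com EXPIRED" and exits 1.
```

Wire `stale_certs` into whatever already pages you; the failure mode with automated renewal is silent (a stopped timer, a changed vhost, a firewall now blocking port 80 for the HTTP-01 challenge), and the first symptom otherwise is an expired certificate on a Saturday.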