Let's Encrypt!

I’ve been meaning to add SSL certificates to my domains for quite a while now, but the work required has always been slightly too much for it to be worth it, especially on sites which don’t serve any information which needs to remain confidential. Let’s Encrypt’s chief selling point is the ease with which it promises SSL certification, and coupled with Google’s recent announcement that it will soon visibly shame HTTP-only sites, I thought it was finally time to certify the websites I run.

I run quite a conventional Apache setup, and I found the Let’s Encrypt process as seamless as the website promises, with some caveats. For the majority of sites, it really was just a matter of cloning the repository and then running letsencrypt-auto --apache and following the instructions.

The issues I ran into were fairly minor:

  1. A known bug when generating nonces. This bug was fixed overnight, and was only a minor annoyance in the process of generating the certificates.
  2. letsencrypt-auto won’t touch Apache .conf files containing multiple VirtualHosts. I’m not entirely sure why this is. This means that while you will get a certificate, you will have to set up Apache to use it manually.
  3. letsencrypt-auto similarly won’t touch Rewrite rules if there are already some defined. This isn’t as surprising, and I would rather the program be cautious than clobber existing definitions; you will need to modify these yourself.
  4. When modifying .conf files the program doesn’t seem to care about existing indentation, which I found visually grating.

If the program doesn’t run into any issues, it will generate the certificates and modify your configuration files to set up the new site. Optionally, you can tell it to redirect all HTTP requests to HTTPS, in which case it will add the following Rewrite lines:

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
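For the case in caveat 2 above, where the client issues the certificate but leaves a multi-VirtualHost .conf alone, the following is an added example of the manual Apache configuration (my illustration, not output of letsencrypt-auto or text from the original post); it assumes the domain example.com, a DocumentRoot of /var/www/example, mod_ssl and mod_rewrite enabled, and the file names the client writes under /etc/letsencrypt/live/example.com/.

```apache
# Added example: manual HTTPS setup for one site whose .conf letsencrypt-auto
# would not modify. Hostname, DocumentRoot and cert directory are assumptions.

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example

    # Same redirect the client would add with the HTTPS-only option.
    # %{SERVER_NAME} is taken from ServerName only when UseCanonicalName is On;
    # with the default (Off) it comes from the client's Host header.
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    # fullchain.pem = leaf certificate followed by the intermediate, so Apache
    # 2.4.8 or later serves the full chain from this one file. Older versions
    # need SSLCertificateFile cert.pem plus SSLCertificateChainFile chain.pem.
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Any Rewrite rules the site already had (caveat 3) belong in this block;
    # in the :80 block they would never be reached after the redirect above.
    RewriteEngine on
</VirtualHost>
```

After reloading Apache, `openssl s_client -connect example.com:443 -servername example.com` should show the Let's Encrypt intermediate in the chain; if it does not, the older SSLCertificateChainFile form is needed.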

Overall, I’m quite happy with the process, which was much less involved than certification I have set up previously. Certificates are generated with 90-day validity, which means that you will have to either automate their renewal (possible as explained on the How It Works page linked above) or simply set up a reminder. Given that the certificates are free, and HTTPS-only is looking likely to be the standard for the internet soon, it’s well worth adding.

*****
Written by Feroz Salam on 29 January 2016