
LetsEncrypt in Apache on Ubuntu

I heard about LetsEncrypt not long after its launch in April 2016. They describe themselves in their blurb thusly:

“Let’s Encrypt is a free, automated, and open Certificate Authority.”

Sounds great. What does that mean?

The downside of using SSL certificates has always been the non-trivial amount of bureaucracy and technical management involved. Traditionally, certificates cost money, require fiddly web server configuration and a process to prove you control the domain, and much of this has to be repeated at renewal time before the certificate expires.

Let’s Encrypt aim to make the process so simple, so automated and so free that the barrier to people enabling SSL on their sites is removed. Let’s see how good it is.

Where most CAs have websites for uploading Certificate Signing Requests, validating domain ownership and downloading the resulting certificates, Let’s Encrypt provide a simple tool that you install on your web server. It performs several functions: generating the private key locally (it never leaves your server), requesting the certificate, automatically proving control of the domain to the CA and installing the certificate into supported web servers. It’ll even renew the certificates for you if you schedule the command – handy since their certs are only valid for 90 days.

Durdle.com is hosted on a Digital Ocean “Droplet” – a low cost virtual server running Ubuntu. I think they’re backed by Amazon’s AWS, so technically I could be doing this myself on Amazon, but Digital Ocean have done a great job of hiding the AWS complexity and presenting a highly functional and intuitive control panel.

The team at Digital Ocean were helpful enough to put together a guide to using Let’s Encrypt on their platform. This was tremendously useful, walking me through the three steps needed to get up and running. I have genuinely spent more time writing this post than I did getting Let’s Encrypt working on Durdle.com. The steps are so simple:

Install the certbot-auto tool and make it executable:

cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x /usr/local/sbin/certbot-auto

Issue the request for the certificate:

certbot-auto --apache -d durdle.com

You can add further -d parameters for additional subdomains, but put the base domain first: the first name becomes the certificate’s primary name (its Common Name) and certbot names the resulting directory under /etc/letsencrypt/live/ after it.

After the dependencies are installed, the tool shows a step-by-step guide to customise the certificate options. You enter an email address for lost key recovery and notices, and can choose between allowing both http and https access or forcing all requests to redirect to https. I redirected all traffic to https.

At this point, assuming standard installs of Apache and the required libraries, your site will be active on https with the new certificate. If you check the details of the cert you’ll see it is due to expire in 90 days, so we need to automate renewals to eliminate the final fiddly step of traditional SSL.

Renewing the cert is as simple as running:

certbot-auto renew

Running it immediately won’t do anything: by default certbot only renews a certificate once it is within 30 days of expiry, so a freshly issued 90-day cert is left alone. We can schedule it to run regularly with cron to make sure the renewal occurs before expiry. Edit root’s crontab:

sudo crontab -e

And add this line to run the renewal every Monday at 2.30am, capturing stderr as well as stdout so that failures land in the log rather than in root’s cron mail:

30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log 2>&1

Since certbot only renews inside the last 30 days of a certificate’s life, a weekly run gets roughly four attempts before the cert lapses. The certbot project itself recommends running renew at least daily (ideally twice a day) to leave more room for a transient failure, and it is worth checking the log occasionally rather than trusting that cron is quietly doing its job.
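The bare cron line above works, but a renewal job that fails silently for weeks is the classic way a Let’s Encrypt site ends up with an expired certificate. The wrapper below is an added example, not code from the original post or from the certbot project: it runs the renewal, reloads Apache, then re-reads the live certificate and warns in the log if it is still inside the renewal window, which means renewals are failing. The paths, the durdle.com lineage name, the apache2 service name and the use of GNU date for -d are assumptions to adjust for your box; --no-self-upgrade and --quiet are real certbot-auto options.

```shell
#!/bin/sh
# le-renew.sh: cron wrapper around "certbot-auto renew" for an Apache/Ubuntu box.
# Added example, not from the original post or the certbot project.
# Assumptions: certbot-auto in /usr/local/sbin, lineage named after the first
# -d domain (durdle.com), Apache installed as the "apache2" service, GNU date.

CERTBOT=${CERTBOT:-/usr/local/sbin/certbot-auto}
LOG=${LOG:-/var/log/le-renew.log}
DOMAIN=${DOMAIN:-durdle.com}
LIVE_CERT="/etc/letsencrypt/live/$DOMAIN/cert.pem"
RENEW_WITHIN_DAYS=30   # certbot's default renewal window

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*"
}

# Print the seconds until the certificate expires, given the "notAfter=..."
# line that "openssl x509 -noout -enddate" prints.  An optional second argument
# pins "now" (epoch seconds) so the arithmetic can be exercised offline.
seconds_until() {
    enddate=${1#notAfter=}
    end_epoch=$(date -u -d "$enddate" +%s) || return 1
    now_epoch=${2:-$(date -u +%s)}
    echo $(( end_epoch - now_epoch ))
}

# Exit 0 when fewer than RENEW_WITHIN_DAYS remain, i.e. when "renew" should act.
renewal_due() {
    [ "$1" -lt $(( RENEW_WITHIN_DAYS * 86400 )) ]
}

# After a renewal run the live cert should be outside the renewal window.
# If it is not, renewals are failing and the log needs a human before the
# 90 days run out.
check_lineage() {
    [ -r "$LIVE_CERT" ] || { log "no certificate at $LIVE_CERT"; return 1; }
    enddate=$(openssl x509 -in "$LIVE_CERT" -noout -enddate) || return 1
    secs=$(seconds_until "$enddate") || return 1
    log "$DOMAIN expires in $(( secs / 86400 )) days ($enddate)"
    if renewal_due "$secs"; then
        log "WARNING: $DOMAIN still inside the renewal window after 'renew'"
        return 1
    fi
}

main() {
    log "starting renewal run"
    # --no-self-upgrade stops certbot-auto replacing itself unattended from cron;
    # --quiet limits output to errors, which is all a log needs.
    rc=0
    "$CERTBOT" renew --no-self-upgrade --quiet || rc=$?
    if [ "$rc" -ne 0 ]; then
        log "certbot-auto renew exited with status $rc"
    else
        log "certbot-auto renew completed"
    fi
    # Make sure Apache is serving the new certificate.  The apache plugin
    # normally restarts it after a renewal; a graceful reload is harmless.
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload apache2 || log "apache2 reload failed"
    else
        service apache2 reload || log "apache2 reload failed"
    fi
    check_lineage
}

# Only act when invoked as "le-renew.sh run" (e.g. from cron), so the
# functions can be sourced and checked without touching certbot or Apache.
if [ "${1:-}" = run ]; then
    main >> "$LOG" 2>&1
fi
```

Install it as /usr/local/sbin/le-renew.sh, make it executable, and point cron at it instead of calling certbot-auto directly, for example `0 */12 * * * /usr/local/sbin/le-renew.sh run` for the twice-daily cadence the certbot project recommends. The WARNING line is what you grep for, or feed into whatever monitoring you already have.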

Done! The certbot-auto tool even deployed some best-practice SSL options to the Apache configuration, resulting in an A rating on the SSL Server Test at SSL Labs.

Finally, if you make use of LetsEncrypt at all, and you have the means (which, let’s face it, you almost certainly do), you’d do well to donate to them to support the effort. I’ve given them the amount I would have spent on StartCom’s annual validation fee. Well worth it.