yaakov.online

I fight with computers

Switching to Let's Encrypt

Setting up a website nowadays is a very easy process (compared to last decade), but SSL/TLS is still typically a pain in the rear end. It's also expensive: typically $10/year and up for a certificate, per domain.

Let's Encrypt is a free and automated Certificate Authority that launched earlier this year with the goal of being a Certificate Authority that people can use to secure the internet, rather than being a Certificate Authority that investors can use to make money.[1]

A noble goal, indeed.

I tried using Let's Encrypt about a year ago - the last time my certificates expired - but it wasn't ready just yet. Now, after many months in beta, and with backing from some of the biggest names of the internet, it's finally in a position where I can use it.

Using it with their recommended client certbot is surprisingly easy. All I had to do was follow their instructions, with two caveats that make sense, but that I didn't think of in advance.

certbot writes out a challenge file to http://your-site/.well-known/acme-challenge/<token> (the ACME HTTP-01 challenge), then the Let's Encrypt servers fetch it over plain HTTP, in order to prove that you control the website.

Thus, your web server needs to serve /.well-known/acme-challenge/ as plain static files. If you, for example, transparently rewrite all requests to /index.php?path=$original_path or something like that, you need to add an exclusion (or a separate rule that matches first) so that the Let's Encrypt servers get the challenge file back rather than your front controller's response.

Likewise, if your site redirects all HTTP traffic to HTTPS, your HTTPS certificate has already expired, and you're behind Cloudflare, you'll get a 5xx error[2] instead of the .well-known contents. (I don't know what happens if the Let's Encrypt servers get an invalid SSL/TLS certificate when verifying.)
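Both caveats, the exclusion for the challenge directory and the HTTP-to-HTTPS redirect, in one nginx configuration. This is an added example, not configuration from the original post: the post does not say which web server or directory layout is in use, so nginx, example.com, /var/www/letsencrypt, /var/www/site and the PHP-FPM socket path are all assumptions. It assumes certbot is run in webroot mode (`certbot-auto certonly --webroot -w /var/www/letsencrypt -d example.com`), in which certbot writes each token under <webroot>/.well-known/acme-challenge/.

```nginx
# Added example, not from the original post. Hostnames and paths are
# placeholders; adjust to your own layout.

server {
    listen 80;
    server_name example.com www.example.com;

    # Challenge files. certbot is pointed at this directory with
    # "--webroot -w /var/www/letsencrypt", so a request for
    # /.well-known/acme-challenge/<token> maps to
    # /var/www/letsencrypt/.well-known/acme-challenge/<token>.
    # "^~" makes this prefix location win without consulting any
    # regex locations, so nothing else in this server block can
    # intercept the validator's request.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else on plain HTTP goes to HTTPS. The validator never
    # reaches this redirect, so an expired certificate on port 443 (or a
    # Cloudflare error in front of it) cannot break renewal.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # certbot's live/ directory holds the current chain and key.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/site;

    # Same exclusion on the HTTPS side, in case the validator is ever
    # redirected here.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # The site's front controller: every other path is handed to
    # index.php with the original path as a query parameter. This is
    # the kind of catch-all the post warns about. It lives inside
    # "location /" as a try_files fallback, not as a server-level
    # "rewrite", because server-level rewrites run before location
    # matching and would swallow the challenge request too.
    location / {
        try_files $uri /index.php?path=$uri&$args;
    }

    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

To check it before running certbot, drop a file named test into /var/www/letsencrypt/.well-known/acme-challenge/ and run `curl -i http://example.com/.well-known/acme-challenge/test`: you want a 200 with the file's body back, not a 301 and not your front controller's output. Keep the challenge location on the redirect-free HTTP side even though Let's Encrypt's validator follows redirects; that way renewal does not depend on port 443, or on anything in front of it, being healthy.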

I got expiration warnings for my old certificates on Friday, and within 30 minutes I had migrated all my domains over to Let's Encrypt. By adding certbot-auto to crontab, I've also now ensured that I no longer have to spend time every year battling with certificates. My usual flow was as below, for each subdomain:

  1. Generate a new key
  2. Generate a certificate signing request
  3. Upload the certificate signing request to a Certificate Authority
  4. Pay the Certificate Authority money, or, in the case of StartCom (which is free), spend ages waiting for each page to load and battling with their weird management portal.
  5. Download the new certificate
  6. Download the Certificate Authority's certificate chain
  7. Create a certificate chain starting with the top intermediate certificate and ending in my shiny new certificate
  8. Upload my new certificate chain and key to my web server
  9. Restart/hot-reload the web server process

My new flow is:

  1. Do nothing and let automation take care of everything.

Spending those 30 minutes in order to never have to do certificate renewal again is probably the best time investment I've ever made.

  1. OK, I've paraphrased somewhat here.

  2. I don't recall exactly which error code it is.