Set up a free https certificate for your web server from Let’s Encrypt

Improve your search engine visibility by moving to https connections!

Let’s Encrypt is a project aimed at making the internet a bit safer. The means is to automate certificate issuance to the point where the price drops to zero, or at least close to it. Let’s Encrypt hands out its certificates for free, although donations (even small ones) are welcome. Google encourages https connections by ranking them higher in search results, and the Chrome browser has started warning about non-https sites.

If your web hosting provider supports Let’s Encrypt, start using it. Even if they don’t mention it on their pages, you can still ask why it is not supported, especially if they link to commercial certificate providers.

If you run your own servers you have to work a little harder. The automation behind Let’s Encrypt means there is no web user interface for the service: you need a script on the server that installs and renews the certificate automatically. The EFF provides Certbot, which makes this easy on most Unix-like operating systems. Installation and deployment depend on the OS and web server, but the EFF’s web page has instructions for the most popular ones. There are several alternatives for Microsoft Windows.

In general you need to create a hidden directory, .well-known, on your web site, where the script creates a file for the duration of the transaction. This is how Let’s Encrypt verifies that the request comes from the correct domain. This verification method can cause problems, because the domain on the certificate must be accessible from the internet by https. For example, you cannot get a certificate for an internal-only website like an intranet (at least not without some extra steps), or for non-http services unless they run on the same server as the http server.

The script saves the public and private keys on the disk. You can set the file path in the script settings, but the default is fine as long as you add the full paths to your web server configuration.

The certificate is valid for 90 days only, but thanks to automated renewal you won’t notice when it is renewed. Let’s Encrypt recommends running the script twice a day to ensure smooth renewal. Most of the time the script does nothing, so it does not tax your server.
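The flip side of not noticing renewals is not noticing when they stop happening, so a check to run beside the twice-daily job is worth having. The script below is an added example, not code from the post or from Certbot: it reads the expiry of the certificate a site actually presents (or of a PEM file on disk) and reports when it has slipped inside Certbot’s 30-day renewal window, which is the sign that the job is failing. The host example.com is a placeholder, and the file check assumes the openssl command is installed.

```python
"""Report how long a Let's Encrypt certificate has left and whether certbot's
renewal has fallen behind (added example, not from the post)."""
import socket
import ssl
import subprocess
import sys
from datetime import datetime, timezone

# Let's Encrypt certificates are valid for 90 days and certbot renews once 30
# days or fewer remain; with the job running twice a day, a certificate still
# under that threshold a day later means renewal is failing.
RENEW_BEFORE_DAYS = 30

def parse_utc(iso: str) -> datetime:
    """Parse an ISO timestamp such as '2024-05-01T12:00:00' as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def days_remaining(not_after: str, now: datetime) -> int:
    """not_after is in the OpenSSL/ssl.getpeercert() form 'Jun 12 10:00:00 2024 GMT'."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days  # negative once the certificate has expired

def renewal_status(not_after: str, now: datetime) -> str:
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    if left <= RENEW_BEFORE_DAYS:
        return "renewal due"
    return "ok"

def live_cert_not_after(host: str, port: int = 443) -> str:
    """Fetch the expiry of the certificate the server actually presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def file_cert_not_after(path: str) -> str:
    """Read notAfter from a PEM file, e.g. certbot's /etc/letsencrypt/live/<domain>/cert.pem."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    return out.strip().split("=", 1)[1]  # strips the leading "notAfter="

if __name__ == "__main__":  # usage: python check_cert.py example.com (placeholder host)
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    not_after = live_cert_not_after(host)
    now = datetime.now(timezone.utc)
    print(f"{host}: expires {not_after}, {days_remaining(not_after, now)} days left,"
          f" status: {renewal_status(not_after, now)}")
```

Run it from cron or a monitoring job and alert on anything other than "ok"; a status of "renewal due" that persists for more than a day means the renewal script is not doing its work.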

The certificate on this site is from Let’s Encrypt. You can check it by clicking on the lock symbol in the address bar (or whatever symbol your browser uses).
