Setting up HTTPS with a free SSL-certificate from Let’s Encrypt.

A friend of mine recently visited this website, and not being much of a tech person, suddenly asked in a suspicious voice: “Why does Chrome say your site is not secure?”
I was caught a bit off guard by this, and it took me a while to realize that it’s because my site is missing an SSL certificate.

You can read a more technical (and objectively better) explanation of the SSL/TLS protocols here, but the nutshell version is that TLS (and its predecessor SSL) sits underneath HTTP and encrypts the traffic between browser and server, turning plain HTTP into HTTPS, or HTTP over TLS/SSL.

The certificate itself is just a small data file that binds a cryptographic (public) key to a domain/web server, so that a browser can verify it is really talking to that server.

While a simple Google search on the subject reveals that many different companies are quick to try and sell you one of these certificates, there is also an alternative.
Let’s Encrypt is a global, nonprofit Certificate Authority (CA) with an impressive track record. Their mission is “to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS.”
Sounds good to me, let’s try it out!

Installing ACME client

Let’s Encrypt recommends obtaining and installing the certificate with Certbot, its reference ACME client.

Right on the front page there’s a nifty little system that asks what software/operating system combo you’re using, and provides an installation guide based on your answers.
(e.g. I’m using Apache running on Ubuntu 18.04)

First, we need to install Certbot. As I said, my web server runs on Ubuntu, and the Certbot team maintains a Personal Package Archive (PPA) I can use:

(Please note that PPAs don’t undergo the same process of validation as regular Ubuntu packages, so be careful with them!)
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

For clarity, here’s what the commands do:

  • sudo apt-get install software-properties-common – installs the add-apt-repository script used below. In practice it is just a handy tool for adding and removing PPAs.
  • sudo add-apt-repository universe – Enables Ubuntu’s universe repository, where Certbot’s dependencies live.
  • sudo add-apt-repository ppa:certbot/certbot – Adds the Certbot team’s Launchpad PPA to your system.
  • sudo apt-get install python-certbot-apache – Installs Certbot together with the plugin that configures Apache automatically. This command will depend on your setup, but you can also just use sudo apt-get install certbot and run through the installer manually.

Obtaining the certificate

If you are going with the manual installer (sudo certbot certonly), you will need to supply the installer with your domain name and webroot when prompted.
I have my Apache running multiple sites in parallel with VirtualHost, so I opted to go with the Apache installer (sudo certbot --apache) in order to simplify the process.
Certbot is pretty clear and vocal about the installation process and possible errors, has great logging capabilities and good documentation if you run into trouble.

Remember to open port 443 from your firewall!

HTTPS uses port 443, so if your site becomes unreachable over HTTPS after the installer finishes successfully, a closed port is the most likely reason.

Closing thoughts

Acquiring the certificate from Let’s Encrypt was a pleasant experience.
I would especially like to mention the Certbot installer plugins, that are available for all major web servers (Apache, Nginx, etc.) and made this process nice and streamlined.

It’s worth noting that Let’s Encrypt certificates are valid for only 90 days, and they don’t offer OV or EV certificates.
Renewing the certificate, however, is really simple: the Certbot package installs a cron job (or systemd timer) on your system that does it automatically. (sudo certbot renew --dry-run simulates a renewal without touching the real certificate.)
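To verify the two things the sections above warn about (is port 443 actually answering, and how far away is the 90-day expiry), here is a small check script. It is an added example, not part of the original post or of Certbot; it assumes GNU `date` (for `-d`) and `openssl` on the machine running it, and the 30-day threshold is Certbot’s default renewal window.

```shell
#!/bin/sh
# Added example (not from the post or Certbot): post-install HTTPS sanity check.
# Assumes GNU `date` (-d) and openssl. Certbot renews once fewer than 30 days remain.

RENEW_THRESHOLD_DAYS=30   # Certbot's default renewal window

# cert_days_left 'notAfter=<date>' [now_epoch]
# Turns the `openssl x509 -enddate` line into whole days remaining (negative if expired).
cert_days_left() {
    end_str=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    end=$(date -u -d "$end_str" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# needs_renewal DAYS -> exit status 0 when the certificate is inside the renewal window
needs_renewal() {
    [ "$1" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# check_https HOST: fetch the live certificate from port 443 and report on it.
# Fails loudly when nothing answers on 443 (the firewall case described above).
check_https() {
    host=$1
    enddate=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null) || {
        echo "ERROR: no TLS listener on $host:443 (firewall closed? Apache not reloaded?)" >&2
        return 2
    }
    days=$(cert_days_left "$enddate") || return 1
    if needs_renewal "$days"; then
        echo "WARN: $host certificate expires in $days days; try: sudo certbot renew --dry-run"
    else
        echo "OK: $host certificate valid for $days more days"
    fi
}

# Usage: sh check_https.sh example.com
if [ $# -gt 0 ]; then
    check_https "$1"
fi
```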

I would gladly recommend Let’s Encrypt to anyone looking to make the internet a little safer by enabling HTTPS on their site.
