Since 2014, HTTPS encryption of a website has been a ranking signal for Google. Obtaining a certificate for a domain has traditionally cost money and, on top of that, time. With Let's Encrypt there is now a certificate authority that issues certificates for encrypted websites largely automatically and, above all, free of charge.
Let's Encrypt is an initiative founded with the goal of encrypting the entire World Wide Web. The service is operated by the non-profit Internet Security Research Group (ISRG), which is backed by sponsors such as Mozilla, Akamai, Cisco, Google Chrome, Facebook, IdenTrust and the Electronic Frontier Foundation (EFF), a non-governmental organisation that campaigns for civil liberties in the information age.
What does HTTPS do?
Metaphorically speaking, it is part of the DNA of the internet that all connected devices can communicate with each other. The devices (computers, smartphones, etc.) use dedicated protocols for this. The World Wide Web is built on the Hypertext Transfer Protocol, HTTP for short. Websites are essentially hypertext documents that a web server delivers to an interested user (via a browser).
If the website is not encrypted, third parties who gain access to the LAN or WLAN (which is possible in various ways) can read and manipulate the data exchanged between the end user and the web server in plain text.
With HTTPS the exchanged documents are encrypted, so that only the user's computer (more precisely, the browser) and the web server hosting the site can read the information. The encryption uses the TLS protocol, also known by its earlier name SSL (Secure Sockets Layer). Encryption on its own is not enough for a secure exchange, however: without some way of confirming who is at the other end, an attacker could place himself in the middle and present his own key, so the browser would encrypt its traffic to the attacker instead of to the real site.
That is why a third, independent institution is required that vouches for the identity of the displayed site. (The need becomes clear when imagining the abuse it prevents: a replica site could pose as the real site of bank or shop XY in order to obtain confidential data.) This independent institution is called a certificate authority (CA). Let's Encrypt is exactly that: a certificate authority that issues HTTPS certificates (X.509 certificates) for domains.
Users recognise an encrypted connection by the https:// prefix in the address bar and by a padlock symbol, often highlighted in green, which can be clicked to display details of the certificate and of the certificate authority that issued it.
How does Let's Encrypt verify that a domain is under the applicant's control?
Website owners who want an HTTPS certificate from Let's Encrypt register with the certificate authority from their own server, using an ACME client, and request a signed certificate for the domain.
Let's Encrypt then sets the web server a challenge it has to solve. A typical challenge is to publish a value derived from the client's account key at a specific URL on the domain, which Let's Encrypt then retrieves over plain HTTP on port 80. If the response matches, Let's Encrypt takes this as proof that the requester actually controls the domain. Every request to the CA is additionally signed with the client's private account key and carries a one-time value (nonce) issued by the CA, so that earlier messages cannot be replayed. Once the domain is validated, the CA signs the certificate; browsers check that signature on every HTTPS connection and thereby identify the web server.
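The validation step described above, worked through as an added example (this is illustrative code, not the Let's Encrypt client). It shows the ACME http-01 challenge as specified in RFC 8555: the client computes the RFC 7638 thumbprint of its account key, publishes token.thumbprint under /.well-known/acme-challenge/, and the CA fetches and compares it. The token and the account key are constructed placeholders, the "HTTP fetch" is a dictionary lookup, and the token check before building a path is an assumption about what a careful client should do, not something the page states.

```python
"""
ACME http-01 challenge mechanics (RFC 8555 / RFC 7638), added illustration.
Example code, not the Let's Encrypt client; no network access takes place.
"""
import base64
import hashlib
import json
import re

# Constructed, hypothetical challenge token of the kind the CA hands out
# (base64url, at least 128 bits of entropy).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Constructed placeholder for the client's RSA account key in JWK form.
# Only the public members e, kty and n enter the thumbprint, so a short fake
# modulus is enough to demonstrate the computation; this is NOT a real key.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
    "kid": "https://acme.example/acct/1",  # extra members are ignored by the thumbprint
}

_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")  # 22 base64url chars = 128 bits


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with keys in lexicographic order and without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def is_valid_token(token: str) -> bool:
    """Assumed client-side check: the token becomes part of a file path, so a
    hostile or buggy CA must not be able to smuggle '/' or '..' into it."""
    return bool(_TOKEN_RE.match(token))


def challenge_path(token: str) -> str:
    if not is_valid_token(token):
        raise ValueError("refusing token with characters outside base64url")
    return "/.well-known/acme-challenge/" + token


def key_authorization(token: str, jwk: dict) -> str:
    """Client side: the value to publish is token '.' thumbprint(account key).
    Binding in the thumbprint proves that whoever controls the web root also
    holds the account key that signs the certificate request."""
    return token + "." + jwk_thumbprint(jwk)


def publish_challenge(domain: str, token: str, jwk: dict) -> dict:
    """Client side: what the web server must serve. Stand-in for writing the
    file into the web root; returns {(host, path): body}."""
    return {(domain, challenge_path(token)): key_authorization(token, jwk)}


def ca_validates(served: dict, domain: str, token: str, jwk: dict) -> bool:
    """CA side: fetch http://<domain>/.well-known/acme-challenge/<token> over
    plain HTTP on port 80 and compare with the expected key authorization.
    `served` stands in for that HTTP fetch."""
    body = served.get((domain, challenge_path(token)))
    if body is None:
        return False  # 404: nothing published, validation fails
    # RFC 8555 allows the CA to ignore trailing whitespace in the body.
    return body.rstrip() == key_authorization(token, jwk)


if __name__ == "__main__":
    served = publish_challenge("domain.de", TOKEN, ACCOUNT_JWK)
    print("publish at :", challenge_path(TOKEN))
    print("body       :", key_authorization(TOKEN, ACCOUNT_JWK))
    print("CA accepts :", ca_validates(served, "domain.de", TOKEN, ACCOUNT_JWK))
```

Two points worth noticing: the thumbprint depends only on the public key material, so adding or reordering JWK members does not change it; and the CA's fetch is unauthenticated HTTP on port 80, which is exactly why the standalone client below needs that port and why the web server has to make way for it.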
Why are Let's Encrypt certificates time-limited?
Like every other SSL/TLS certificate, a Let's Encrypt certificate has a limited validity period, currently 90 days. Commercial providers limit validity too, but depending on the type of certificate their periods usually range from one to five years. With the shorter period Let's Encrypt wants to achieve two things:
- To limit the damage from abuse faster: a stolen key or a wrongly issued certificate becomes useless after at most 90 days, even if it is never revoked
- To increase the pressure to automate the issuance process
At the moment a certificate still has to be requested manually. Once all processes run automatically, the validity period is to be reduced to as little as 30 days, with renewal then of course being carried out automatically.
Guide to installing a TLS/SSL certificate from Let's Encrypt
At the moment Let's Encrypt is still in beta and may therefore still contain bugs. Nevertheless its certificates are already trusted by all common browsers and operating systems.
For requesting and signing certificates Let's Encrypt uses an open protocol, ACME (Automated Certificate Management Environment), over which the client talks to the certificate authority. The official client requires root rights. In the standalone mode used below it also answers the validation request on port 80 itself, so the web server has to be stopped temporarily.
1. Install the ACME client
cd /opt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Before the client is run the web server has to be stopped so that port 80 is free for the client. Then the certificate is requested from the certificate authority:
./letsencrypt-auto certonly --standalone --rsa-key-size 4096 -d domain.de -d www.domain.de
The options mean:
- certonly: the certificate is only obtained and stored; the client does not touch the web server configuration.
- --standalone: the client runs its own small web server on port 80 to answer the validation request (which is why the real web server has to be stopped).
- --rsa-key-size 4096: instead of the default 2048-bit RSA private key, a 4096-bit key is generated.
- -d: the domains the certificate is requested for; subdomains can be listed here too, one -d per name.
When the client runs, the terms of service have to be accepted and an email address given; it is used for renewal reminders and so that Let's Encrypt can reach the owner if there are security problems. Once the request has gone through, the client stores the certificate files under /etc/letsencrypt/live/[domain]/ (these are symlinks to the current versions in /etc/letsencrypt/archive/, so the paths stay stable across renewals):
- cert.pem: the server certificate (the public part)
- chain.pem: the intermediate certificate(s) of the certificate authority that link cert.pem to a root trusted by browsers
- fullchain.pem: cert.pem followed by chain.pem in one file
- privkey.pem: the private key; it must never leave the server and should be readable by root only
This completes the request. Now the certificate only has to be configured in the web server.
Which of these files are needed depends on the web server.
Apache (from 2.4.8) and nginx need fullchain.pem and privkey.pem:
Apache below 2.4.8 cannot process the fullchain.pem file and instead needs cert.pem and chain.pem separately, plus privkey.pem again:
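The two Apache variants as an added example configuration (not taken from the original page), assuming the domain domain.de and the client's default path /etc/letsencrypt/live/. For nginx the equivalent directives are ssl_certificate (pointing at fullchain.pem) and ssl_certificate_key (pointing at privkey.pem).

```apache
# Apache 2.4.8 and newer: SSLCertificateFile may contain the whole chain,
# so fullchain.pem and privkey.pem are all that is needed.
<VirtualHost *:443>
    ServerName  domain.de
    ServerAlias www.domain.de
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/domain.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.de/privkey.pem
</VirtualHost>

# Apache older than 2.4.8: the intermediate chain has to be given separately
# via SSLCertificateChainFile; fullchain.pem would not be handled correctly.
<VirtualHost *:443>
    ServerName  domain.de
    ServerAlias www.domain.de
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/domain.de/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domain.de/chain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/domain.de/privkey.pem
</VirtualHost>
```

Whichever variant applies, the intermediate chain must be served: a browser that does not already know the Let's Encrypt intermediate will otherwise show a trust error even though the server certificate itself is valid. After configuring, check with a command such as openssl s_client -connect domain.de:443 -servername domain.de that the server presents the full chain.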
The web server can now be started again and should present the TLS/SSL certificate.
For renewal the web server has to be stopped again, because the client once more needs port 80. The Let's Encrypt certificate can then be renewed with the command below. Note that --rsa-key-size has to be repeated, otherwise the renewed key falls back to the 2048-bit default, and that the web server has to be restarted afterwards so that it loads the new files:
/opt/letsencrypt/letsencrypt-auto certonly --standalone --renew-by-default --rsa-key-size 4096 -d domain.de -d www.domain.de