Let’s Encrypt is a Certificate Authority (CA) that issues TLS/SSL certificates free of charge through an automated client, certbot, so that any site can serve HTTPS over an encrypted connection. At the time of writing the service is in beta, and a fully automatic issue-and-install run is only supported when the web server is Apache. The idea is simple: with a single command the client is downloaded, a certificate is requested, installed, and the web server is configured to use it, all automatically, like a boss! As an example, let’s enable SSL on Apache.
Note that the details given in this article are liable to change on the Let’s Encrypt side, since the project is evolving quickly.
The principles on which Let’s Encrypt was created are:
- Free: Anyone who owns a domain name can obtain a valid certificate for it at zero cost.
- Automatic: Software running on a web server can obtain a certificate, configure it for use and take care of renewal in the background, without manual intervention.
- Secure: Let’s Encrypt serves as a platform for advancing TLS security best practices, both on the CA side and by helping site operators secure their servers properly.
- Transparent: All certificates issued or revoked are publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol is published as an open standard, and as much of the software as possible is open source.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
How Let’s Encrypt works
The usability Let’s Encrypt promises rests mainly on its client software and the automation that client provides.
The Let’s Encrypt client handles (or can handle) two separate tasks:
- obtaining a certificate for a domain;
- installing the certificate it obtained.
To obtain a certificate, the Let’s Encrypt client (certbot):
- generates a key pair and a Certificate Signing Request (CSR);
- sends the request to an ACME server;
- answers the validation challenges posed by the server, which is how the requester proves control of the domain;
- receives the signed certificate in return.
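The challenge step is where the security of the whole scheme lives, so it is worth seeing in code. The block below is an added example written for this article, not code from the page or from the Let’s Encrypt client: a stdlib-only Python model of the HTTP-01 and DNS-01 key authorization (the challenge token joined to the RFC 7638 thumbprint of the ACME account key) together with the check the CA performs on its side. The account key, the token and the helper names are constructed placeholders for illustration.

```python
"""Added example (not code from the page or from the Let's Encrypt
project): a stdlib-only model of the ACME challenge step. The client
proves control of a domain by computing a key authorization from the
challenge token and its account key; the CA fetches it and compares.
Key material and token below are constructed placeholders."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members
    only, serialised in lexicographic order with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the client must publish for a challenge: token.thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_body(token: str, account_jwk: dict) -> str:
    """Body served at http://<domain>/.well-known/acme-challenge/<token>."""
    return key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(key auth))."""
    ka = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(ka).digest())


def server_validates_http01(served: str, token: str, account_jwk: dict) -> bool:
    """CA side: recompute the expected key authorization from the token
    it issued and the account key it registered, then compare."""
    return served.strip() == key_authorization(token, account_jwk)


# Constructed sample account key (public part only; the modulus is a
# placeholder byte string, not a real RSA key) and a constructed token.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(1, 65))),  # placeholder modulus
}
TOKEN = "constructedTokenForExample-abc123"

if __name__ == "__main__":
    body = http01_body(TOKEN, ACCOUNT_JWK)
    print(f"serve at /.well-known/acme-challenge/{TOKEN}:\n  {body}")
    print("DNS-01 TXT value:", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("CA validation:", server_validates_http01(body, TOKEN, ACCOUNT_JWK))
```

The CA only signs the CSR if what it fetches from the domain matches what it computed itself from the token it issued and the account key it has on file. Whoever holds the account key must therefore also be able to write to that location on the domain, which is what ties the ACME account to actual control of the name; a token copied from someone else’s challenge is useless without the matching key.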
Once the certificate has been obtained, the client installs it, together with the corresponding private key and the intermediate certificates, where the web server can find them; finally, if it knows how (for now, that means Apache HTTP Server or Nginx), it configures the server to use them and reloads it.
The client also keeps track of the certificates it has obtained. Run at regular intervals, it repeats the procedure automatically when it detects that a certificate is about to expire.
Ultimately, the goal is clearly that an administrator can set up TLS with a single command and then forget that Let’s Encrypt exists.
Using Let’s Encrypt elsewhere than on the production server
The Let’s Encrypt client is designed to run directly on the server where the requested certificate will be used. This is done in the name of usability and automation: it is what lets the client answer the validation challenges and configure the server to use the resulting certificate.
The problem is that this means running, on a production server, a piece of code that is clearly stamped BETA SOFTWARE and that:
- requires root privileges;
- directly manipulates cryptographic keys;
- installs and modifies packages on the system;
- edits the server software’s configuration files.
XSbyte uses the i-MSCP Let’s Encrypt plugin, so you can obtain free SSL certificates for all your domains.