Let's Encrypt and let's go


Last week saw the start of the Public Beta period for Let’s Encrypt and the start of a more secure internet for all. For free. The project has been in development for at least a year, was due in the summer and has just now finally been cleared for public usage. This is something of a game-changing moment, but not something the public is aware of. It means that any site that wants that little green padlock in the location bar can now install a certificate easily. And given that Google (and presumably other search engines) are starting to penalise sites that are not running over HTTPS, this will become a greater issue over time. I decided to try it out on a few domains…

Before Let’s Encrypt, the two big stumbling blocks to setting up HTTPS were, first, the cost and, second, the sheer difficulty of getting the certificates installed and working. Although the cost of a certificate varies widely depending on where you buy it, it still costs money. And installing the certificates, once you have them, means putting some arcane directives into your web server’s configuration files. And all of this has to be repeated every year.

Let’s Encrypt changes all this by providing a set of scripts that automate the installation of SSL certificates, and by providing those certificates for free. Although the scripts are currently focussed on Apache and NGINX servers, more will become available as the system moves through public beta. In theory this makes it almost automatic and, although the certificates are only issued for 90 days, renewing them on a 60 or 90 day basis is straightforward.

First attempt on an Ubuntu server

Well, that’s the theory; how does it work in practice? I decided to start with my own server and domains. This is (or was) a standard Ubuntu 12.04 install with Apache 2.2.22. I did the installation by following the instructions on the Let’s Encrypt website (basically, clone the git repo) and then ran

$ ./letsencrypt-auto --apache -d gnomedia.com -d www.gnomedia.com

and… no luck. I get the message “No vhost exists with servername or alias of: gnomedia.com. No vhost was selected.” To cut a long story short, there was nothing I could do to persuade Let’s Encrypt to find the configuration files and believe them.

I had the idea that this was because it was an old version of Apache, so I updated Apache (and PHP) to the latest versions. This was something I’d been meaning to do anyway; this just gave me the push to do it. But still no luck: same error message.

What does work is simply to fetch the certificates and then install them by hand. I use this to fetch the certificates:

$ ./letsencrypt-auto --text --agree-tos --email support@domain.com certonly --renew-by-default --webroot --webroot-path /home/domain/public_html/  -d domain.com -d www.domain.com

and then follow the usual Apache instructions to install them manually.

Installing on a cPanel server

After the above experience I was a bit hesitant to go ahead and install on a production site, but after reading these instructions from cPanel themselves, I decided it couldn’t be too bad.

Following those instructions, it all went very smoothly. In fact it took about 20 minutes to have a domain set up and running with HTTPS.

Some Gotchas on the way

If you are using --webroot and are getting the warning “Client lacks sufficient authorization”, try removing any .htaccess file in the way and running again (you can put the .htaccess back after a successful run). The validation request is a plain HTTP fetch of a file under /.well-known/acme-challenge/ in that webroot, so anything in a .htaccess that denies, redirects or password-protects that path stops the CA from reading the challenge.
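As an added example (not the author's code or anything from the Let's Encrypt client), the small Python diagnostic below lists the .htaccess files that sit between a webroot and the acme-challenge directory and the directives in each that typically cause this warning; the sample webroot it builds is a constructed fixture, not a real site.

```python
import re
import tempfile
from pathlib import Path

CHALLENGE_PATH = Path(".well-known") / "acme-challenge"

# Whole-line patterns for directives that commonly hide the challenge file
# from the CA's HTTP fetch: access denial, rewrites, and HTTP authentication.
BLOCKING_PATTERNS = [
    re.compile(r"^\s*(deny\s+from\s+all.*)$", re.I | re.M),
    re.compile(r"^\s*(require\s+all\s+denied.*)$", re.I | re.M),
    re.compile(r"^\s*(RewriteRule\b.*)$", re.I | re.M),
    re.compile(r"^\s*(AuthType\b.*)$", re.I | re.M),
]


def htaccess_in_the_way(webroot):
    """Return [(relative .htaccess path, [suspect directives])] for every
    .htaccess on the path from webroot down to the challenge directory."""
    webroot = Path(webroot)
    dirs = [webroot, webroot / ".well-known", webroot / CHALLENGE_PATH]
    found = []
    for d in dirs:
        ht = d / ".htaccess"
        if not ht.is_file():
            continue
        text = ht.read_text()
        hits = sorted({m.group(1).strip()
                       for p in BLOCKING_PATTERNS for m in p.finditer(text)})
        found.append((str(ht.relative_to(webroot)), hits))
    return found


def build_sample_webroot():
    """Constructed fixture: a webroot whose top-level .htaccess password-
    protects and rewrites everything, while .well-known only disables
    directory listings (harmless for the challenge)."""
    root = Path(tempfile.mkdtemp())
    (root / CHALLENGE_PATH).mkdir(parents=True)
    (root / ".htaccess").write_text(
        'AuthType Basic\nAuthName "Staging"\nRequire valid-user\n'
        "RewriteEngine On\nRewriteRule ^(.*)$ index.php [L]\n")
    (root / ".well-known" / ".htaccess").write_text("Options -Indexes\n")
    return root


if __name__ == "__main__":
    for path, hits in htaccess_in_the_way(build_sample_webroot()):
        print(f"{path}: {', '.join(hits) or 'no blocking directive found'}")
```

Point it at the same path you pass to --webroot-path; a file that shows up with an empty list is usually safe to leave in place.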

If you find that you are ending up with certificates from “happy hacker fake”, it means you are getting test certificates from the Let’s Encrypt staging server. In my case it was because I had been playing around with a ‘cli.ini’ file and had put the staging server in there as a test, and forgot to remove it.

Some resources: