My first steps with Let’s Encrypt

A first look at the Let’s Encrypt Certificate Authority, including a walkthrough of how to create your first SSL certificate

On a testing machine I installed over the weekend, I had a chance to give Let’s Encrypt a try.


Introduction

For those who don’t know, Let’s Encrypt provides free SSL certificates. While several CAs already offer them on a domain-validated basis, Let’s Encrypt is mostly automated from the end-user point of view and issues certificates instantly. The drawbacks are that its certificates expire within three months, and that it doesn’t support wildcard certificates (yet).

The Let’s Encrypt client

To get a certificate, you can use their client, which provides various modes, including automatic installation within your webserver. I opted for the manual mode:

  1. To install the client on your system, clone the respective git repository with
    git clone https://github.com/letsencrypt/letsencrypt
  2. To create a 4096-bit key, request a certificate for several host names and have it issued, invoke the client via
    letsencrypt/letsencrypt-auto certonly --standalone --rsa-key-size 4096 --email your.email@your.domain --domains hostname.your.domain,your.domain,www.your.domain

    If you are familiar with their terms of service and agree to them, you can add --agree-tos to the command line to skip the prompt.

  3. The Let’s Encrypt client now tries to verify the domain(s), so ensure beforehand that the DNS A or AAAA records point to your server’s IP and that your firewall allows the connection.
  4. If all went well, the new certificate resides in /etc/letsencrypt/live/your.domain and can be included in your mail, web and other application server. Don’t forget to renew it in due time.
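As an added example (not from the post and not part of the Let’s Encrypt client), a small Python preflight covering the two things steps 3 and 4 depend on: that every name in the --domains list from step 2 actually resolves to the server, and how many days are left before the issued certificate expires. It assumes the comma-separated --domains syntax shown above, the `notAfter=` line printed by `openssl x509 -noout -enddate`, and a 30-day renewal threshold (my assumption, chosen against the three-month lifetime).

```python
import socket
from datetime import datetime, timezone

# Assumption: renew once fewer than 30 of the ~90 days of validity remain.
RENEW_BEFORE_DAYS = 30


def resolve(domain, family):
    """Return the set of addresses of one family (A or AAAA) for a domain."""
    try:
        infos = socket.getaddrinfo(domain, None, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # no record of that type, or name does not exist
    return {info[4][0] for info in infos}


def check_domains(domains_arg, server_ips):
    """Map each name in the --domains list to True if one of its A/AAAA
    records points at this server; the validation in step 3 fails otherwise."""
    server_ips = set(server_ips)
    result = {}
    for domain in domains_arg.split(","):
        domain = domain.strip()
        if not domain:
            continue
        records = resolve(domain, socket.AF_INET) | resolve(domain, socket.AF_INET6)
        result[domain] = bool(records & server_ips)
    return result


def days_until_expiry(enddate_line, now=None):
    """Parse 'notAfter=Dec 31 23:59:59 2015 GMT' (openssl -enddate output)
    and return the whole days left. `now` is an optional ISO-8601 string."""
    _, _, value = enddate_line.strip().partition("=")
    not_after = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    not_after = not_after.replace(tzinfo=timezone.utc)
    current = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    return (not_after - current).days


def renewal_due(enddate_line, now=None):
    """True when the certificate should be renewed now."""
    return days_until_expiry(enddate_line, now) < RENEW_BEFORE_DAYS


if __name__ == "__main__":
    # Constructed sample values; replace with your own names and server IP.
    print(check_domains("localhost", ["127.0.0.1", "::1"]))
    print(renewal_due("notAfter=Dec 31 23:59:59 2015 GMT"))
```

Run the expiry check against `openssl x509 -in /etc/letsencrypt/live/your.domain/cert.pem -noout -enddate` from cron to get a reminder before the three months are up.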

Alternatives

Running a client with system permissions is not everyone’s favorite option – there are several other means of getting your certificates, including a purely web-based one (which I haven’t tested myself yet).

Author: Florian Effenberger

Florian has been committed to free software for over 18 years and is one of the founders of The Document Foundation, the foundation behind LibreOffice

3 thoughts on “My first steps with Let’s Encrypt”

  1. Seems I also managed my first renewal run. Here’s how it worked for me:

    1. Stop your web server
    2. letsencrypt/letsencrypt-auto renew --standalone --rsa-key-size 4096 --email your.email@your.domain --dry-run
    3. If all goes well, repeat the above, removing --dry-run
    4. Restart your web server
    5. Enjoy :-)
