Let's Encrypt: a real open certificate authority
I ran into Let's Encrypt project few months ago, after reading on the website of an independent radio that they finally solved their own issues with SSL by creating a Valid Certificate using Let's Encrypt.
At the beginning I imagined that they would have created something like self-signed certificates or something that, at the end, wouldn't be valid completely or at least not useful without user's validation. Surprisingly this was not the case, they either have a valid certificate and the browser used to like it too.
I was curious and I wanted to go in deep with this. The opportunity fell from the sky, when after revoking a certificate and rekeying the same for another domain, I had to leave a domain with an invalid and revoked certificate. This shouldn't represent a problem, since the domain was hosting a website quite outdated. However I forgot that someone was still embedding iframes from that domain, moreover they neither can modify easily tons of iframes in order to remove SSL encryption.
Of course I wouldn't spend a cent for issuing a new SSL certificate, so I remembered about Let's Encrypt project and I thought it was time to play with it. I succeeded and so I decided to share my experience.
Let's Encrypt is an open source project, but it's not a sandbox or an attempt to do something such as “we are a group of people that would like to...”, they actually provide a product, that is easy and quickly working. They succeeded in breaking the state-of-the-art of a SSL in a good way.
Moreover they respond to the high demand of SSL encrypted websites, since Chrome, Firefox and all their bro-browsers are becoming every day more strict on that.
Finally Let's Encrypt is now the reference project for SSL of the LinuxFoundation. The project’s aim is for HTTPS to become the default on the Web and they contributed to encrypted page loads jumping to 50% in one year.
In few steps you would achieve your SSL certificate and by activating it in your website / webserver you would see that it just works.
So Let's start, or Let's encrypt!
How SSL Works
SSL is a security method that employs channel encryption. In the case of a website this would change HTTP into HTTPS (http secured), but the same is valid for many other internet protocols that have their “secure” version (e.g. STMPS is secure for SMTP, RTMPS is secure for RTMP).
SSL is based on certificates (usually in the X.509 format), generated employing a private key (the so called keying of a certificate). This private key usually is generated and tied with an host / server and should be kept secret.
The steps above are not enough. In order to trust the certificate it should be issued by a CA (certification authority), that would prove the trustability of the owner of a certificate in the so called “SSL certificate chain”. This part is somehow mandatory as otherwise a certificate would represent something like: “Hey! This is me, read about me on my certificate, and then... Then just trust me!”.
Since this role is very tough, as today only few CAs were playing that: VerizonSSL, RapidSSL, GeoTrustSSL; and of course they want a variable amount of money to do that and to issue a valid certificate. In my experience, until today the only way was to dig google to find out the cheapest seller of Certificates (I admit that you may find them even for ~20€/year).
Let's Encrypt unexpectedly break those “chains”. They allow you to create a certificate and they established their own CA, that eventually make them trustable.
How to create a certificate with Let's Encrypt
There are lots of ways to create a certificate with the Let's Encrypt project. Moreover generated certificate can be installed in a vast number of web servers, mainly Apache or Nginx (it's difficult to understand why you should pick other ones for a general purpose web server).
The procedure is based on a tool provided by the Let's Encrypt project and called Certbot. This tool will drive you into a series of steps that generate and install a valid SSL certificate. Certbot has a very detailed documentation and very active community.
For the Apache web server this steps can be really automated, so that in one single shot you can use Certbot on the same machine where Apache is installed; it will create, move and install the certificate, finally it will change the configuration and reboot the web server.
Since life is never easy, the latter was not my case of course. My environment was a website running on a remote server inside a Docker container for an Apache web server. My first reaction was: “Ok, this will never work”. Indeed it did!
Using Certbot via Docker container
Now, the key is that Certbot is also provided as a Docker image, so it can be containerized. This is useful in any case where you don't have the possibility to deal directly with the web server configuration or to install any software.
To explain how, let me briefly give names to hosts. Let's call:
- Local machine, the one where Certbot will be run.
- Target machine, the one where the SSL certificate will be installed.
On my Local Machine I will run (you should adjust your “local_folder” according to your local filesystem):
docker run -it --rm -p 4443:443 -p 480:80 --name certbot -v "<local_folder>/letsencrypt/etc:/etc/letsencrypt" -v "<local_folder>/letsencrypt/var:/var/lib/letsencrypt" quay.io/letsencrypt/letsencrypt:latest certonly --manual
The previous command will start a container which in turn runs a sort of simple wizard. This wizard terminates with a challenge to validate the identity and ownership of the domain. The latter is an unavoidable step in order to issue a valid certificate. Challenge may be done via File or DNS records.
- File challenge is the default one. It consists in placing a “challenge” file in a specific directory of the Target machine. The file must have a public access. The challenge will be completed by reading the content of “challenge” file (a secret) via HTTP, performed by the Certbot software (usually the URL is http://xxx.domain.tld/.well-known/acme-challenge/xxxxxx).The file can be placed via (S)FTP or created via SSH. A useful hint is given by Certbot itself, which suggests to launch a temporary web server, via a snippet of code in Python.
- DNS challenge is the one to employ when you don't have any specific access to the Target machine. It basically consist in adding some specific TXT Record to the table of DNS Records. The method is pretty easy and straightforward, however it may take a long time until the record are available, so that they can be verified.
Renewing a certificate
The shortcoming of a Let's Encrypt certificate is that it will only last 90 days. It means that it needs to be renewed each 90 days. This is annoying, may we consider it as the right price to pay to get a completely free and valid certificate.
It can be achieved via options passed to Certbot command renew, whereas other commands allow revoking or updating the certificates. The renew command allows also to bind pre-hook and post-hook routines, and can be automated via cron job.
As you can imagine, it may be nothing strange that none of the previous will be suitable for your scenario. Well, the good news is that repeating the creation of certificate form scratch, will create a brand new valid SSL certificate that could be used to fully replace the expiring or expired one.
Eventually I can completely handle my SSL certificates for free. Moreover “Let's Encrypt” is a very promising project since it is also hosted by the Linux Foundation, which is also in charge of other successful projects including the Linux kernel, CNCF and Node.js.
This is a huge step toward a web whether SSL is definitely a state-of-the-art. That said, in my humble opinion, stating this will make the web more “secure” is still a strong word.
UPDATE: Starting from January 2018 it will be possible to generate wildcard certificates issued by Let's Encrypt!