3. SSL certificate orders/renewals so far
Generate RSA key
Generate CSR
Log in to the CA's horrible web interface
Fill out certificate order form
Pay a lot of money
Verify domain
4. Let's Encrypt
https://letsencrypt.org/
"free, automated, and open certificate authority (CA), run for the public’s benefit"
[https://letsencrypt.org/about/]
Provided by ISRG - Internet Security Research Group (California based Non-Profit)
Sponsored by Mozilla, Akamai, Cisco, EFF, OVH, Facebook, Chrome, etc.
Mission: reduce technological & financial barriers to secure internet communication
6. What does it do?
Still with Key, CSR, Domain verification, get certificate
It's automated
It's free
7. How does it work?
● ACME protocol: https://ietf-wg-acme.github.io/acme/
● Specifies mostly the process of domain verification
● What we need to know: https://letsencrypt.org/how-it-works/
● Server admin is identified by key pair
● CA issues challenges to authorize key pair, e.g.
○ DNS record
○ File on server
8. Pitfalls
User running letsencrypt must have write access to web server root
Make sure dot-files are accessible
Challenge path: https://my-domain.com/.well-known/acme-challenge/jd1o3ddZXTYbjwUHvRnQOECZToSY-BKxyd6LdFgjvOg
    server {
        listen 80;
        # don't do this: denies every dot-path, including /.well-known/acme-challenge/
        location ~ ^/\. {
            deny all;
        }
    }
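Added example (not from the slides) tying slides 7 and 8 together: the "file on server" (HTTP-01) challenge response is the token plus a thumbprint of the admin's account key, it is written under /.well-known/acme-challenge/, and a blanket deny-dotfiles rule blocks exactly that path. The JWK values are constructed samples, not a real key, and the nginx location rules are approximated as Python regexes so the effect can be checked without a web server.

```python
import base64, hashlib, json, os, re, tempfile

# Token taken from the slide's challenge URL; the JWK below is a constructed
# sample (not a real key), used only to show how the file content is derived.
TOKEN = "jd1o3ddZXTYbjwUHvRnQOECZToSY-BKxyd6LdFgjvOg"
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk"}
CHALLENGE_DIR = ".well-known/acme-challenge"

def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required RSA members (e, kty, n)
    serialised in lexicographic order with no whitespace."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01 file content: token '.' thumbprint. This is what binds the
    challenge to the key pair that identifies the server admin (slide 7)."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Write the response where the CA fetches it:
    http://<domain>/.well-known/acme-challenge/<token>. Needs write access
    to the web root, which is the first pitfall on slide 8."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(key_authorization(token, jwk))
    return path

# The slide's "don't do this" rule, and a variant that exempts the ACME path,
# both expressed as regexes over the request path.
DENY_DOTFILES = re.compile(r"^/\.")
DENY_DOTFILES_EXCEPT_ACME = re.compile(r"^/(?!\.well-known/acme-challenge/)\.")

def is_blocked(rule: re.Pattern, request_path: str) -> bool:
    """True if the deny rule would match this request path."""
    return rule.search(request_path) is not None

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    print("wrote", place_challenge(root, TOKEN, SAMPLE_JWK))
    url_path = f"/{CHALLENGE_DIR}/{TOKEN}"
    print("blocked by deny-all-dotfiles:", is_blocked(DENY_DOTFILES, url_path))
    print("blocked by exempting rule:   ", is_blocked(DENY_DOTFILES_EXCEPT_ACME, url_path))
```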
10. Client Support
Yep:
Android > 2.3.6
Firefox > 2.0, Firefox OS > 2.2
Windows: IE, Chrome
Safari > 4.0, iOS > 3.1
Linux: Debian > 6, Ubuntu > 12.04, CentOS ?
Quickly tested:
Node.js, PHP
Nope:
Java as of jdk8u51 (applied for)
Older Androids
Windows XP
Blackberry
11. Rate Limits
According to https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769
Domains per certificate: 100
Certificates per domain: 5 certs/domain/week
Registrations per IP: 500/3hrs
For testing/development: use staging env (--test-cert, --staging)
No limits on total number of certificates
13. Why should I use it?
Less work - makes you happy
It's free - makes your boss/client happy
It's encrypted - makes your users safer
It's automated - makes DevOps people happy
Caddy (live demo?) - automatic HTTPS when:
not localhost or IP
port not 80
scheme is not http
TLS is not turned off
Certificates and keys are not provided
Caddy able to bind to 80 and 443
Get caddy: https://github.com/mholt/caddy/releases
Caddyfile:
    jhenning.me
        gzip
        browse
        ext .html
        log ./access.log
Start caddy
Done!