Encryption has become a hot topic of discussion these days. Governmental agencies and hackers hate it, and technology evangelists recommend it. Security is absolutely important, no matter which aspect of your online presence is being discussed. On the web, you have multiple forms of encryption and that too, present at different stages. You should be familiar with the HTTPS lock symbol which pops up right at the beginning of the address bar when you visit popular websites like Google, Facebook, Github, etc. It’s now mandatory for implementing certain services or modules which involves transmission of personally identifiable information. There will be no online payment page without HTTPS, no gateway’s API will even allow you to perform a transaction if that page isn’t secured with TLS/SSL.
Many industry titans have started encouraging the use of TLS as well. Let’s say you’ve decided to build your own website, if you have any page that needs a user to submit personal information or even sign into a page, then it’s better to have that page secured with an SSL certificate. Or better yet, your entire site. Google started giving websites with HTTPS a little boost in their search rankings back in 2014. They’d stated that they’ll promote HTTPS further to encourage website owners to shift from HTTP to HTTPS. So if all you need to do in order to get a little bit of Google-search-love is implement HTTPS then you can turn to one of the many Certificate Authorities (CA) which issue HTTPS certificates.
There are several types of SSL certificates and they’re classified either by Validation Level or by Secured Domains. Let’s look at Validation certificates first. The simplest one here is Domain Validated (DV) SSL which validates a domain so that the administrator is aware of it and has to actively approve the certificate on the server side either via email or DNS. Then there are Organization Validated (OV) SSL certificates which is only issued after the domain owner proves that an organization (such as Facebook or Google) operates the domain and that their establishment is verified by the CA. This level of validation requires you to provide and verify information such as name, city, state and country of the organization. You can take this one step further with an Extended Validation (EV) certificate which requires more legal paperwork to link the domain with a business. You can easily identify EV certificates by their green bar in the browser featuring the name of the company beside the padlock symbol.
The second type of SSL certificates are those issued based on secured domains. This one is fairly easy to comprehend. There are Single-name SSL certificates which protects a single domain such as www.heythere.com. Then there are Wildcard SSL certificates which protects an unlimited number of subdomains attached to a single domain. So you could have a single certificate for *.heythere.com and it will protect any subdomain attached to heythere.com such as abc.heythere.com and def.heythere.com and so on. And lastly, there are Multi-Domain SSL certificates which can secure a combination of different domains under the same certificate. So you can have heythere.com and whaddap.com secured by the same certificate.
Since there is a significant amount of work needed to issue certain certificates, they end up becoming quite expensive. Even with a lather of marketing mumbo jumbo, CA break up these SSL categories even further into price based tiers with their own nomenclature, thus, adding a lot more complexity to an already complex set up. An EV certificate from GoDaddy can cost you ₹6,499/year which is a pretty significant investment for someone starting out their own website. And that’s with 50% discount, you’ll be paying ₹13,000 upon renewal. So SSL certificates are expensive but they go a long way towards ensuring a better internet. This is where Let’s Encrypt comes into the picture. They are a Certificate Authority that provide free certificates and make the entire process of implementing TLS for your domain really simple. It was founded by the Electronic Frontier Foundation, Mozilla Foundation and the University of Michigan with the aim of eliminating payment and reducing the complexity of setting up and maintaining HTTPS. The only catch is that you need to renew the certificate every 90 days as that’s how long Let’s Encrypt certificates are valid for. However, this is a pretty easy barrier to get across as you can set up a simple cron job to perform renewal every 89 days.
Setting up Let’s Encrypt
If you have access to your webserver then you can simply install a TLS certificate using the Certbot ACME(Automated Client Management Environment) client. This way, you can be done with just a few commands. Or if your hosting provider has a built in script to implement Let’s Encrypt then you’re set. However, since a lot of hosting providers also provide SSL certificates, they don’t like the idea of giving up a revenue stream just so that they can serve their customers better. So you’re unlikely to find many hosting providers supporting out-of-the-box Let’s Encrypt implementation. We ended up using Digital Ocean for setting up HTTPS on a domain as all the other hosting providers we came across had “issues” with setting up Let’s Encrypt.
Set up requirements
You can visit the Certbot website for detailed instructions based on which web server software you are using and what OS it is running on. Our droplet on DigitalOcean was running Ubuntu 16.04 with Apache as the web server software. You should have access to the web server via Shell and have all the initial set up kinks ironed out.
Then you’ll want to point a Domain to your hosting using the Nameservers that you’ll be assigned when you purchased the hosting. If you do this ahead of time then DNS propogation will have taken place by the time you can proceed with installing the certificate. This can take up to 48 hours but we only had to wait two hours.
The first step is to install the Let’s Encrypt client i.e. Certbot. Start off by updating the package indexes by typing the following command.
$sudo apt-get update
And once that’s done, you need to install Certbot by typing in.
$sudo apt-get install python-letsencrypt-apache
If your hosting provider can’t find the Certbot client then you’ll need to add their repository before using the apt-get install command.
Installing SSL certificate
After the Certbot client has finished the installation process, you can proceed to setting up the SSL certificate. Use the following command to get that done.
sudo letsencrypt –apache -d yourdomainname.com
It should be pretty self explanatory as to what arguments are being passed here but we’ll go ahead and spell it out any ways. You’re passing the arguements ‘–apache -d yourdomainname.com’ to letsencrypt. The ‘–apache’ tells Certbot which web server you are using and the domain you want to issue your certificate for is passed after the ‘-d’ flag. In this case, it would be yourdomainname.com.
Should you want a Multi-Domain or Wildcard SSL certificate then you can add an additional domain by using another ‘-d’ flag followed by the second domain name. For example:
sudo letsencrypt –apache -d yourdomainname.com -d yourseconddomain.com
It’s best to pass the root domain first before passing any sub-domains or wildcards as it’s the domain used by Let’s Encrypt to create the certificate. You’ll then have to enter your email ID in the next prompt for key recovery should you forget it.
The rest is a pretty simple process where you just have to confirm if all the information on the screen is true or not.
Towards the end, you’ll be asked if you want to route even the HTTP traffic through HTTPS which is ideally the safest option.
Congratulations, you now have HTTPS set up for your domain. Your certificates will be located in ‘/etc/letsencrypt/live’. You can see if it’s routing all traffic by typing http://yourdomainname.com and checking if the padlock symbol appears. Or you can check out ssllabs.com which has an SSL test page.
Now that you’ve got your SSL certificate, you need to set up auto-renewal since the certificate expires in 90 days. To do this, Let’s Encrypt has a renew command that automatically checks and renews your certificate if it detects an expiry set to happen under 30 days. So go ahead and type the following in shell.
sudo letsencrypt renew
You’ll be met with the following message since you’ve just installed the HTTPS certificate and have 90 days left.
- Processing /etc/letsencrypt/renewal/yourdomainname.com.conf
- The following certs are not due for renewal yet:
- /etc/letsencrypt/live/yourdomainname.com/fullchain.pem (skipped)
- No renewals were attempted.
Now we just have to set up a scheduled task to run every week or day or month which runs the renew command. The safest option would be to run it every day but we feel that’s a little unnecessary at this point. So we’re going to be running it once a week.
You’ll need to edit the crontab to set up a schedule. Type the following command to open it.
sudo crontab -e
Based on which text editors are installed on your system, you’ll be presented with options to pick one. Once crontab is open, you’ll need to add an additional line at the very end for your SSL renewal. Crontab follows a simple pattern which has your date and time first and the command to be executed right after that. For example:
59 23 31 12 6 command
This first two parameters allow you to set the time. So you have minutes(0-59) and then hours(0-23). Then there’s the day(1-31) of the month, month(1-12) and day of the week(0-6, 0 being Sunday). And lastly the command to be executed. We want to run the renewal command every week on a Monday at 2:30 AM. So we’ll be using:
30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
You should now save and exit crontab. We’ve also set a log file to be created for each instance of the cron job to be saved at /var/log/le-renew.log.
The alternate way
Sometimes, if your domain is behind a firewall or if you have a CDN setup, then the usual method will not work. This is because the Let’s Encrypt authentication server needs to perform a challenge with the IP address associated with your domain. And with a CDN involved, the authentication server will see the challenge request coming from a different IP address. In this case, we need to use the webroot method. This method simply creates a temporary file in the root folder of your domain which the Let’s Encrypt authentication server can read from to verify domain ownership. To do that, use the following command:
certbot certonly –webroot -w /var/www/yourdomainname/ -d www.yourdomainname.com
The Let’s Encrypt server will make an HTTP request to find this temporary file at your www.yourdomainname.com and the certbot will create that temporary file at /var/www/yourdomainname/ in your server. Ensure that you create the temporary file in the root directory and nowhere else. Hopefully, you’ll now have HTTPS enabled via the webroot method.
HTTPS is the future of the web, there’s no denying that. It protects the integrity of your website and ensures the privacy and security of visitors coming to your site. When we’ve entered an era of needless mass surveillance, the web has started to become less free and subject to censorship. The latter has been used by governments to suppress their people and is still being used to do the same in many regions across the world. HTTPS may not be the one true solution to this problem but it sure does go a long way towards alleviating the privacy issue plaguing the internet.
Let’s Encrypt, through its service has made the process of obtaining SSL certificates ridiculously easy, to the point the even absolute beginners can implement HTTPS on their domains. Moreover, it’s free. So what’s holding you back from getting your own SSL certificate?
This article was first published in the May 2017 issue of Digit magazine. To read Digit’s articles first, subscribe here or download the Digit app for Android and iOS. You could also buy Digit’s previous issues here.