December 7, 2015 - Mauro Carvalho Chehab

An Introduction to Installing Your First Let’s Encrypt HTTPS Certificate

So far, the use of https on open source projects has been somewhat restricted because of the cost of acquiring and maintaining certificates. To address this, and the broader need to improve Internet security, several projects are working on providing free valid certificates. Among them, Let’s Encrypt launched a public beta last week, on December 3, 2015.

The Let’s Encrypt Approach

Let’s Encrypt is a Linux Foundation Collaborative Project that was started to fulfill a long-term mission of the Electronic Frontier Foundation (EFF) to Encrypt the Web. According to the EFF, the “aim is to switch hypertext from insecure HTTP to secure HTTPS. That protection is essential in order to defend Internet users against surveillance of the content of their communications; cookie theft, account hijacking and other web security flaws; cookie and ad injection; and some forms of Internet censorship.”

With that goal in mind, the Let’s Encrypt project provides free certificates, valid for 90 days. Renewals are also free, and the enrollment procedure is meant to be simple and scriptable. The project has proposed an RFC to the Internet Engineering Task Force (IETF) for a protocol that manages https certificates automatically, called the Automatic Certificate Management Environment (ACME) protocol.

Several clients support the ACME protocol; we chose to use letsencrypt. As we had just upgraded the LinuxTV server last week, I decided to pioneer the installation of the Let’s Encrypt certificates there.

How to Use Letsencrypt to Get an https Certificate

The process is actually really simple.

The first step is to clone the letsencrypt script from https://github.com/letsencrypt/letsencrypt with:

The first time it runs, it installs the Python dependencies. The script is smart enough to identify the distribution and do the right thing in most cases. I tested it on both Fedora 23 and Debian with similar results, but some distributions, like SUSE, might require more work:

And, after installing the packages:

It will then proceed to the next step of asking for the e-mail of the admin:

[image: email]
It then asks you to agree to the license terms. Everything seemed fine to me, so I accepted it:

[image: encrypt-sla]

If Let’s Encrypt successfully detects the domains on your server, it will present you with a set of checkboxes to select the domains you want to serve over https.

[image: https_select]

If the script can’t detect the domains on the server, it will ask you to type them in, separated by a space:

[image: domains]

NOTE: The script needs either root access or sudo access in order to install the needed dependencies and set up the apache server. It also needs to run on the server where the certificates will be installed, because the ACME validation fetches a challenge file from that server over http. Trying to run it on a different machine causes an error:
Failed authorization procedure.
www.linuxtv.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.linuxtv.org/.well-known/acme-challenge/03ocs4YOeW32134wH3Oo911sv-aJ_SK0B1R_YVCGk [130.149.80.248]: 404,
git.linuxtv.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://git.linuxtv.org/.well-known/acme-challenge/oPcUtwer423oc2dVqElgVc0HxTjJfuVv1cwk1A-F0 [130.149.80.248]: 404,
linuxtv.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://linuxtv.org/.well-known/acme-challenge/ZuPCq4geW36d6GxcIK_GhIfaH35l1mCNOS9X67HU4 [130.149.80.248]: 404,
patchwork.linuxtv.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found

It then asks whether you want to allow both http and https, or only https. I chose to allow both, but if your site handles sensitive information like passwords or personal data, you might consider forcing all connections to use https:

[image: https_type]

After that, it created the certificate and updated the /etc/apache2 configurations for all the sites that were enabled:

[image: https_congrats]

Starting Using the New Certificates

That’s the most exciting part of the letsencrypt tool: the script adjusted all the configurations on my apache2 server and reloaded it automatically, so there’s nothing else to do to start using the certificates! Ubuntu, Debian, CentOS 7, and Fedora are currently the only Linux distros that support automatic configuration; other distributions will likely require manual configuration.

After running the script, my apache server was running with the new certs with no downtime! Visitors to LinuxTV can now use https to access the site securely. We are currently working on deploying Let’s Encrypt on our blog and other internal resources here at the OSG. Here’s to a safer and more secure web!

About Mauro Carvalho Chehab

Mauro is the upstream maintainer of the Linux kernel media and EDAC subsystems, and also a major contributor to the Reliability, Availability and Serviceability (RAS) subsystems. Mauro also maintains the Tizen on Yocto packages upstream. He has worked for the Samsung Open Source Group since 2013. Before that, he spent five years on the Red Hat RHEL kernel team, and he has broad experience in telecommunications from his work at some of Brazil’s largest wired and wireless carriers.

Image Credits: Rachael Towne


Comments

  • Vivek Kumar says:

    Hi

    Will it be possible to generate certificates and keys for a particular domain from another system?

    For example, I have a server running on Machine 1 but I want to generate the cert & key from machine 2.

    • The ACME protocol talks with the server during the authentication, in order to check if a new cert is being requested for it. So, if you want to get the certificate on some other machine, the server needs to be prepared first. I was not able to do it with the official client (letsencrypt), but I didn’t try hard. There is a “manual” mode there that is supposed to allow that. There are also some other client implementations, as mentioned at https://community.letsencrypt.org/t/list-of-client-implementations/2103, and I saw some comments of people using those other clients in order to be able to do what you want to do.
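Added illustration (not part of the post, the reply above, or the letsencrypt client) of the http-01 check behind the "Invalid response ... 404" error in the note above and the reply's point that the CA talks to the server itself: the CA fetches http://<domain>/.well-known/acme-challenge/<token> and compares the body with the key authorization the client promised, so the file must exist on the machine the name resolves to. Both sides are simulated locally; the webroot, token and key authorization are constructed for the example.

```python
import os
import tempfile
import threading
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler
from urllib.error import HTTPError
from urllib.request import urlopen

CHALLENGE_DIR = ".well-known/acme-challenge"


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the example's output clean
        pass


def start_webroot_server():
    """Stand-in for the web server: serve a fresh temp directory on a loopback port."""
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")  # constructed document root
    handler = partial(QuietHandler, directory=webroot)
    httpd = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return webroot, httpd.server_address[1]


def place_challenge(webroot, token, key_authz):
    """What the client does *on the server*: publish the key authorization under the token."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as f:
        f.write(key_authz)


def validate_http01(host, port, token, expected_key_authz):
    """The CA side: fetch the challenge URL and report in the shape of the post's error text."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urlopen(url, timeout=5) as resp:
            body = resp.read().decode().strip()
    except HTTPError as e:  # 404 when the file is not on the machine the name points to
        return {"status": "invalid", "type": "urn:acme:error:unauthorized",
                "detail": f"Invalid response from {url}: {e.code}"}
    if body != expected_key_authz:  # file present but not what this account committed to
        return {"status": "invalid", "type": "urn:acme:error:unauthorized",
                "detail": f"Key authorization mismatch at {url}"}
    return {"status": "valid", "type": None, "detail": None}
```

Running the client on a second machine is the first failure path: the CA still resolves the domain to the real server, where the file was never placed.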

  • Tocha says:

    Can I use Let’s Encrypt HTTPS Certificate for my private web server or the domain name must be a public and registered domain?
