Let’s Encrypt: Free, Automated, and Open SSL

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

How does it work?

Let’s Encrypt certificates expire 3 months from the issue date. They are not designed to be updated manually on your server; instead, you are encouraged to install an application that automatically requests and installs a renewed certificate before the current one expires.

When requesting a certificate, a challenge system verifies that you control the domain you are receiving a certificate for. For an in-depth explanation of this process, visit https://letsencrypt.org/howitworks/technology/.

When it comes to SSL certificates, it has long been accepted that certificates should be expensive: the “better” the certificate, the higher the price tag. What do you actually get with these different kinds of certificates?

Domain Validation – The owner of the domain is required to perform a verification process to ensure the request is legitimate. This can be an e-mail sent to an address taken from the domain’s whois information, a TXT DNS record, or an established administrative contact (postmaster@ or admin@) for the domain.

Organization Validation – The organization owning the domain is validated. This is usually established through faxed documents or telephone calls to the business to verify ownership.

Extended Validation – The domain owner is verified through official government sources and manual checks. This can include phone calls, verification of physical address, and verification of the government registered business ID.

What is the benefit of the more expensive certificate?

The extended validation certificate is displayed in most browsers with a green bar to the left of the domain name, showing the company name and a padlock icon.

Let’s Encrypt for Plesk

Odin has created an excellent extension for the Plesk Control Panel.

Check it out on GitHub: https://github.com/plesk/letsencrypt-plesk

Plesk Extension Store: https://ext.plesk.com/packages/f6847e61-33a7-4104-8dc9-d26a0183a8dd-letsencrypt

Let’s Encrypt for Plesk Mail servers and Webmin

Thomas Ehrhardt has created a script that copies your control panel Let’s Encrypt certificate to Postfix, Dovecot, Courier, and Webmin. You can then add it to a cron job to have it check daily whether the certificate has been updated; if so, it copies the new certificate and restarts the service.

Check it out on GitHub: https://github.com/Powie/plesk_mailcert
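As an added illustration of the daily check-and-copy step described above (my own example, not the plesk_mailcert script), the POSIX shell script below compares the control panel’s certificate file with the copy a mail service reads, installs it and reloads the service only when the bytes differ, and warns when the installed certificate is within two weeks of its expiry. The certificate paths and the reload command are assumed placeholders; adjust them for your server.

```shell
#!/bin/sh
# Added example (not the plesk_mailcert script): sync a control-panel
# Let's Encrypt certificate into a mail service's config directory only
# when it has changed, reload the service, and warn when the certificate
# is close to its 3-month expiry. Intended to run from cron once a day.
#
# Assumed (constructed) paths and reload command; adjust for your server:
PANEL_CERT="${PANEL_CERT:-/opt/psa/var/certificates/example.pem}"   # hypothetical path
SERVICE_CERT="${SERVICE_CERT:-/etc/postfix/letsencrypt.pem}"        # hypothetical path
RELOAD_CMD="${RELOAD_CMD:-systemctl reload postfix}"

# cert_changed SRC DST: true (0) if DST is missing or its bytes differ from SRC.
cert_changed() {
    src="$1"; dst="$2"
    [ -f "$dst" ] || return 0
    if cmp -s "$src" "$dst"; then
        return 1
    fi
    return 0
}

# install_cert SRC DST: copy to a temp file with owner-only permissions,
# then rename into place so the service never reads a half-written file.
install_cert() {
    src="$1"; dst="$2"
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$dst"
}

# sync_cert SRC DST RELOAD_CMD: install and reload only when SRC changed.
# Returns 0 when an update was installed, 1 when nothing needed doing.
sync_cert() {
    src="$1"; dst="$2"; reload="$3"
    if cert_changed "$src" "$dst"; then
        install_cert "$src" "$dst"
        $reload            # unquoted on purpose: a simple command plus arguments
        return 0
    fi
    return 1
}

# expires_within_days CERT DAYS: true (0) if the certificate's notAfter is
# less than DAYS away (or if openssl cannot read it). -checkend takes seconds.
expires_within_days() {
    cert="$1"; days="$2"
    ! openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1
}

main() {
    if sync_cert "$PANEL_CERT" "$SERVICE_CERT" "$RELOAD_CMD"; then
        echo "installed new certificate and ran: $RELOAD_CMD"
    else
        echo "certificate unchanged"
    fi
    # Renewal should happen well before this point; a warning here means the
    # automatic renewal on the control panel is not working.
    if expires_within_days "$SERVICE_CERT" 14; then
        echo "WARNING: $SERVICE_CERT expires within 14 days" >&2
    fi
}

# Run only when explicitly asked, so the functions stay sourceable for testing.
if [ "${CERT_SYNC_RUN:-0}" = "1" ]; then
    main
fi
```

A cron entry such as `0 3 * * * CERT_SYNC_RUN=1 /usr/local/sbin/cert-sync.sh` (path assumed) runs it nightly; because the copy is atomic and the reload only fires on a real change, a daily run is harmless when nothing has been renewed.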


About Brian Aldridge

I am a software developer and podcaster. Catch me weekly on Infection - The Survival Podcast at https://infectionpodcast.com
