Letsencrypt.org started their public beta yesterday. As you may have already figured out due to the topic: You can grab a free ssl certificate for your website – and it doesn’t stop there, you can not only get certificates for your website, but you can also include multiple subdomains – and of course continue with other domains aswell. There are some rate limits:
Rate limit on registrations per IP is currently 10 per 3 hours
Rate limit on certificates per Domain is currently 5 per 7 days
And they do not stop there, they also provide a client, which is supposed to avoid the problems most face with using ssl certificates for their websites. Most people running websites are no it experts – so setting up ssl certificates for those people can become a painful process.
How does it work?
- create an A record for example.com lets say with the ip 126.96.36.199
- connect to the server with the ip 188.8.131.52
- you download the python client from github @ https://github.com/letsencrypt/letsencrypt
- you setup the client by installing the dependencies
- you stop your webserver ( so port 80/443 are free )
- you launch letsencrypt client. It will create a socklisten on the Webserver’s port ( thats why you had to shut down your webserver )
- letsencrypt now calls back home and grabs the certificate files
- letsencrypt saves the certificates/keys etc to /etc/letsencrypt/live
- letsencrypt automatically moves them to your webserver directories
An more detailed example
By default letsencrypt also copies the certs to your webserver directories. Since i am running ipconfig I prefere not to do that. I generate the certificates as stand alone by issuing this command:
Verify that the files are there:
The LetsEncrypt fullchain.pem certificate contains the domain specific cert AND the CA Root cert, i.e it contains the ‘full chain’. The fullchain.pem is your cert file and the privkey.pem is your key file. If you were to load these now inside your ispconfig all you d need to do is to go to the site in question, then tick the “ssl” box. After that head to the “ssl tab”, select “Create” from the dropdown at the bottom of the file and click “Save”.
We at https://internetz.me/ love the idea behind letsencrypt – especially that its free. So we went active today and just rolled out an interface for our webspace clients. New aswell as existing clients can now use this interface:
This interface works very simple:
It starts up the letsencrypt client, generates the needed certificates. It then moves the certificates to the proper folders and updates ISPConfig’s records for you. So simply put: “You hit that green Button and 1 minute later your website uses ssl”.