Generating free trusted SSL certificates with Let's Encrypt
I've always hated the idea of having to pay for SSL certificates. You could always generate them yourself for free with OpenSSL and they're just as secure as the paid ones. But if you're running a public-facing website, you're pretty much stuck and have to pay for one if you don't want your visitors seeing security warnings in their browser. At least that was the case until Let's Encrypt, a free certificate authority, came along.
Let's Encrypt not only makes issuing of browser-trusted SSL certificates 100% free, it makes the process much easier as well. For example, here's a typical process for obtaining a basic paid SSL certificate:
- You generate a certificate signing request (CSR), entering the necessary information.
- You place the order with the CSR.
- You get an email to click a link to verify you own the domain the certificate was issued to.
- Wait for the certificate authority to email you the certificates.
- You may get multiple certificates and you may need to concatenate them together yourself.
They're usually only good for 1 year so you need to make sure you make a note of it and renew your certificate before it expires or your users will see security warnings.
With Let's Encrypt, you can easily do this in one command line. Here are the steps (tested on Ubuntu 14.04):
1. Install the certbot client.
git clone https://github.com/certbot/certbot
2. Run the command.
cd certbot && ./certbot-auto certonly --noninteractive --agree-tos --standalone --email email@example.com -d www.mydomain.com
This command will generate the certs and key in /etc/letsencrypt/live/www.mydomain.com. For the cert, you'd normally want to grab/reference the generated fullchain.pem file.
The generated certificate is only valid for 90 days, but you can schedule to run a command daily via cron to automatically renew it (you can run the command at any time, but nothing actually happens until the cert is due for renewal, so it's safe to just schedule it to run daily to keep things simple):
./certbot-auto renew --standalone --no-self-upgrade --pre-hook "service nginx stop" --post-hook "service nginx start" --quiet
We're currently using it in Highview Apps, and since we're building a bunch of Shopify apps and using multiple subdomains for each app (plus separate subdomains for staging environments), the savings could really add up both in time and money.
As of this writing, Let's Encrypt has so far issued over 4 million free SSL certs!