Let’s Encrypt

While setting up a cloud service I decided to finally give letsencrypt.org a try.

Their site lets you create free, trusted certificates for websites or other SSL/TLS-enabled services. In the past, getting a cert from a trusted CA always meant a recurring fee, so this is a fantastic service that will only help improve security on the internet in general. I've followed their site for a while but had never used them to generate a certificate.

To generate a certificate you need to prove that you control the name it will be issued for. Let's Encrypt provides several ways to do this. If you have SSH access to the server, the simplest way to prove control and generate a cert is to use the certbot client. My server was running Ubuntu 16.04, where the package (and the command it installs) is still called letsencrypt, so I installed it with the following command:

apt-get install letsencrypt

After reading through the certbot options I decided that in my case the best method would be the standalone option. In this mode certbot itself starts a temporary listener on port 80 (or on 443, for the TLS-based variant of the challenge) and requests a certificate from letsencrypt.org. The Let's Encrypt server then connects back to the hostname being certified and fetches a challenge token from that listener; the response has to match the account key that made the request, so the check only passes if the listener on the host the name resolves to was started by the same client. That is what prevents you from generating a certificate for a server you don't control. Two practical consequences: port 80 must be free (stop any web server already bound to it, or certbot cannot listen) and it must be reachable from the internet through any firewall in front of the host. To initiate this I ran the following command using my server's name:

letsencrypt certonly --standalone-supported-challenges http-01 -d my.serversname.com
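To make the proof-of-control step concrete, here is an added example (not from the original post and not certbot's own code) that re-enacts the http-01 exchange in Python: a listener in the role of certbot's standalone mode serves the key authorization at /.well-known/acme-challenge/<token>, and a "CA" fetches it and compares it with what the requester's account key predicts. The account keys are constructed placeholder JWKs rather than real RSA keys, the CA connects to 127.0.0.1 on an ephemeral port instead of port 80 of a public hostname, and the run_demo, ca_validates and key_authorization names are assumptions of this example.

```python
"""Added example: stand-alone re-enactment of the ACME http-01 challenge that
certbot's standalone mode answers. Everything here is constructed for the demo:
the account keys are placeholder JWKs (random bytes, not real RSA moduli) and
the "CA" connects to 127.0.0.1 on an ephemeral port, not port 80 of a public
name. Standard library only."""
import base64
import hashlib
import hmac
import json
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members,
    lexicographically ordered, serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the listener must serve: token '.' thumbprint(account key).
    Binding the token to the account key is what stops a third party who
    observes the token from reusing it with their own ACME account."""
    return token + "." + jwk_thumbprint(account_jwk)


class ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for certbot's standalone listener."""
    responses = {}  # token -> key authorization, filled in before validation

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            body = self.responses.get(self.path[len(CHALLENGE_PREFIX):])
            if body is not None:
                data = body.encode("ascii")
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
                return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def ca_validates(host: str, port: int, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the token over plain HTTP from the name being certified
    and compare it with the authorization the requester's account key predicts."""
    url = "http://%s:%d%s%s" % (host, port, CHALLENGE_PREFIX, token)
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            served = resp.read().decode("ascii").strip()
    except (OSError, UnicodeDecodeError):  # 404s and connection failures land here
        return False
    return hmac.compare_digest(served, key_authorization(token, account_jwk))


def run_demo() -> dict:
    """Start the listener, run the CA check and return the outcome of three cases."""
    # Constructed placeholder account keys: random bytes, not real RSA moduli.
    our_key = {"kty": "RSA", "e": "AQAB", "n": b64url(secrets.token_bytes(256))}
    other_key = {"kty": "RSA", "e": "AQAB", "n": b64url(secrets.token_bytes(256))}
    token = b64url(secrets.token_bytes(32))  # the CA picks this per challenge

    ChallengeHandler.responses = {token: key_authorization(token, our_key)}
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    host, port = server.server_address[:2]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {
            # Legitimate request: our account, our listener, the issued token.
            "legitimate": ca_validates(host, port, token, our_key),
            # Someone else asks the CA for a cert on our name; the CA reaches the
            # same host but expects the authorization for *their* account key.
            "other_account_same_token": ca_validates(host, port, token, other_key),
            # A token we were never issued: the listener has nothing to serve.
            "unknown_token": ca_validates(host, port, b64url(secrets.token_bytes(32)), our_key),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Two things the exchange makes visible that the command line hides: the token alone is never enough, because the served body is bound to the requesting account's key thumbprint, and the validation is exactly as strong as the path the CA takes to port 80 of the name, which is why the listener has to be exposed on the host the public DNS record points to.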

This starts a wizard that asks for your email address and for agreement to the terms of service. Almost instantly a new certificate is approved and issued. On my server it saved the private key to "/etc/letsencrypt/live/my.serversname.com/privkey.pem"; the same directory holds the certificate (cert.pem), the intermediate chain (chain.pem) and the two concatenated as fullchain.pem.

Now that I had my new key and certificate I could point my program at them and I was up and running! A couple of caveats that cost people time at this step: a TLS server needs both the private key and the certificate chain, so configure privkey.pem together with fullchain.pem (serving cert.pem alone leaves out the intermediate that most clients need to build a trusted chain). Reference the files under live/ rather than copying them into the application: they are symlinks that certbot repoints at each renewal, and a copied key and certificate will quietly go stale. And keep privkey.pem readable only by root or the service account; anyone who can read it can impersonate the host.

The only catch is that Let's Encrypt certificates expire after 90 days. It's HIGHLY recommended that the renewal process is automated using a cron job or scheduled task. With the standalone method that job also has to free port 80 for the duration of the renewal and then reload the service afterwards so it picks up the new files. I plan on doing this in a follow-up post.
