Leland.me is now running over HTTPS, making it the last of my main websites (the others being Themetry and WP Chat) to move off plain, insecure HTTP.

I set it up using Let’s Encrypt, a new certificate authority that’s been generating a lot of buzz lately.

And for good reason: TLS certificates (still commonly called SSL certificates) have typically cost money and come with a lot of manual, tedious installation steps.

Let’s Encrypt certificates are not only free, but many of those aforementioned tedious installation steps are automated.

The old and busted CA way of doing things

Let’s look back to my post on setting Discourse up on HTTPS.

Here’s what I had to do:

  • SSH into server
  • Generate a CSR and private key
  • Copy CSR to clipboard
  • Buy a certificate at a certificate authority
  • Paste CSR in a box on the CA’s website
  • Pick an email address to verify your domain ownership
  • Wait for the email to arrive
  • Click a confirmation link in the email when it arrives
  • Wait a few more minutes for the CA to send you all the certificate files
  • Bundle the certificate files
  • Save the bundle on your server
  • Reference the bundle and restart your web server for everything to take effect

Let’s Encrypt is a breath of fresh air in comparison.

The new hotness CA way of doing things

  • Make sure the domain's DNS points at the server you are running the client on (it should anyway). The CA verifies that you control the domain by connecting to it, so the client has to be where the traffic arrives.
  • Install the Let's Encrypt client on your server (which at this point means cloning a GitHub repository).
  • Run the client and answer a few questions, such as which domain you want a certificate for.
  • Adjust your Nginx server block to reference the newly issued certificate and private key, then reload Nginx.

And voilà, that's it. No more messing around with confusing certificate files or waiting for emails to come through. Everything is pretty much instantaneous.

But StartSSL was already free!

You’ll notice I mentioned this in my Discourse over SSL post, but I still used a paid alternative. This is because StartSSL’s “free” certificates aren’t free when you need to re-issue them. They’re a commercial entity, and need to make money somehow.

This isn’t just about price. Let’s Encrypt is run by the Internet Security Research Group, a non-profit whose purpose is making the internet a more secure place by getting every site onto HTTPS.

Not to mention, you still have to go through the “old and busted” process as outlined above if using StartSSL. It’s not exactly the most user-friendly process in the world.

How you can use a Let’s Encrypt certificate

First, you’re going to either need to manage your own private server (virtual or otherwise) or have the cooperation of a web host who does.

Considering many web hosts like to “upsell” installing SSL certificates for their customers, and many web hosts are overpriced certificate authorities themselves (*cough* GoDaddy *cough*), I wouldn’t hold your breath on the latter option.

I use an Ubuntu 14.04 VPS running Nginx, provided by Digital Ocean. They provide an excellent tutorial for exactly that.

Remember to set up an automated renewal process: Let’s Encrypt certificates are only valid for 90 days. The short lifetime is deliberate. It limits the damage a leaked private key can do and forces renewal to be something a cron job does rather than a chore you forget until the site breaks. Test the renewal job once before the first expiry rather than trusting it blind.
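To make the “adjust the Nginx server block” step concrete, here is an added example, not the original post’s configuration and not anything the Let’s Encrypt client writes for you: a server block for leland.me that uses the files the client stores under /etc/letsencrypt/live/<domain>/ by default. The webroot path /var/www/leland.me and the www.leland.me alias are assumptions; change both to match your site.

```nginx
# Added example for leland.me, not taken from the original post.
# Paths under /etc/letsencrypt/live/ are the Let's Encrypt client's defaults;
# the webroot /var/www/leland.me is an assumption.

# Plain HTTP: keep the ACME challenge path reachable so webroot renewals
# keep working, and send every other request to HTTPS.
server {
    listen 80;
    server_name leland.me www.leland.me;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/leland.me;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name leland.me www.leland.me;

    # fullchain.pem holds the site certificate followed by the Let's Encrypt
    # intermediate. Pointing at cert.pem here omits the intermediate, and
    # clients that do not already have it cached fail to build a trust path.
    ssl_certificate     /etc/letsencrypt/live/leland.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/leland.me/privkey.pem;

    # TLS 1.2 only, forward-secret AEAD suites. Add TLSv1.3 once the
    # Nginx/OpenSSL on the box supports it (Ubuntu 14.04's does not).
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # HSTS tells browsers to refuse plain HTTP for this host for max-age
    # seconds. Only enable it once every hostname listed above works over
    # HTTPS; a mistake here locks visitors out until the header expires.
    add_header Strict-Transport-Security "max-age=15768000";

    root /var/www/leland.me;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check the file with `nginx -t` before `service nginx reload`, then confirm what is actually served with `openssl s_client -connect leland.me:443 -servername leland.me`: the intermediate certificate should appear in the chain output, and it will not if `ssl_certificate` points at `cert.pem`. For renewal, a daily cron entry such as `0 3 * * * certbot renew --quiet --post-hook "service nginx reload"` is enough. The client has since been renamed certbot, and `renew` only re-issues certificates with fewer than 30 days left, so running it every day is safe and keeps the port 80 challenge location above earning its keep.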

2 Comments

  1. I’d like to use Let’s Encrypt but most of my sites are on shared hosting. It seems a lot of hosts are trying to accept Let’s Encrypt but yeah a lot make money selling SSL certs. So what is the motivation? You can do it manually but since the cert is only valid for 3 months I buy Comodo certs. Might go with a VPS soon for better speeds. Would be nice to have more companies use the LE software for automatic reissue.

    1. “It seems a lot of hosts are trying to accept Let’s Encrypt but yeah a lot make money selling SSL certs. So what is the motivation?”

      There isn’t one.

      Even before Let’s Encrypt was a thing, many web hosts forced you to pay for more expensive plans for the privilege of using an SSL certificate.

      I find this “upsell at the expense of internet security” attitude repugnant, but not surprising.

      I’d imagine as more progressive hosts start supporting Let’s Encrypt at no additional charge, competitive forces will “change the minds” of the remaining holdouts over time.
