Let’s Encrypt


I received an email a week or 2 ago that I was accepted into the EFF’s Let’s Encrypt Beta program to try out their new SSL certificate generation service. It uses the Automated Certificate Management Environment (ACME) protocol. I have been really interested in this program since it was announced as in the past when I have used Start SSL’s certificate system I found their whole validation system to be a little clunky. The idea of a nice automated program that does all the work for me sounded very appealing.

The first thing I had to do was to clone the git repository from github with the scripts to run their program. The first thing I discovered is that yeah this thing is really in beta, I ran the ./letsencrypt-auto command and discovered that nginx isn’t supported yet for plugging the certificate into automatically. This ends up not being that big of a deal since you can just edit your config file and point at the certificate directory.

The biggest weakness I found so far is that I had to shut down nginx to run the let’s encrypt client as it wants to bind to port 80. I think what it is doing is listening on port 80 so that the remote server can verify that I actually own this domain and it is okay to issue this certificate to me. That is nice from a security standpoint but in the documentation they mention running this out of a cron job to update certificates, which if you have to take down the web server might not be ideal. That gets me to the next biggest weakness which is that the certificates expire in 90 days. So far I would say running their app is easier than validating on startssl, but startssl doesn’t need me to take down my web server. They idea I think is that since this is all supposed to be automated you can easily script this out in cron and your system deals with getting new certs and updating them with minimal to no end user interaction after you get it running.

The great things about it is it is pretty fast. Much faster than getting a certificate any other route that I have tried so that sort of offsets having to do it 4 times as much. The price is right cause it is also free. They allow you to have multiple names in your certificate. So now my new cert supports both haskovec.com and www.haskovec.com. I think this process also makes things convenient enough that I hope everyone will start encrypting all their servers by default and using this service.

Whenever I mention something at work about someone using an internal certificate that is self signed I always say they should get a real cert. Hopefully as this gets built out and put into production it will make certificate management so easy and fast that people will just do it by default, and I think that is really when this program is going to pay off for the EFF.