An Introduction to Installing Your First Let’s Encrypt HTTPS Certificate

So far, the use of https on open source projects has been somewhat limited by the cost of acquiring and maintaining certificates. Because of this, and of the wider need to improve Internet security, several projects are working on providing free, valid certificates. Among those projects, Let’s Encrypt launched a public beta last week, on December 3, 2015.

The Let’s Encrypt Approach

Let’s Encrypt is a Linux Foundation Collaborative Project that was started to fulfill the Electronic Frontier Foundation’s (EFF) long-term mission to Encrypt the Web. According to the EFF, the “aim is to switch hypertext from insecure HTTP to secure HTTPS. That protection is essential in order to defend Internet users against surveillance of the content of their communications; cookie theft, account hijacking and other web security flaws; cookie and ad injection; and some forms of Internet censorship.”

With that goal in mind, the Let’s Encrypt project is providing free certificates, valid for 90 days. Certificate renewals are also free, and the enrollment procedure is meant to be simple and scriptable. They have proposed an RFC to the Internet Engineering Task Force (IETF) for an automatic protocol to manage https certificates, called the Automatic Certificate Management Environment (ACME) protocol.

There are several clients that support the ACME protocol; we chose to use letsencrypt. As we had just upgraded the LinuxTV server last week, I decided to pioneer the installation of the Let’s Encrypt certificates.

How to Use Letsencrypt to Get an https Certificate

The process is actually really simple.

The first step is to clone the letsencrypt script from https://github.com/letsencrypt/letsencrypt with:

$ git clone https://github.com/letsencrypt/letsencrypt

The first time it runs, it will install the Python dependencies. The script is smart enough to identify the distribution and do the right thing in most cases. I tested it on both Fedora 23 and Debian with similar results, but some distributions like SUSE might require more work:

# cd letsencrypt
# ./letsencrypt-auto
Bootstrapping dependencies for Debian-based OSes...

After installing the packages, it checks for any missing Python dependencies, installs them, and creates a virtual environment:

Creating virtual environment...
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: sudo /home/mchehab/.local/share/letsencrypt/bin/letsencrypt

It will then proceed to the next step of asking for the e-mail of the admin:

[Screenshot: prompt for the admin e-mail address]

It then asks you to agree to the license terms; everything seemed fine to me, so I accepted it:

[Screenshot: license agreement prompt]

If Let’s Encrypt successfully detects the domains on your server, it will present you with a set of checkboxes to select the domains you want to serve over https.

[Screenshot: checkboxes for selecting the domains to serve over https]

If the script can’t detect the domains on the server, it will ask you to type them in, separated by a space:

[Screenshot: prompt for typing in the domain names]

NOTE: The script needs either root or sudo access in order to install the needed dependencies and set up the Apache server. It also needs to run on the server where the certificates will be installed, because the ACME server validates each domain by fetching a challenge file from the host that the domain name points to; running the client on a different machine fails that validation with an error like this:
Failed authorization procedure.
www.linuxtv.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.linuxtv.org/.well-known/acme-challenge/03ocs4YOeW32134wH3Oo911sv-aJ_SK0B1R_YVCGk [130.149.80.248]: 404,
git.linuxtv.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://git.linuxtv.org/.well-known/acme-challenge/oPcUtwer423oc2dVqElgVc0HxTjJfuVv1cwk1A-F0 [130.149.80.248]: 404,
linuxtv.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://linuxtv.org/.well-known/acme-challenge/ZuPCq4geW36d6GxcIK_GhIfaH35l1mCNOS9X67HU4 [130.149.80.248]: 404,
patchwork.linuxtv.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found
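The 404 in that output is the signature of a failed http-01 challenge: the CA fetched /.well-known/acme-challenge/<token> from the host the DNS name resolves to and did not find the file the client had placed, because the client was running somewhere else. The following shell script is an added example, not code from this post or from the letsencrypt client. It does two things you want before re-running the client: a pre-flight check that puts a throwaway token under your web root and confirms the public domain name serves it from this host, and a small parser that reduces a "Failed authorization procedure" dump like the one above to one line per failing domain. The sample output embedded in the script is constructed after the page's output, with example.org names, placeholder tokens and a documentation IP address; the domain and web root for the pre-flight check are arguments you supply.

```shell
#!/bin/sh
# Added example, not part of the original post or the letsencrypt client.

# Constructed sample, modelled on the "Failed authorization procedure"
# output above; domain names, tokens and the IP address are placeholders.
ACME_FAILURE_SAMPLE=$(cat <<'EOF'
Failed authorization procedure.
www.example.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.org/.well-known/acme-challenge/TOKEN_A [192.0.2.10]: 404, git.example.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://git.example.org/.well-known/acme-challenge/TOKEN_B [192.0.2.10]: 404, patchwork.example.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge.
EOF
)

# parse_acme_failures TEXT
# Prints "<domain> <challenge-type> <error>" for each failed authorization,
# one per line, so a long dump can be read (or grepped in a log) at a glance.
parse_acme_failures() {
    printf '%s\n' "$1" \
        | grep -oE '[A-Za-z0-9.-]+ \((http-01|tls-sni-01|dns-01)\): urn:acme:error:[A-Za-z]+' \
        | sed -E 's/ \(([^)]+)\): urn:acme:error:/ \1 /'
}

# acme_preflight DOMAIN WEBROOT
# Places a throwaway token where an http-01 challenge file would go and
# fetches it through the public name, confirming that this host is the one
# answering for DOMAIN on port 80 before the CA is asked to check it.
acme_preflight() {
    domain=$1
    webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$-$(date +%s)"
    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$dir/$token" || return 2
    got=$(curl -s --max-time 10 "http://$domain/.well-known/acme-challenge/$token") || got=""
    rm -f "$dir/$token"
    if [ "$got" = "$token" ]; then
        echo "OK: http://$domain/.well-known/acme-challenge/ is served from $webroot on this host"
        return 0
    fi
    echo "FAIL: http://$domain/.well-known/acme-challenge/ did not return the token" >&2
    echo "      (DNS points elsewhere, wrong DocumentRoot, or a rewrite on that path)" >&2
    return 1
}

# Stand-alone usage: sh acme-preflight.sh DOMAIN WEBROOT
# Without arguments it just demonstrates the parser on the constructed sample.
if [ "$#" -eq 2 ]; then
    acme_preflight "$1" "$2"
else
    echo "Failed authorizations in the sample output:"
    parse_acme_failures "$ACME_FAILURE_SAMPLE"
fi
```

Run the pre-flight once per domain you intend to list (www and bare domain separately, since each gets its own challenge); if it fails for one name, the client will fail for that name too, and fixing the vhost or DNS first avoids burning authorization attempts.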

It then asked me if I wanted to allow both http and https or just https. I chose to allow both, but if your site communicates sensitive information like passwords or personal data, you might consider forcing all connections to use https:

[Screenshot: choosing between allowing both http and https or https only]

After that, it created the certificate and updated the /etc/apache2 configurations for all the sites that were enabled:
[Screenshot: congratulations message after the certificate was installed]
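If you take the https-only option for a site that carries passwords or personal data, the result to aim for in /etc/apache2 is a port-80 vhost that does nothing but redirect, plus an HSTS header on the https side so returning browsers never try plain http again. The script below is an added example, not the post's configuration and not generated by the letsencrypt client: it prints such a vhost pair for a domain and includes a checker that inspects the response headers for the redirect and the HSTS header. It assumes Apache 2.4 with mod_ssl and mod_headers enabled, and that the certificate directory holds files named fullchain.pem and privkey.pem; the certificate directory and document root you pass in are placeholders to replace with the paths your client wrote.

```shell
#!/bin/sh
# Added example, not part of the original post or the letsencrypt client.
# Assumes Apache 2.4 with mod_ssl and mod_headers ("a2enmod ssl headers").

# https_only_vhosts DOMAIN CERT_DIR DOCROOT
# Prints the hardened vhost pair. The weak variant that "allow both http and
# https" leaves behind is a port-80 vhost with its own DocumentRoot, so a
# browser (or a link in an old e-mail) can keep using plain http; here the
# port-80 vhost answers every request with a permanent redirect instead.
https_only_vhosts() {
    domain=$1
    certdir=$2
    docroot=$3
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    Redirect permanent / https://$domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    DocumentRoot $docroot
    SSLEngine on
    # Apache older than 2.4.8 needs the intermediate in SSLCertificateChainFile
    # instead of a combined fullchain.pem in SSLCertificateFile.
    SSLCertificateFile $certdir/fullchain.pem
    SSLCertificateKeyFile $certdir/privkey.pem
    # HSTS: browsers that have seen this header go straight to https for the
    # next 180 days. Start without includeSubDomains until every host under
    # the domain serves https, otherwise those hosts become unreachable.
    Header always set Strict-Transport-Security "max-age=15552000"
</VirtualHost>
EOF
}

# http_status HEADERS: status code from the first response line.
http_status() { printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print $2}'; }

# location_header HEADERS: value of the Location header, empty if absent.
location_header() { printf '%s\n' "$1" | tr -d '\r' | grep -i '^Location:' | awk '{print $2}'; }

# verdict_for DOMAIN HTTP_HEADERS HTTPS_HEADERS
# Pure check on captured headers: the http side must be a permanent redirect
# to https://DOMAIN/ and the https side must carry HSTS. Returns 0 when both
# hold, 1 otherwise, printing the reason.
verdict_for() {
    domain=$1
    status=$(http_status "$2")
    location=$(location_header "$2")
    case "$status" in
        301|308) ;;
        *) echo "FAIL: http://$domain/ returned status '$status', not a permanent redirect"; return 1 ;;
    esac
    case "$location" in
        https://$domain/*) ;;
        *) echo "FAIL: redirect target is '$location', not https://$domain/"; return 1 ;;
    esac
    if ! printf '%s\n' "$3" | tr -d '\r' | grep -qi '^Strict-Transport-Security:'; then
        echo "FAIL: https://$domain/ does not send Strict-Transport-Security"
        return 1
    fi
    echo "OK: http://$domain/ redirects to https and HSTS is set"
}

# check_https_redirect DOMAIN: fetch live headers and apply verdict_for.
check_https_redirect() {
    http_head=$(curl -sI --max-time 10 "http://$1/") || return 2
    https_head=$(curl -sI --max-time 10 "https://$1/") || return 2
    verdict_for "$1" "$http_head" "$https_head"
}

# Stand-alone usage:
#   sh https-only.sh DOMAIN CERT_DIR DOCROOT   -> print the vhost pair
#   sh https-only.sh DOMAIN                    -> check a running server
if [ "$#" -eq 3 ]; then
    https_only_vhosts "$1" "$2" "$3"
elif [ "$#" -eq 1 ]; then
    check_https_redirect "$1"
fi
```

Keep the HSTS max-age short (a day or so) while you are still shaking out mixed-content problems, because once browsers have cached a long max-age there is no quick way back to plain http for users who already visited.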

Starting to Use the New Certificates

That’s the most exciting part of the letsencrypt tool: the script adjusted all the configurations on my apache2 server and auto-reloaded it, so there’s no need to do anything to start using it! Ubuntu, Debian, CentOS 7, and Fedora are currently the only Linux distros that support automatic configuration; other distributions will likely require manual configuration.

After running the script my apache server was running with the new certs with no downtime! Visitors to Linux TV can now use https to access the site securely. We are currently working on implementing Let’s Encrypt on our blog and other internal resources here at the OSG. Here’s to a safer and more secure web!

Author: Mauro Carvalho Chehab

Mauro is the maintainer of the Linux kernel media and EDAC subsystems and of Tizen on Yocto. He’s also a major contributor to the Reliability, Availability and Serviceability (RAS) subsystems.

3 thoughts on “An Introduction to Installing Your First Let’s Encrypt HTTPS Certificate”

  1. Hi

    Will it be possible to generate certificates and keys for a particular domain from another system?

    For example, I’ve a server running on Machine 1 but I want to generate the cert & key from Machine 2.

    1. The ACME protocol talks with the server during the authentication, in order to check if a new cert is being requested for it. So, if you want to get the certificate on some other machine, the server needs to be prepared first. I was not able to do it with the official client (letsencrypt), but I didn’t try hard. There is a “manual” mode there that is supposed to allow that. There are also some other client implementations, as mentioned at https://community.letsencrypt.org/t/list-of-client-implementations/2103, and I saw some comments from people using those other clients in order to be able to do what you want to do.

  2. Can I use a Let’s Encrypt HTTPS Certificate for my private web server, or must the domain name be a public and registered domain?
