Let's Encrypt
About 6 months ago, Let's Encrypt was brought to my attention as I was once again scouring the internet for a cheap provider of SSL certificates. I run a handful of small websites where providing reliable encryption makes a lot of sense, especially given that passwords are often reused :)
It immediately looked promising. If you go to their website, you'll notice they have a ton of small backers, like: EFF, Chrome, Cisco, Mozilla, Facebook, Shopify, and many many more.
The Past
Before Let's Encrypt, I used a combination of two solutions:
My Own Certificate Authority
My first step was to generate my own root CA. I then generated the various certificates needed for my sites, and installed the root CA on all my devices.
This worked fine... but I still wanted to access certain internal tooling from other devices, and it was annoying every time it warned me. And it was annoying to keep up-to-date.
Oh, and also, Android felt the need to inform me I had a custom certificate installed on my phone... All. The. Time.
Cloudflare
In combination with my own root CA, I used Cloudflare to obtain a free SSL certificate and put a CDN/DDoS protection layer in front of my website. One of the great things is you can put it in unvalidated mode, where it uses downstream SSL, but won't validate the certificate.
Their service is great, but they do want to control your entire domain, meaning that you're restricted to their nameservers. I didn't want to use them for all my domains.
The Future: Let's Encrypt
History
After about a year of these ad-hoc solutions, I discovered Let's Encrypt. When I first found it, it hadn't been released yet, but a few months later, it was out and available for use.
Their scripts were a little bit over-controlling for my taste. The scripts managed everything from obtaining a certificate, to installing, updating your server's config, and renewing. They basically want to know your entire stack. With my solutions, I prefer a little less magic involved.
I then found that there were some people beginning to write their own scripts that follow the ACME protocol.
The first I started to use was letsencrypt-nosudo, which implements ACME in a way that doesn't need sudo, but the process still required a few manual steps. This worked fine for a while, but I did eventually need some automation since their certificates expire after 3 months (which I'd argue is a good thing, as it forces you to keep track of your certificates!).
My Solution
Finally, I landed at acme-tiny and my wrapper script acme-tiny-manager. acme-tiny is a great script that does the negotiation with Let's Encrypt after you've generated the appropriate keys via openssl. My script, acme-tiny-manager, makes that a fully automated process, and creates a file system structure so renewal can happen without any user input.
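A sketch of the kind of renewal layout described above, as an added example (it is not the author's acme-tiny-manager and not code from the acme-tiny project). The per-domain directory tree under `BASE`, the `acme_tiny.py` install path and the function names are assumptions; the `openssl` commands and the `--account-key`, `--csr` and `--acme-dir` flags follow acme-tiny's documented usage.

```shell
#!/bin/sh
# Added example: hypothetical layout $BASE/<domain>/{domain.key,domain.csr,signed.crt}.
# Not acme-tiny-manager's code; paths and function names are assumptions.
BASE="${BASE:-/etc/ssl/acme}"                          # assumed root of the per-domain tree
ACCOUNT_KEY="${ACCOUNT_KEY:-$BASE/account.key}"        # Let's Encrypt account key
ACME_TINY="${ACME_TINY:-/opt/acme-tiny/acme_tiny.py}"  # assumed install path
KEY_BITS="${KEY_BITS:-4096}"

# Create the domain key and CSR once; later renewals reuse them untouched.
prepare_domain() {  # usage: prepare_domain <domain>
    dir="$BASE/$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    if [ ! -f "$dir/domain.key" ]; then
        # umask keeps the private key unreadable by other users
        (umask 077; openssl genrsa -out "$dir/domain.key" "$KEY_BITS" 2>/dev/null) || return 1
    fi
    [ -f "$dir/domain.csr" ] || openssl req -new -sha256 -key "$dir/domain.key" \
        -subj "/CN=$1" -out "$dir/domain.csr"
}

# Exit 0 when the certificate is missing, unreadable, or expires within <days> days.
needs_renewal() {  # usage: needs_renewal <domain> <days>
    crt="$BASE/$1/signed.crt"
    [ -f "$crt" ] || return 0
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$crt" >/dev/null
}

# Run acme-tiny; write to a temp file so a failed run never clobbers a live cert.
renew_domain() {  # usage: renew_domain <domain> <challenge-dir>
    dir="$BASE/$1"
    prepare_domain "$1" || return 1
    needs_renewal "$1" 30 || return 0   # valid for 30+ more days: nothing to do
    python3 "$ACME_TINY" --account-key "$ACCOUNT_KEY" --csr "$dir/domain.csr" \
        --acme-dir "$2" > "$dir/signed.crt.new" \
        && mv "$dir/signed.crt.new" "$dir/signed.crt"
}

# Cron entry point, e.g.: ./renew.sh example.com /var/www/challenges
if [ "$#" -ge 2 ]; then renew_domain "$1" "$2"; fi
```

Run daily from cron, this only contacts Let's Encrypt when a certificate is within 30 days of its 3-month expiry; the web server still needs a reload after a successful renewal.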
I now have all my sites, both public and internal, using strong encryption. I feel happy with my solution, and I'd highly recommend Let's Encrypt if you're looking for a way to secure your sites.