There is a general trend towards making all websites available over HTTPS. For public-facing sites, Google will take into account whether sites use HTTPS as part of their ranking algorithm. On internal sites, users are starting to expect a more secure connection. Even if your users aren’t asking for HTTPS, sometimes the right thing to do is lead them by the hand.
It Wasn’t Easy…
To provide an HTTPS connection, the site needs a TLS certificate (still widely called an "SSL certificate", after the protocol that TLS replaced). Historically, to obtain a TLS certificate, there were two options:
- Buy a certificate from one of the big Certificate Authorities (CA), such as Comodo; or
- Use a “self-signed” certificate
The issues around buying a certificate from one of the major Certificate Authorities include:
- Cost
- Complexity – they required someone to generate a Certificate Signing Request (CSR) and submit it to the CA. Once the certificate was issued, it needed to be added to the web server configuration
- Reliance on email – the CA would typically send an email to a predetermined address on the domain in question. That email would contain a link which, when clicked, would authorise the CA to issue the certificate. In these days of spam and email filtering, actually receiving that email can be one of the more challenging steps.
- Time – to carry out the above actions requires time from a number of people, including waiting for that email.
Using a self-signed certificate avoids the cost, but still requires the other steps. In addition, because no browser trusts the signer, users will see a warning and have to "accept" the certificate when they first visit the site, unless you jump through the hoops of distributing it to their trust stores in advance. A site that trains users to click through such warnings also undermines the protection HTTPS is meant to give.
…But It’s Easier Now
In 2014, a number of organisations including the Electronic Frontier Foundation, Mozilla and Cisco created Let's Encrypt, a Certificate Authority that issues free certificates. These are "only" domain-validated (DV) certificates, because that is the kind whose issuance can be fully automated (Organization Validation and Extended Validation certificates are unlikely to be made available). However, domain-validated certificates are perfectly adequate for the vast majority of cases: they prove control of the name, which is all a browser checks.
The certificates are valid for 90 days, which initially sounds like a very short period, but the beauty of the system is that it is relatively straightforward to arrange for them to be automatically renewed. Once set up, when the certificates have only a predetermined number of days of validity remaining, they are renewed transparently.
The necessary software, all Open Source, is packaged in the Debian Linux distribution and can be installed on other distributions.
Setting Up Let’s Encrypt on Debian
Here’s a quick summary of the steps needed to set up Let’s Encrypt on Debian (Jessie and later).
- Install the dehydrated client:

```sh
apt-get install dehydrated
```

- Add configuration in /etc/dehydrated/config:

```sh
# dehydrated main configuration
CONFIG_D=/etc/dehydrated/conf.d
BASEDIR=/var/lib/dehydrated
WELLKNOWN="${BASEDIR}/acme-challenges"
```

- Create /etc/dehydrated/domains.txt and add domains, one line per certificate. The first name on a line becomes the certificate's Common Name and every space-separated name on the line is included as a subjectAltName. For example:

```
mail.example.com www.example.com example.com
```

- Publish /var/lib/dehydrated/acme-challenges as /.well-known/acme-challenge to the world. Note that this must be accessible via plain HTTP (port 80) for every name on the line, because the ACME HTTP-01 challenge fetches a token from that path. Use the dehydrated-apache2 package, or manual configuration; for example, in Apache (enable it with a2enconf acme-challenge and reload Apache):

```apache
# /etc/apache2/conf-available/acme-challenge.conf
Alias /.well-known/acme-challenge /var/lib/dehydrated/acme-challenges
<Directory /var/lib/dehydrated/acme-challenges>
    Require all granted
    AllowOverride none
    DirectoryIndex off
</Directory>
```

- Run dehydrated -c to request the certificates, which will end up in /var/lib/dehydrated/certs.

- For ongoing renewal, dehydrated should be run in cron mode (-c) on a regular basis. This will renew certificates with less than 30 days' validity remaining (RENEW_DAYS in the config), so for example /etc/cron.weekly/dehydrated might be:

```sh
#!/bin/sh
/usr/bin/dehydrated -c | logger -t "dehydrated" --
```

Note that renewing the files on disk does not make Apache use them. Set HOOK in /etc/dehydrated/config to a script whose deploy_cert stage reloads Apache; otherwise the old certificate keeps being served until the next reload, and eventually expires.
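The steps above fail in two quiet ways: the challenge path is not actually reachable on port 80 (dehydrated then reports an authorization error), or renewal runs but nobody notices it failing until the certificate expires. The following pre-flight and monitoring script, an added example that is not part of dehydrated or of the original tip, parses domains.txt the way the steps describe it, checks a certificate's remaining validity with openssl x509 -checkend (the same test dehydrated uses internally), and can drop a token into the challenge directory and fetch it over HTTP the way the ACME server will. The default paths mirror the configuration above and can be overridden in the environment; the demonstration at the bottom runs on constructed data (a sample domains.txt and two self-signed stand-in certificates in a temporary directory), so it needs no network and no root.

```sh
#!/bin/sh
# Pre-flight and monitoring checks for a dehydrated installation.
# Added example, not part of dehydrated or of the original tip.
# Assumed paths mirror the configuration in the tip; override in the environment.
DOMAINS_TXT="${DOMAINS_TXT:-/etc/dehydrated/domains.txt}"
WELLKNOWN="${WELLKNOWN:-/var/lib/dehydrated/acme-challenges}"
CERT_DIR="${CERT_DIR:-/var/lib/dehydrated/certs}"

# Print one cleaned line per certificate from domains.txt: comments and blank
# lines dropped, runs of whitespace squeezed to single spaces.
parse_domains() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' "$1" | grep -v '^$'
}

# Exit 0 if the certificate in $1 stays valid for more than $2 days
# (default 30, dehydrated's RENEW_DAYS), 1 if it expires sooner.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( ${2:-30} * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Drop a random token into WELLKNOWN and fetch it the way the ACME server
# will: over plain HTTP at /.well-known/acme-challenge/<token> on host $1.
# Not exercised by the demonstration below because it needs a live web server.
challenge_path_reachable() {
    token="preflight-$$-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s\n' "$token" > "$WELLKNOWN/$token" || return 2
    got=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$WELLKNOWN/$token"
    [ "$got" = "$token" ]
}

# Walk every certificate named in domains.txt (keyed by the first name on the
# line, which is the directory dehydrated creates) and report its state.
report_certs() {
    parse_domains "$DOMAINS_TXT" | while read -r primary _rest; do
        cert="$CERT_DIR/$primary/cert.pem"
        if [ ! -f "$cert" ]; then
            echo "$primary: no certificate yet"
        elif cert_valid_for_days "$cert" 30; then
            echo "$primary: OK (more than 30 days left)"
        else
            echo "$primary: WARNING renewal due (less than 30 days left)"
        fi
    done
}

# ---- demonstration on constructed data (no network, no root) ----
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DOMAINS_TXT="$DEMO_DIR/domains.txt"
CERT_DIR="$DEMO_DIR/certs"
cat > "$DOMAINS_TXT" <<'EOF'
# constructed sample domains.txt
mail.example.com www.example.com    example.com

intranet.example.net
EOF
# Self-signed stand-ins for what dehydrated writes to certs/<primary>/cert.pem:
# one with 10 days left (renewal due) and one with 60 days left.
mk_cert() {  # $1 = primary name, $2 = days of validity
    mkdir -p "$CERT_DIR/$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$1" \
        -keyout "$CERT_DIR/$1/privkey.pem" -out "$CERT_DIR/$1/cert.pem" >/dev/null 2>&1
}
mk_cert mail.example.com 10
mk_cert intranet.example.net 60
report_certs
```

On a real host, run challenge_path_reachable for each name in domains.txt before the first dehydrated -c, and put report_certs in a daily cron job that mails its WARNING lines; the check is independent of dehydrated, so it still fires if the renewal job itself has been silently broken.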
Using The Certificates
The certificates will be created in /var/lib/dehydrated/certs/$DOMAIN/, where $DOMAIN is the first name on the relevant domains.txt line (older versions of the client were called letsencrypt.sh and used /var/lib/letsencrypt.sh/certs/ instead). An Apache configuration example, which also disables TLS 1.0 and 1.1 as these are now deprecated alongside SSLv2 and SSLv3:

```apache
SSLEngine On
SSLCertificateFile /var/lib/dehydrated/certs/www.example.com/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/www.example.com/privkey.pem
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite HIGH:!aNULL
```
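Once the certificate is in place, the usual next step is to send visitors to HTTPS, and that is where the challenge path is most often broken: a blanket redirect on port 80 is fine for Let's Encrypt (its HTTP-01 validation follows redirects) but the port 443 host cannot start until the first certificate exists. The following pair of virtual hosts is an added example, not from the original tip or the dehydrated project; it assumes the site file /etc/apache2/sites-available/www.example.com.conf, a DocumentRoot of /var/www/www.example.com, and that mod_ssl, mod_rewrite and mod_headers are enabled. The challenge Alias repeats the one from acme-challenge.conf, which is harmless.

```apache
# /etc/apache2/sites-available/www.example.com.conf (assumed file name)
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com

    # HTTP-01 challenges are fetched over plain HTTP, so serve the token
    # directory here and redirect everything else to HTTPS.
    Alias /.well-known/acme-challenge /var/lib/dehydrated/acme-challenges
    <Directory /var/lib/dehydrated/acme-challenges>
        Require all granted
        AllowOverride none
        DirectoryIndex off
    </Directory>

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/www.example.com

    SSLEngine On
    # fullchain.pem holds the leaf plus the intermediate; Apache 2.4.8+ accepts it here.
    SSLCertificateFile    /var/lib/dehydrated/certs/www.example.com/fullchain.pem
    SSLCertificateKeyFile /var/lib/dehydrated/certs/www.example.com/privkey.pem
    SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # Browsers will insist on HTTPS for this name for a year. Start with a
    # short max-age until every host under the name is known to work over
    # HTTPS: a long value cannot be withdrawn quickly.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Bring the site up in two stages: enable only the port 80 host, run dehydrated -c to obtain the first certificate, then enable the port 443 host and reload. After a reload, check with openssl s_client -connect www.example.com:443 -servername www.example.com that the chain presented is the new one; if the dates have not changed, the renewal hook is not reloading Apache.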
Further Information
- The Wikipedia Let’s Encrypt page
- The Let’s Encrypt website