Security has long been a passion of mine. Today TLS is cheaper and easier to deploy thanks to Let’s Encrypt. This post is designed to help those starting out working with their systems.
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
- Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
Security and limitations primer.
You will want to read their (letsencrypt.org) page, which outlines their own install and update utility. However, if you continue reading I shall point you to a much simpler solution. There is also a (letsencrypt.org) post detailing their rate limits:
[…] Let’s Encrypt has rate limits for certificate issuance. These limits are in place primarily to protect our services from both accidental and intentional abuse.
The preferred acme-tiny approach.
Overview (from the site).
[…] This is a tiny, auditable script that you can throw on your server to issue and renew Let’s Encrypt certificates. Since it has to be run on your server and have access to your private Let’s Encrypt account key, it was made to be as tiny as possible (currently less than 200 lines). The only prerequisites are
Download and instructions.
The script and instructions for use are available at the project’s (github.com) repository.
This approach will save you many hours if, like me, you maintain more than one domain. It also lets you cover as many subdomains as you need (e.g. www, shop) in a single command, by listing them all as subject alternative names in one CSR so that one certificate serves every hostname.
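The multi-hostname flow described above, as an added example that is not code from this post or from the acme-tiny project: one CSR carrying every hostname as a subject alternative name, keys kept separate and unreadable by other users, and the live certificate only replaced when acme_tiny.py succeeds. The file names, the challenge directory `/var/www/challenges` and the `python acme_tiny.py` invocation are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example, not code from the post or from acme-tiny: issue one certificate
# covering several hostnames with acme_tiny.py. File names, the challenge
# directory and the python invocation are assumptions; adjust them for your host.
set -eu

# Print an OpenSSL request config whose [SAN] section names every host given,
# so one CSR (and one acme-tiny run) covers example.com, www, shop, and so on.
san_config() {
    [ "$#" -gt 0 ] || { echo "san_config: need at least one hostname" >&2; return 1; }
    names=""
    for host in "$@"; do
        names="${names:+$names,}DNS:$host"
    done
    printf '[req]\ndistinguished_name = dn\nreq_extensions = SAN\n[dn]\n[SAN]\nsubjectAltName=%s\n' "$names"
}

# Keys are created once and reused. The account key authenticates you to
# Let's Encrypt; the domain key is the one the certificate binds. Keep them
# separate, and keep them unreadable by other users (umask 077).
ensure_keys() {
    umask 077
    [ -f account.key ] || openssl genrsa 4096 > account.key
    [ -f domain.key ]  || openssl genrsa 4096 > domain.key
}

# Full issue/renew cycle. acme_tiny.py prints the signed chain to stdout and
# exits non-zero on failure, so write to a temporary file and only replace the
# live certificate on success; otherwise a failed renewal would leave an empty
# certificate file for the web server to load.
issue_cert() {
    acme_dir=/var/www/challenges   # assumption: served as http://<host>/.well-known/acme-challenge/
    ensure_keys
    san_config "$@" > domain.cnf
    openssl req -new -sha256 -key domain.key -subj "/CN=$1" -config domain.cnf > domain.csr
    python acme_tiny.py --account-key ./account.key --csr ./domain.csr \
        --acme-dir "$acme_dir" > signed_chain.crt.tmp
    mv signed_chain.crt.tmp signed_chain.crt
    rm -f domain.csr domain.cnf
}

# Usage: sh issue.sh example.com www.example.com shop.example.com
# (nothing runs when the file is sourced or invoked without hostnames)
[ "$#" -eq 0 ] || issue_cert "$@"
```

Run it from cron well before expiry, but not more often than needed: every run is a new issuance against the rate limits quoted above, and the same script serves both first issue and renewal because the keys are reused and only the CSR and certificate are regenerated.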