Let’s Encrypt is a certificate authority that offers digital certificates which can be used to enable HTTPS (SSL/TLS) on websites for free, including support for the ACME DNS challenge, ECDSA signing, IPv6, and Internationalized Domain Names.
Its aim is to provide free SSL to all websites on the internet so that all web traffic is encrypted, without the need for a dedicated IP. I’m currently using Let’s Encrypt SSL certificates on some of my WordPress and Joomla-powered sites.
Let’s Encrypt is a project of the non-profit Internet Security Research Group (ISRG) and is sponsored by many organisations including Facebook, Chrome, DigitalOcean, the Ford Foundation, Mozilla, Automattic and Cisco. This is not really a Let’s Encrypt review, but this post will help you understand the basics of Let’s Encrypt and how it works.
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
- Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that speaks the ACME protocol, which typically runs on your web host.
The ACME protocol for issuing and managing certificates is at the heart of how Let’s Encrypt works. The ACME specification itself is also open. This protocol was designed to automate the management of domain-validation certificates, based on a simple JSON-over-HTTPS interface. If you have some programming skills, you can check all the Let’s Encrypt code and protocol specifications on GitHub.
To figure out which method will work best for you in enabling HTTPS using Let’s Encrypt, you will need to know whether you have shell access (also known as SSH access) to your web host. If you manage your website entirely through a control panel like cPanel, Plesk, or WordPress, there’s a good chance you don’t have shell access. You can ask your hosting provider to be sure.
With Shell Access
With shell access, Let’s Encrypt recommends the Certbot client, which is written in Python and follows the specifications of the ACME protocol. It can automate certificate issuance and installation with no downtime. It works on many operating systems and has great documentation.
If Certbot does not meet your needs, or you’d like to try something else, there are many more ACME clients written in different programming languages to choose from, including AcmePHP. Once you’ve chosen ACME client software, see the documentation for that client to proceed.
Without Shell Access
The best way to use Let’s Encrypt without shell access is to use built-in support from your web hosting provider. If your hosting provider offers Let’s Encrypt support, they can request a free certificate on your behalf, install it, and keep it up to date automatically. For some hosting providers, this is a configuration setting you need to turn on. Other providers automatically request and install certificates for all their customers.
If your hosting provider does not support Let’s Encrypt, you can contact them to request support.
If your hosting provider doesn’t want to integrate Let’s Encrypt, but does support uploading custom certificates, you can install Certbot on your own computer and use it in manual mode. In manual mode, you upload a specific file to your website to prove your control. Certbot will then retrieve a certificate that you can upload to your hosting provider. Alternatively, you can try sslforfree.com.
Let’s Encrypt certificates currently have a ninety-day lifetime. Hate it or love it, every SSL certificate issued by Let’s Encrypt expires after 90 days. There are no exceptions: you can’t obtain a certificate with a longer validity, say one year or more, as you normally could today from any other certificate authority. However, certificates can be renewed automatically before they expire.
Let’s Encrypt certificates are currently known to be incompatible with some devices, including the ones listed below:
- BlackBerry OS 10, 7 and 6 (versions >= 10.3.3 work)
- Android 2.3.5 (HTC Wildfire S, Stock Browser)
- Windows XP prior to SP3
Let’s Encrypt is cool and can help in enabling HTTPS on your blogs without breaking the bank. However, it is also really unlikely that Let’s Encrypt will replace the current SSL certificate market, mostly because it currently lacks support for some widely adopted certificate types, such as wildcard and EV certificates.
Are you using Let’s Encrypt?
Does your web hosting company support it? Kindly let me hear from you in the comments.