Today I played with LetsEncrypt, a community effort with commercial backing from the likes of Mozilla, Cisco, the EFF & a wealth of others. The basic premise is that security should be straightforward & accessible to everyone: the easier & more accessible security is, the more people will take advantage of it. LetsEncrypt is a collection of tools wrapped in a Python utility called letsencrypt-auto. Using this single command it's possible to generate, install, renew & revoke certificates programmatically from the command line.

In order for LetsEncrypt to work you need to have a webroot that will allow the utility to create a hidden directory named .well-known/. LetsEncrypt uses this directory to verify that you control the domain. Note that the generated certificates, keys & chains are not stored in this hidden directory; it is simply used as a token for verification.
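Because a failed webroot validation usually comes down to the webserver not serving .well-known/ the way the CA expects (wrong DocumentRoot, dotfiles blocked, a redirect rewriting the response), it is worth checking that before running the client. The following preflight script is an added example, not part of letsencrypt-auto: it drops a throwaway token file into <webroot>/.well-known/acme-challenge/, fetches it back over plain HTTP the way the validator would, compares the body, and removes the file again. FETCH_CMD is an assumed hook (defaulting to curl) so the fetch step can be swapped out.

```shell
#!/bin/sh
# Added preflight check (not part of the letsencrypt-auto client): confirm that
# a file placed under <webroot>/.well-known/acme-challenge/ is served back
# verbatim at http://<domain>/.well-known/acme-challenge/<token>.
#
# FETCH_CMD is an assumed hook: a command that takes a URL and prints the
# response body. It defaults to curl; a local stub can be substituted.

acme_preflight() {
  webroot="$1"
  domain="$2"
  challenge_dir="$webroot/.well-known/acme-challenge"

  # The ACME client creates this path itself; here we only need it to exist.
  mkdir -p "$challenge_dir" || return 1

  # A throwaway token; the real client uses a random token issued by the CA.
  token="preflight-check-$$"
  printf '%s' "$token" > "$challenge_dir/$token" || return 1

  # Fetch the file exactly as the CA's validator would: over HTTP, by path.
  body=$(${FETCH_CMD:-curl -fsS} "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
  status=$?

  # Always remove the probe file so nothing lingers in the webroot.
  rm -f "$challenge_dir/$token"

  if [ "$status" -ne 0 ]; then
    echo "preflight: fetch failed for $domain (HTTP error or no route)" >&2
    return 1
  fi
  if [ "$body" != "$token" ]; then
    echo "preflight: body mismatch; server returned something other than the token" >&2
    return 1
  fi
  echo "preflight: $domain serves $challenge_dir correctly"
  return 0
}

# Usage: ./acme_preflight.sh /var/www/html tech.superk.org
if [ "$#" -eq 2 ]; then
  acme_preflight "$1" "$2"
fi
```

Run it against the same webroot and domain you intend to pass to letsencrypt-auto; a non-zero exit tells you the validation would fail before the CA ever gets involved.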

Once your webserver is configured, run the following command to generate certificates & produce a configuration file for your web site (in this case Apache) that is preconfigured with SSL:

$ sudo ./letsencrypt-auto install --webroot /var/www/html -d tech.superk.org \
  --cert-path /etc/letsencrypt/live/tech.superk.org/cert.pem \
  --key-path /etc/letsencrypt/live/tech.superk.org/privkey.pem \
  --chain-path /etc/letsencrypt/live/tech.superk.org/chain.pem

There are some other commands that work in different scenarios, including an experimental 'standalone' option that runs its own webserver if you don't want to configure your webroot to allow for the creation of the verification hidden directory. Run ./letsencrypt-auto --help for more details or visit their documentation online.

As you can probably gather from the command above, LetsEncrypt stores your cert, key & chain information in /etc/letsencrypt/live/<domain_name>. The live/ directory contains the current version of your certificate & related files.

The install option will generate a new configuration for your site in /etc/httpd/conf.d (this example is for CentOS 7; other servers will have different paths). For my example, I had a configuration file called grav.conf which contains the configuration for this blog, but only for HTTP access (non-SSL). After I ran the above command it popped up an ncurses prompt asking if I wanted to make my configuration "Easy" or "Secure": "Easy" meaning both HTTP & HTTPS were available, while "Secure" would add lines to grav.conf to force-rewrite all HTTP requests to HTTPS. Additionally, either option generated a new configuration file named grav-le-ssl.conf that mirrored grav.conf but with the SSL configuration already done & pointing to the certs, keys & chains you specified.

[Screenshot: Installation Prompt]