HTTPS is easy and completely free!

After watching a talk about encryption from Yan Zhu online (JSConf Budapest 2016 – Encrypt the Web For $0) I decided to try Let’s Encrypt again to enable HTTPS on a website. I used Let’s encrypt before in November 2015. At that time the Let’s Encrypt project was in private beta and required a lot of manual configuration to get things configured. But right now the tools to configure Let’s encrypt seem really really mature.

Let’s Encrypt!

To enable HTTPS on a website, you need to get a certificate file from a Certificate Authority (CA). Let’s Encrypt is a Certificate Authority.

My server runs Debian Jessie (version 8) and the webserver is Apache (version 2.4). I have access to the server through SSH. When shell access is available, Let’s Encrypt recommend to use the Certbot ACME client. It can automate certificate issuance and installation without downtime.

Configure webserver with Certbot

First add backports to the Debian /etc/apt/sources.list config.

deb http://ftp.debian.org/debian jessie-backports main

Install the Cerbot client.

# apt-get install python-certbot-apache -t jessie-backports

Start the interactive configuration process to enable HTTPS for the selected websites.

# certbot --apache

That’s it already! Now everything should be configured!

Optionally test your new Apache config with the following command

# apachectl configtest

The Certbot packages come with a cron job that will renew certificates automatically before they expire. Let’s Encrypt certificates last for 90 days. To test the certificate renewal

# certbot renew --dry-run

Test host certificate

The free online SSL Server Test from Qualys SSL Labs performs a deep analysis of the configuration of any SSL web server on the public Internet. Go test your new configured website.

https://www.ssllabs.com/ssltest/index.html

Resources