Introduction to Let's Encrypt

Let's Encrypt is a certificate authority that issues TLS certificates for free. It is one of the most active services currently helping to make web communications fully encrypted. The service relies on funds raised from various companies. In 2017, Let's Encrypt's operating costs were only 3 million dollars, to serve almost 50 million active certificates! As a comparison, in the same year HADOPI, a French government agency that aims to fight online media piracy, spent 7.5 million euros (about 8.6 million dollars) to send about 2 million notification emails and issue 88 fines.

The success of Let's Encrypt is not only due to the fact that it is free, but also to the tools provided to automate the retrieval and renewal of certificates. Nevertheless, Let's Encrypt is a serious, fully fledged certificate authority: to obtain a certificate, one has to prove control of the domain name for which the certificate is requested. There are two ways to prove this control:

  • By adding a DNS record for the requested domain name
  • By putting a resource file on an HTTP server running on the domain name

These operations can be done manually or automatically. The protocol used to issue the certificates is called the Automated Certificate Management Environment (ACME) protocol. Issued certificates are valid for 90 days, a period much shorter than the one usually offered by other certificate authorities. This choice was driven by two aims:

  • This limits the security impact in cases where private keys and certificates are stolen from a server. The stolen credentials are valid for at most 90 days.
  • This encourages the use of automation for certificate renewal.

The tool provided by Let's Encrypt is called Certbot. This command-line tool allows us to request new certificates and to renew them. Some additional tooling is necessary for automatic renewal: a simple way is a cron job or a systemd timer. Another, even simpler way is to use a higher-level tool such as Traefik, which implements the ACME protocol itself.
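As an added example (not code from the book, nor from the Certbot project), here is a small POSIX shell renewal guard of the kind a cron job or systemd timer would run: it reads the certificate's notAfter date with openssl, computes the days left, logs the result, and calls `certbot renew` only when 30 days or fewer remain (Certbot's own default renewal threshold). The certificate path, the `renew-guard.sh` install path and the cron schedule are assumptions, and GNU `date -d` is assumed for parsing the date string.

```shell
#!/bin/sh
# Added example, not code from the book or from the Certbot project: a renewal
# guard meant to run from a cron job or a systemd timer. It checks how many days
# the current certificate has left and only invokes `certbot renew` inside the
# renewal window. Assumptions: openssl, certbot and GNU date (for `date -d`) are
# on PATH; the certificate path and the cron schedule below are hypothetical.

RENEW_WINDOW_DAYS=30                                  # certbot's default: renew at <= 30 days left
CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live/example.com/cert.pem}"   # hypothetical path

# days_left NOT_AFTER_EPOCH NOW_EPOCH
# Prints the whole days remaining before expiry; negative once the certificate
# has been expired for more than a day.
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# needs_renewal NOT_AFTER_EPOCH NOW_EPOCH
# Exits 0 when the certificate is inside the renewal window (or already expired), 1 otherwise.
needs_renewal() {
    [ "$(days_left "$1" "$2")" -le "$RENEW_WINDOW_DAYS" ]
}

# cert_not_after_epoch CERT_FILE
# Prints the certificate's notAfter field as a Unix epoch (GNU date is assumed here).
cert_not_after_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//') || return 1
    date -u -d "$end" +%s
}

# renew_if_needed
# Entry point for the timer: log the remaining lifetime and renew only when due.
# Every run is logged, so a renewal that keeps failing is noticed well before the
# 90 days run out.
renew_if_needed() {
    now=$(date -u +%s)
    exp=$(cert_not_after_epoch "$CERT_PATH") || { echo "cannot read $CERT_PATH" >&2; return 2; }
    left=$(days_left "$exp" "$now")
    if needs_renewal "$exp" "$now"; then
        echo "$CERT_PATH: $left days left, renewing"
        certbot renew --quiet
    else
        echo "$CERT_PATH: $left days left, nothing to do"
    fi
}

# Example crontab entry (hypothetical install path), running twice a day:
#   0 */12 * * * /usr/local/bin/renew-guard.sh run
# Only the explicit `run` argument triggers renewal, so the file can also be
# sourced to test the helper functions on their own.
case "${1:-}" in
    run) renew_if_needed ;;
esac
```

The decision logic (`days_left`, `needs_renewal`) is kept separate from the commands that touch the system (`openssl`, `certbot`), so the window arithmetic can be checked with constructed epochs without a real certificate. A systemd timer firing the same `renew-guard.sh run` command on a twice-daily schedule works just as well as the cron line.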
