This is the next article in a series about TLS/SSL certificates. In the first one I focused on explaining what types of certificates are used, what are the pros and cons of each one and how to implement certificates on your website with Nginx webserver as an example.
Link to this article: https://kbrzozova.medium.com/all-you-need-to-know-about-ssl-certificates-part-1-1f6f9b665650
Today we will focus on Let’s Encrypt certificates. What is this, why so many websites are using it, and when it’s a good idea to use it?
In the previous article, you’ve learned about different types of certificates and we’ve learned that the most secure, EV certificate, is also the most expensive.
BUT! What if I told you that Let’s Encrypt certificate is completely free? You will probably think that it’s nice to have a free certificate, but is it a good certificate to use on a production?
Let’s Encrypt is a certificate authority that verifies the ownership of domain in an automated way using a Certbot.
Certbot is a tool that is basically responsible for analyzing the ownership of a domain and there are 3 ways to do it. You can choose one of these Certbot challenges:
HTTP-01 — most popular option. This challenge uses port 80 and is not available for wildcard certificates. If you want to know more about wildcard certificates, read my previous article -> https://kbrzozova.medium.com/all-you-need-to-know-about-ssl-certificates-part-1-1f6f9b665650
DNS-01 — requires you to create a TXT record. This option is suitable also for wildcard certificates and works well for multiple webservers.
TLS-SNI-01 and TLS-ALPN-01 are deprecated, so we will not cover it in this article. However, you can read more about them in a link below.
If you want to read in details how this challenges differ, check this article from LEt’s Encrypt:letsencrypt.org/docs/challenge-types
Let’s Encrypt issues the SSL/TLS certificate if one of these steps is successful.
What is important, this certificate is renewed every 30–90 days which is quite short compared to other paid certificates that are generated for 1 or more years.
Requirements
In order to use Let’s Encrypt you have to install Certbot on a webserver.
Here is an example instruction on how you can install Certbot on Ubuntu: https://learnubuntu.com/install-certbot/
The next step after the installation process is to create a new SSL certificate for the domain example.com. Here is a command that will take care of this:
sudo certbot certonly --standalone -d example.com
With this command Certbot will use standalone server to verify the ownership of the domain and then generate a new SSL/TLS certificate.
You can also run Certbot with --nginx
flag which use the Nginx plugin to handle the challenges and install the certificate into Nginx automatically.
sudo certbot certonly --nginx -d example.com -d www.example.com
Do you wonder, how to renew certificate? Certbot is doing it automatically by a cronjob in /etc/cron.d/certbot. It’s basically triggering Certbot twice a day to renew a certificate when it’s due for renewal. You don’t have to do anything here.
Just make sure that Certbot is running properly and of course, monitoring expiring certificates would be a good idea!
Certbot can be run in dry mode. Add
--dry-run
flag to command.
If we have a certificate, we can add it to our Nginx configuration. Here is an example of configuration:
server {
listen 80;
server_name example.com;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
As Let’s Encrypt offers a free certificate, it’s often chosen by admins.
It provides encrypted connection as all certificates, however only offers domain validation. It means that Let's Encrypt verifies control over the domain, not the organization, so you can’t be sure who actually owns the domain. Is it some bad hacker? Possible!
What you should keep in mind when using Let’s Encrypt is:
you can use it in a test environment, but you shouldn’t do it in a production
you should take care of monitoring certificate expiration
you should configure a network to allow communication on ports 80 and 433 which are used by Certbot. It may require additional configuration if the site is hidden behind an application firewall like Cloudflare or Akamai. Yeah, I know you don’t like to hear it.
you can install Certbot on a host that has access to the Internet. If not directly, you can use a proxy server to get along with the verification and renewal process.
How to configure Certbot on a private server?
As mentioned before, if your server is private, you should configure a proxy server to be able to run Certbot.
If you are using HTTP-01 as a validation process, it is crucial to allow forwarding HTTP requests at
http://example.com/.well-known/acme-challenge/
to a private server.For DNS-01 configure DNS to delegate the
_acme-challenge.example.com
subdomain to the private server's DNS.Allow incoming traffic from the proxy server on 80 and 443 which are used by Certbot.
Summary
In this article, I focused on explaining what is Let’s Encrypt certificate, when to use is and when you shouldn’t do it. Also, we covered topics like how to configure it properly based on Nginx webserver and what things we should keep in mind when choosing Let’s Encrypt.
In the next articles, we will learn more about potential attack surfaces, popular attacks related to SSL/TLS certificates, and how actually certificates work under the hood including SSL handshake, so stay tuned.