WHAT
Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG, a California public benefit organization). It provides X.509 certificates for Transport Layer Security (TLS) encryption free of charge. Let’s Encrypt was founded in 2014, in part by the Electronic Frontier Foundation, and is backed by Akamai, Google, Facebook, Mozilla and many more. As it grew in popularity, the issuer became trusted by the major players, including Apple, Google, Microsoft, Oracle and many more.
WHY
The eCommerce world suffers many data breaches, and they are growing rapidly. Without SSL, your website visitors and customers are at higher risk of having their data stolen, especially on sites that handle personal, important or confidential data. An SSL certificate is a basic requirement for any site nowadays. With SSL we can protect websites from attack, reducing the risk of hacking, eavesdropping and man-in-the-middle attacks; it also provides strong encryption to protect users’ information from phishing scams and attacks.
A few popular companies providing SSL certificates are Thawte, RapidSSL, GoDaddy, DigiCert, GeoTrust, Network Solutions, Symantec, COMODO, etc.
The companies name the types as they like, but the three common types of SSL certificate available today are:
- Domain Validated (DV SSL) – Low Cost – Issued Immediately
- Organization Validated (OV SSL) – Medium Cost – Issued in a day/two
- Extended Validation (EV SSL) – High Cost – Issued within three days
Domain Validated (DV) certificates only require proof that the website owner can demonstrate administrative control over the domain, whereas Organization Validated (OV) certificates also include some identity information about the site operator, which is not as prominently displayed in the browser.
An Extended Validation SSL Certificate (EV SSL) is the highest form of SSL Certificate in the market. During verification of an EV SSL Certificate, the owner of the website passes a thorough and globally standardized identity verification process to prove exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove the entity has authorized the issuance of the certificate.
A website with an EV SSL certificate usually shows a green padlock and the organization name.
Let’s Encrypt offers DV certificates, which are suitable for smaller and more personal sites; larger business and e-commerce sites often require a higher level of validation.
Let’s Encrypt is not a poor option, as it is backed by some of the world’s largest companies, including Facebook, Mozilla and Google. But sites secured with OV and EV certificates are displayed as secure in browsers, which is vital for improving visitor confidence in the site.
HOW
With shell access, use the Certbot ACME client. It can automate certificate issuance and installation with no downtime and works on many operating systems.
Without shell access, use the built-in support from your hosting provider. Most hosting providers now support Let’s Encrypt.
Let’s Encrypt supports two methods of validation to prove control of your domain:
- http-01 (validation over HTTP) – posting a specified file at a specified location on a web site
- dns-01 (validation over DNS) – posting a specified DNS record in the domain name system
What types of certificate are available with Let’s Encrypt? Let’s Encrypt provides Domain Validated SSL certificates. Initially it supported only single-domain certificates; it now also supports wildcard certificates and SAN certificates (Subject Alternative Name certificates let you specify additional domain names to be protected by a single SSL certificate).
Let’s Encrypt uses the ACME protocol to verify that you control a given domain name and to issue you a certificate. To get a Let’s Encrypt certificate, you need to choose a piece of ACME client software to use. Let’s Encrypt supports the ACMEv2 API, which is compatible with the final ACME standard. The older ACMEv1 API will be phased out in 2020/2021. Most new clients support ACMEv2. A few popular ACME clients are:
Certbot, acme.sh (a Linux bash script), Apache httpd support via the mod_md module, the Ansible acme_certificate module, ZeroSSL (Docker), the HAProxy client, Azure WebApp SSL Manager, Nginx ACME, Acme PHP, ACME Tiny, acme-cert-tool, the Python acme module, etc.
Other projects integrating with Let’s Encrypt are cPanel, pfSense, Certhub, Apache HTTP Server, Cloudfleet, ISPConfig, etc.
Certbot: Certbot is a free, open-source tool to create and manage Let’s Encrypt certificates. The Certbot client supports two types of plugins for obtaining and installing certificates: authenticators and installers.
Authenticators are plugins used with the certonly command to obtain a certificate. The authenticator validates that you control the domain(s) you are requesting a certificate for, obtains a certificate for the specified domain(s), and places the certificate in the /etc/letsencrypt directory on your machine.
Installers are plugins used with the install command to install a certificate. These plugins can modify your web server’s configuration to serve your website over HTTPS using certificates obtained by Certbot. Available plugins are Apache, Nginx, Webroot, Standalone, DNS, etc.
Example:
certbot --apache (make sure to take a configuration backup first; to revert the changes, run certbot --apache rollback)
certbot --nginx (make sure to take a configuration backup first; to revert the changes, run certbot --nginx rollback)
certbot certonly --webroot -w /var/www/html -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net
If you’re getting a certificate for many domains at once, the plugin needs to know where each domain’s files are served from, which could be a separate directory for each domain. When requesting a certificate for multiple domains, each domain uses the most recently specified --webroot-path (-w). So the command above obtains a single certificate for all four names, using the /var/www/html webroot directory for the first two and /var/www/other for the second two. The webroot plugin works by creating a temporary file for each of your requested domains in ${webroot-path}/.well-known/acme-challenge.
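As an added illustration (not from the original page or from Certbot’s own code) of what the two validation methods above actually check, and of the file the webroot plugin drops under .well-known/acme-challenge, this Python script builds the ACME key authorization from a challenge token and the account key’s JWK thumbprint; the JWK and token are constructed sample values, not a real key.

```python
import base64
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample values (not a real key and not a real challenge token).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy4sc2F4SyN"}
SAMPLE_TOKEN = "DGyRejmCefe7v4NfDGDKfA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: SHA-256 over the canonical JSON
    of the required members only (sorted keys, no whitespace, no extras)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The string the CA expects to find: '<token>.<thumbprint>'. Binding the
    account key into it stops a different ACME account from reusing the token."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_provision(webroot: Path, token: str, jwk: dict) -> Path:
    """What the webroot plugin does for http-01: write the key authorization
    to <webroot>/.well-known/acme-challenge/<token> for the CA to fetch."""
    target = webroot / ".well-known" / "acme-challenge" / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization(token, jwk), encoding="ascii")
    return target


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value of the _acme-challenge TXT record for dns-01: the base64url of
    SHA-256(key authorization), never the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def demo() -> str:
    """Provision the http-01 file in a throwaway webroot and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        return http01_provision(Path(tmp), SAMPLE_TOKEN, SAMPLE_JWK).read_text()
```

The same derivation explains why a dns-01 TXT record never exposes the token itself: only a hash of the key authorization is published.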
DNS plugins – for the list of built-in hosting provider plugins, please check https://certbot.eff.org/hosting_providers
pfSense (a free and open-source firewall/load balancer/router) is a very good front-end tool to manage Let’s Encrypt certificates with the additional ACME plugin. With it you can create, manage and renew Let’s Encrypt certificates easily.