Let’s Encrypt quick start
A little guide with the bare minimum you want to know before you start using Let’s Encrypt.
- CA — Certificate Authority
- PKIX — Public Key Infrastructure X.509
- JWS — JSON Web Signature
- ACME — Automatic Certificate Management Environment
What is Let’s Encrypt
Let's Encrypt is a CA.
To enable HTTPS on your website, you need to obtain a PKIX certificate file from a CA.
In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain by passing a challenge.
A challenge is one of three tasks that only someone who controls the domain should be able to accomplish:
- Posting a specified file in a specified location on a web site (the HTTP-01 challenge)
- Offering a specified temporary certificate on a web site (the TLS-SNI-01 challenge)
- Posting a specified DNS record in the domain name system (the DNS-01 challenge)
The TLS-SNI-01 challenge doesn’t work with CDNs, because the domain name points at the CDN, not directly at your server.
With Let’s Encrypt, proving control and obtaining the certificate is usually done by running software that uses the ACME protocol, typically on your web host. Certbot is the recommended client, but there are many others to choose from, in the form of plugins, libraries and standalone tools.
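As an added illustration of the HTTP-01 challenge (not code from the guide or from Certbot), the block below shows what the CA actually checks: the file the client serves must contain the challenge token joined to a thumbprint of the client’s ACME account key, so only whoever holds that key can answer. The account key is a constructed placeholder JWK; the path /.well-known/acme-challenge/<token> and the trailing-whitespace rule come from the ACME specification.

```python
import base64
import hashlib
import json
import secrets

# Constructed ACME account key (public part only) as a JWK.
# The modulus is a made-up placeholder, not a real key.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus-not-a-real-key",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME and JWS use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def new_token() -> str:
    """CA side: a fresh challenge token with 256 bits of entropy (spec requires at least 128)."""
    return b64url(secrets.token_bytes(32))


def key_authorization(token: str, jwk: dict) -> str:
    """Client side: the body to serve at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def validate_http01(token: str, jwk: dict, served_body: bytes) -> bool:
    """CA side: body must equal the key authorization; trailing whitespace is ignored."""
    expected = key_authorization(token, jwk).encode("ascii")
    got = served_body.rstrip(b" \t\r\n")
    return secrets.compare_digest(got, expected)


if __name__ == "__main__":
    token = new_token()
    body = key_authorization(token, ACCOUNT_JWK)
    print("serve this at /.well-known/acme-challenge/" + token + ":", body)
    print("valid with trailing newline:", validate_http01(token, ACCOUNT_JWK, body.encode() + b"\n"))
    other_key = dict(ACCOUNT_JWK, n="a-different-placeholder-modulus")
    print("valid from another account key:", validate_http01(token, ACCOUNT_JWK, key_authorization(token, other_key).encode()))
```

The last line shows the property the challenge relies on: a response computed with any other account key is rejected even though the token is public.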
If you don’t have shell access to your server, you might need to check with your hosting provider.
What is a certificate
PKIX certificates are used for a number of purposes, the most significant of which is the authentication of domain names.
Different types of certificates reflect different kinds of CA verification of information about the certificate subject:
- “Domain Validation” (DV) certificates are by far the most common type. The CA is only required to verify that the requester has control over the domain.
- “Organization Validation” (OV) and “Extended Validation” (EV) certificates: in those cases the process is intended to also verify the real-world identity of the requester.
What is ACME
In general, CAs use a set of ad hoc protocols for identity verification and certificate issuance. Typically it looks something like:
- Generate a PKCS#10 Certificate Signing Request (CSR)
- Cut-and-paste the CSR into the CA’s web page
- Prove ownership of the domain by one of the following methods:
  - Put a CA-provided challenge at a specific place on the web server
  - Put a CA-provided challenge in a DNS record of the domain
  - Receive a CA-provided challenge at an admin-controlled email address corresponding to the domain
- Download the issued certificate and install it on the web server
Following those instructions manually can be confusing and time-consuming. ACME is here to help.
ACME provides a framework for automating issuance, allowing software to obtain certificates without user interaction. It also takes care of automatic certificate renewal and related maintenance.
Communication between an ACME client and an ACME server is done over HTTPS, using JWS. The ACME server is structured as a REST application, exposing a number of REST endpoints.
How the letsencrypt tool works
letsencrypt is an ACME client: a program implementing the ACME protocol, used for certificate management, i.e. actions like issuance, renewal and revocation. It connects to the ACME server to process certificates.
On Ubuntu, the package installation creates a systemd unit ‘certbot.timer’ that runs twice a day and automatically renews certificates that are about to expire.
ACME spec: https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html
Certbot docs: https://certbot.eff.org/docs/