Let's Encrypt quick start

A short guide to the bare minimum you want to know before you start using Let's Encrypt.

Glossary

What is Let's Encrypt

Let's Encrypt is a CA (certificate authority): it issues publicly trusted TLS certificates for free, through a fully automated process.

To enable HTTPS on your website, you need to obtain an X.509 (PKIX) certificate for it from a CA that browsers and other clients trust.

In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain by passing a challenge. 

A challenge is one of a small set of tasks that only someone who controls the domain should be able to accomplish, for example serving a specific file over HTTP at a path the CA names (HTTP-01) or publishing a specific DNS TXT record under the domain (DNS-01).

The older TLS-SNI-01 challenge doesn't work behind a CDN, because the domain name points at the CDN's servers, not directly at yours. It has since been retired by Let's Encrypt after it was shown to be abusable on shared hosting, and it is not part of the final ACME specification (RFC 8555). HTTP-01 usually does work behind a CDN as long as the CDN passes requests for /.well-known/acme-challenge/ through to your origin, and DNS-01 works regardless of where the name points.
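As an added example (not from the original guide and not Certbot's code), here is how the two challenge responses Let's Encrypt still supports are derived from the challenge token and the account key, in Python using only the standard library. The JWK modulus and the token below are constructed placeholders; the thumbprint and key-authorization steps follow RFC 7638 and RFC 8555 section 8.1, and the token check is the one a client should run before it turns the token into a file name.

```python
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed account key: the modulus is a placeholder, not a real RSA key.
# Only the public JWK is needed to answer a challenge; the private key never leaves the client.
ACCOUNT_JWK = {"kty": "RSA", "n": "AQIDBAUGBwgJCgsMDQ4P", "e": "AQAB"}


def jwk_thumbprint(jwk: dict) -> bytes:
    """RFC 7638 thumbprint: SHA-256 over the JSON of the required public members only,
    keys in lexicographic order, no whitespace. Extra members (kid, alg, ...) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("ascii")).digest()


# RFC 8555 section 8.1: a token contains only base64url characters and no padding. Enforce that
# client-side, because for http-01 the token becomes a file name under /.well-known/acme-challenge/
# and a hostile or compromised ACME server must not be able to steer that write elsewhere.
TOKEN_RE = re.compile(r"\A[A-Za-z0-9_-]+\Z")


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || base64url(JWK thumbprint), RFC 8555 section 8.1."""
    if not TOKEN_RE.match(token):
        raise ValueError(f"refusing non-base64url token {token!r}")
    return f"{token}.{b64url(jwk_thumbprint(jwk))}"


def http01_response(token: str, jwk: dict) -> tuple:
    """http-01 (section 8.3): the path the CA will fetch and the exact body to serve there."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(token: str, jwk: dict, domain: str) -> tuple:
    """dns-01 (section 8.4): TXT record name and value. The value is
    base64url(SHA-256(key authorization)), not the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def ca_validates_http01(fetched_body: str, token: str, jwk: dict) -> bool:
    """The CA's side of http-01: the body must equal the key authorization. Trailing
    whitespace is tolerated (section 8.3); anything else fails validation."""
    return fetched_body.rstrip() == key_authorization(token, jwk)


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample token
    print(http01_response(token, ACCOUNT_JWK))
    print(dns01_record(token, ACCOUNT_JWK, "example.com"))
```

The two responses share the key authorization but differ in what is published: http-01 serves it verbatim, dns-01 publishes only its SHA-256 digest, so a DNS record never reveals the authorization string itself.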

With Let's Encrypt this is usually done by running ACME client software, typically on the web host itself. The recommended client is Certbot, but there are many others to choose from: standalone tools, web-server plugins and libraries for most languages.

If you don't have shell access to your server, check whether your hosting provider supports Let's Encrypt; many integrate it directly in their control panel.

What is a certificate

PKIX certificates are used for a number of purposes, the most significant of which is the authentication of domain names.

Different types of certificates reflect different levels of CA verification of the certificate subject: domain validation (DV) only checks control of the domain name, while organization validation (OV) and extended validation (EV) also verify the legal entity behind it. Let's Encrypt issues DV certificates only.

What is ACME

In general, CAs use a set of ad hoc procedures for identity verification and certificate issuance. Typically the user creates an account on the CA's website, proves control of the domain out of band (for instance by placing a file on the web server or answering an email), submits a CSR, then downloads the certificate and installs it by hand.

Following those instructions manually can be confusing and time consuming. ACME is here to help.

ACME is a protocol for automating certificate issuance, which lets software obtain certificates without user interaction. The protocol also covers renewal, revocation and account key changes, so an ACME client can handle that maintenance for you; note that automatic renewal is a feature of the client, not something the CA does on its own.

Communications between an ACME client and an ACME server are done over HTTPS, and every request body is a JWS (JSON Web Signature) signed with the client's account key; the protected header carries a fresh anti-replay nonce and the URL the request is sent to. The ACME server is structured as a REST application exposing a number of endpoints (the directory, newNonce, newAccount, newOrder, revokeCert and so on).
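An added example, not code from this guide or from any ACME implementation: the shape of one signed ACME request and the checks a server runs on it (anti-replay nonce, URL binding, account key signature), in Python with the standard library only. The account URL, request URL and payload are made up. The RS256 routine and its toy 1024-bit key generation are written inline purely so the example runs offline; a real client uses a proper crypto library and a larger key.

```python
import base64
import hashlib
import json
import secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# RS256 (RSASSA-PKCS1-v1_5 with SHA-256) spelled out so no third-party library is needed.
def _is_probable_prime(n: int, rounds: int = 24) -> bool:  # Miller-Rabin
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 1024):  # toy generator, returns ((n, e), (n, d))
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1  # full size, odd
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (n, e), (n, pow(e, -1, phi))

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(private, message: bytes) -> bytes:
    n, d = private
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(public, message: bytes, signature: bytes) -> bool:
    # Rebuild the expected encoding and compare; parsing the padding is where PKCS#1 v1.5 verifier bugs live.
    n, e = public
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(recovered, _emsa_pkcs1_v15(message, k))

def acme_post(private, kid: str, nonce: str, url: str, payload: dict) -> dict:
    """Client side: the flattened JWS carried by every ACME POST (RFC 8555 section 6.2)."""
    protected = {"alg": "RS256", "kid": kid, "nonce": nonce, "url": url}
    p64 = b64url(json.dumps(protected, separators=(",", ":")).encode("ascii"))
    pl64 = b64url(json.dumps(payload, separators=(",", ":")).encode("ascii"))
    signature = rs256_sign(private, f"{p64}.{pl64}".encode("ascii"))
    return {"protected": p64, "payload": pl64, "signature": b64url(signature)}

class AcmeServer:
    """Server side: the checks that run on every POST before the payload is acted on."""
    def __init__(self):
        self.accounts = {}  # account URL (kid) -> public key registered via newAccount
        self.nonces = set()  # nonces handed out in Replay-Nonce headers and not yet spent

    def new_nonce(self) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self.nonces.add(nonce)
        return nonce

    def verify_post(self, request_url: str, jws: dict):
        """Returns None if the request is acceptable, otherwise the ACME error type to send back."""
        protected = json.loads(b64url_decode(jws["protected"]))
        if protected.get("alg") != "RS256":  # never accept 'none' or a MAC algorithm here
            return "badSignatureAlgorithm"
        nonce = protected.get("nonce")
        if nonce not in self.nonces:  # unknown or already spent: a replayed request lands here
            return "badNonce"
        self.nonces.discard(nonce)  # single use
        if protected.get("url") != request_url:  # the URL the client signed must be the one it hit
            return "unauthorized"
        public = self.accounts.get(protected.get("kid"))
        if public is None:
            return "accountDoesNotExist"
        signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
        if not rs256_verify(public, signing_input, b64url_decode(jws["signature"])):
            return "malformed"  # Boulder reports a JWS verification failure this way
        return None
```

To drive it, register a public key under an account URL in `AcmeServer.accounts`, fetch a nonce with `new_nonce()`, build a request with `acme_post()` and hand it to `verify_post()` with the URL it was sent to. Sending the same body twice fails with badNonce, and sending it to a different endpoint fails with unauthorized even though the signature is valid, which is the point of binding both into the protected header.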

How the letsencrypt tool works

letsencrypt (the old name of Certbot's command-line tool) is an ACME client: a program implementing the ACME protocol for certificate management, that is issuance, renewal, revocation and so on. It connects to the CA's ACME server to have certificates issued.

On Ubuntu, the certbot package installs a systemd timer, certbot.timer, that runs certbot renew twice a day; by default it only replaces certificates that are within 30 days of expiry, so most runs do nothing. Check that the timer is active with systemctl list-timers certbot.timer, and rehearse a renewal with certbot renew --dry-run, which talks to the Let's Encrypt staging environment and does not touch the installed certificates.

Links

ACME spec (draft): https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html (the final version is RFC 8555: https://www.rfc-editor.org/rfc/rfc8555)

Certbot docs: https://certbot.eff.org/docs/