Yesterday I was working on some organic content generation software and needed to spin up a test website.

Easy enough. I provisioned a t2.micro instance on AWS EC2 and installed Apache using Yum. After doing some basic hardening (see: Why is Apache Vulnerable by Default?) I was ready to install a TLS certificate and make the whole site https-by-default.

My hand was hovering over the “Buy Now” button on NameCheap.com with a Comodo nine-dollar-special in the cart when something pinged in the back of my mind: why not finally try Let’s Encrypt instead?

Let’s Encrypt the Web

Let’s Encrypt is a certificate authority with an easy to understand mandate: make the web secure by providing free X.509 certificates for Transport Layer Security (TLS).

I had heard about the project back in 2015, but initially dismissed it because, by nature, it wouldn’t have green-bar support for organization-level verification, and at the time my portfolio of clients was all national brands.

Obviously I missed the point.

Brushing Aside Assumptions

Free sounds good, though I had a few initial assumptions/preconceptions about Let’s Encrypt.

Chief among them was that, because they were “just” a free certificate authority, being issued a certificate “their way” would probably be more of a hassle than simply buying one from a commercial vendor.

Having resolved to look into it, however, I visited their website https://letsencrypt.org/ and was immediately greeted with a very friendly “Get Started” button.

That’s pretty straightforward.

Getting Started

Clicking that, I got… a wall-of-text.

“Meh,” I thought, now certain that the process was indeed going to be convoluted and time-consuming. My hand twitched the mouse cursor back towards the shopping cart tab but thankfully my eye was faster and saw the link for “CertBot.”

CertBot. That sounds automated.

*click*

You Had Me at Hello

Suddenly the Let’s Encrypt project was cast into an entirely new light: here was a platform and mission that also looked like it had a killer app.

Looking through the Software list I chose Apache, which I had already installed.

Looking through the System list I chose “Other UNIX,” since the Amazon AMI wasn’t listed and there are enough differences from CentOS/RHEL 7 that I figured it would require a more generic approach.

CLI but as basic as can be

How Easy Was That?

Following the directions above popped up a convenient shell interface for specifying which domains I wanted to list in the SSL certificate.

Once I input the domain name it automatically contacted the certificate authority, verified my DNS records (I had already created A records and pointed them to the server’s IP), and prompted me to accept changes to my default /conf.d/ssl.conf file: it automatically inferred my virtual host settings.

I restarted Apache, the cert was live, and I had a nice green lock next to the domain name. Wow.

Some Thoughts

Let’s Encrypt has a powerful mission and a killer app thanks to the Electronic Frontier Foundation. Kudos to the Internet Security Research Group for changing the way I’ll approach TLS certificate deployments in a very productive way.

The biggest caveat is that the certificates only last for 90 days. On the other hand, a simple cron job can automatically renew them using CertBot, so there’s no problem there:

Fire and forget
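The one operational risk of a 90-day certificate is a renewal that fails quietly until the site stops loading. The script below is an added example, not the post author’s cron line or anything shipped by Certbot: it runs the renewal from cron and then checks how many days the live certificate actually has left, exiting non-zero (so cron mails you) when it is still close to expiry. It assumes things the post does not state: that `certbot` is on the PATH, that Apache runs as the `httpd` service, that Certbot stores live certificates under `/etc/letsencrypt/live/<domain>/`, that GNU `date -d` is available (as on Amazon Linux), and that `example.com` is a placeholder domain.

```shell
#!/bin/sh
# Added example (not from the original post): a cron-driven renewal wrapper
# that also verifies the renewed certificate, so a silently failing renewal
# is caught well before the 90-day lifetime runs out.
#
# Assumed, not taken from the post: certbot is on PATH, Apache runs as the
# "httpd" service, certbot keeps live certs under /etc/letsencrypt/live, and
# GNU coreutils provides `date -d`. Install with a crontab line such as
# (example.com is a placeholder domain):
#   0 3 * * * /usr/local/bin/renew-and-verify.sh example.com
set -eu

MIN_DAYS_LEFT=25   # alert if fewer days remain after the renewal attempt

# Print the number of whole days the certificate file $1 remains valid.
# Prints 0 when the file is missing or cannot be parsed, so callers treat
# "unreadable" the same as "expired".
days_remaining() {
    cert="$1"
    [ -r "$cert" ] || { echo 0; return 0; }
    not_after=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
    [ -n "$not_after" ] || { echo 0; return 0; }
    now=$(date +%s)
    end=$(date -d "$not_after" +%s 2>/dev/null) || { echo 0; return 0; }
    echo $(( (end - now) / 86400 ))
}

# Succeed (exit 0) when $1 days of remaining validity is below the $2-day floor.
expiring_soon() {
    [ "$1" -lt "$2" ]
}

# Run the renewal, then verify the outcome; a non-zero exit makes cron report it.
renew_and_verify() {
    domain="$1"
    live="/etc/letsencrypt/live/$domain/cert.pem"

    # --quiet keeps cron mail empty on success; the deploy hook fires only when
    # a certificate was actually replaced, so Apache is not reloaded needlessly.
    certbot renew --quiet --deploy-hook "systemctl reload httpd"

    left=$(days_remaining "$live")
    if expiring_soon "$left" "$MIN_DAYS_LEFT"; then
        echo "WARNING: $domain certificate has $left day(s) left after renewal run" >&2
        return 1
    fi
    echo "$domain certificate OK: $left day(s) remaining"
}

# Only act when a domain argument is given; sourcing the file just defines the functions.
[ $# -eq 0 ] || renew_and_verify "$1"
```

Certbot’s own `renew` already skips certificates with more than 30 days left, which is why the floor here is set slightly lower at 25 days: a warning means the renewal was attempted and did not produce a fresh certificate, which is exactly the case worth a look.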

Overall, compared to any other domain-level verification method I’ve used this was so easy and so fast I can’t imagine doing it any other way now.

About the only “weird thing” is CertBot’s webpage icon — his truncated form looks like the Grim Reaper!

My chief complaint, if there’s anything worth complaining about, is the one part of the initial user experience/user education which falls down: that wall-of-text in the Getting Started section could just as easily be a quick set of buttons or dropdowns that lead the user to the right decision (in my case, using CertBot) with an option to read the full blurb if they want to.

Will it hurt anyone to leave the longer explanation up? Of course not; technical people read stuff like that all the time. But Let’s Encrypt makes everything else so easy, why not ease this choke point a bit?

Oh, and adding the Amazon AMI for EC2 to the Systems list would be a nice bonus!