SSL Certificates from Let's Encrypt
Let's Encrypt provides free SSL/TLS certificates that are trusted by all major browsers. Let's Encrypt validates control of the domain directly against the web server via the ACME protocol. Web servers typically run an ACME client, such as Certbot, to automate this process.
Let's Encrypt currently has several limitations that prevent widespread adoption in the LBNL environment.
- The maximum lifetime of a certificate is 90 days, so you need a process in place for frequent renewal. There are situations in which this is not possible, for example appliances that do not allow OS access or running arbitrary code. Another example: application environments such as Java/Tomcat need to be restarted to pick up a new certificate, so the renewal process must also schedule that restart.
- The renewal process (with the web-server-based validation described here) requires the web server to be reachable from the Internet. There are cases where SSL certificates are in use but Internet accessibility is not desirable.
We currently only recommend Let's Encrypt for the limited situation where the web server is a Linux/UNIX computer running Apache and is accessible from the Internet (e.g. Registered Web Servers). Additionally, we recommend the following configuration:
- Renew certificates automatically about 60 days after issuance (30 days before they expire)
- Use Certbot with its web-server-based (Simple HTTPS) validation rather than DNS validation (requires root access)
For all other situations, we continue to recommend SSL Certificates from GoDaddy.
Before you can set up Let's Encrypt, 80/tcp must be reachable from the Internet. You can submit a Web Server Registration to open 80/tcp for this purpose alone. This will be a temporary registration to enable Let's Encrypt; the web server must pass a full vulnerability scan before the registration is made permanent.
Overview of getting a Let's Encrypt certificate
Using Certbot (on Apache/nginx)
- Certbot presently only runs on Unix-like OSes
- Python 2.6 or 2.7
- root privileges
- HTTP or HTTPS access to the server from the Internet
Step 1: Make sure your server is accessible
- Check firewall configuration
- Make sure your web server is listening on ports 80 and 443
- Make sure your web server is accessible from the Internet (e.g. Registered Web Servers)
Step 2: Download the client
Go to https://certbot.eff.org/ and select the web server you are running and the operating system it runs on. Some systems have a packaged version of Certbot, while others require you to download a script; the two are functionally the same and take the same arguments.
Step 3: Install the package or script
These will vary slightly depending on the server and operating system. Follow the instructions for your system.
Step 4: Request a certificate
For example, on Ubuntu 16.04 running an Apache web server:
sudo letsencrypt --apache
First select the host name(s) you want a certificate for. Then choose whether the site will serve both HTTP and HTTPS, or redirect all HTTP requests to HTTPS.
Note: this process searches your Apache configuration for virtual hosts. Hosts are sometimes not found when several virtual hosts are defined in the same .conf file. If that happens, enter the name manually with the --domains domain.name flag.
Step 5: Automate renewals
Add the following command as a cron or systemd job:
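As an added example (not a command from this page, and not code from Certbot or Let's Encrypt), here is a renewal wrapper that can be installed as a cron job. It runs certbot only when the live certificate is inside the renewal window and uses a deploy hook so the web server actually starts serving the new certificate (a graceful reload for Apache, a restart for Java/Tomcat, which cannot pick up a new keystore otherwise). The certbot path, the certificate path, the host name www.example.org and the reload/restart commands are assumptions for the example:

```shell
#!/bin/sh
# Added example for this page; not the page's own command and not code from
# the Certbot project. A renewal wrapper to run from cron (or a systemd timer).
# Assumed, hypothetical values: certbot installed at /usr/bin/certbot, the live
# certificate at /etc/letsencrypt/live/www.example.org/cert.pem, Apache
# reloaded with "apachectl graceful", Tomcat restarted with systemctl.
set -eu

CERTBOT=/usr/bin/certbot
LIVE_CERT=/etc/letsencrypt/live/www.example.org/cert.pem
RENEW_WINDOW_DAYS=30   # certificates live 90 days; renew with 30 days left

# Succeeds when the certificate in $1 expires within RENEW_WINDOW_DAYS.
# "openssl x509 -checkend N" exits 0 only if the cert is still valid N seconds
# from now, so its failure is exactly the "needs renewal" condition.
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the certbot command for the given server type. The deploy hook runs
# only when a certificate was actually renewed, so the server picks up the new
# file: Apache needs a graceful reload, Java/Tomcat a restart.
renew_command() {
    case "$1" in
        apache) hook='apachectl graceful' ;;
        tomcat) hook='systemctl restart tomcat' ;;
        *)      echo "unknown server type: $1" >&2; return 1 ;;
    esac
    echo "$CERTBOT renew --quiet --non-interactive --deploy-hook '$hook'"
}

# Renew if due. certbot renew already skips certificates with more than 30
# days left, so the local check is belt and braces: it gives a log line and
# avoids contacting Let's Encrypt at all when nothing is due. Run this from
# root's crontab twice a day, e.g.
#   17 3,15 * * * /usr/local/sbin/le-renew.sh apache >>/var/log/le-renew.log 2>&1
# Running far more often than every 60 days is safe for the same reason.
main() {
    server_type=$1
    [ -r "$LIVE_CERT" ] || { echo "cannot read $LIVE_CERT" >&2; exit 2; }
    if needs_renewal "$LIVE_CERT"; then
        echo "$(date -u +%FT%TZ) renewing $LIVE_CERT"
        cmd=$(renew_command "$server_type")
        eval "$cmd"
    else
        echo "$(date -u +%FT%TZ) $LIVE_CERT not due for renewal"
    fi
}

# Only act when invoked with a server type; loading the file for its
# functions alone does nothing.
[ $# -eq 0 ] || main "$1"
```

Before relying on the cron job, run `/usr/bin/certbot renew --dry-run` by hand once: it exercises the validation against the Let's Encrypt staging environment without issuing a certificate, which is the quickest way to confirm that 80/tcp is really reachable and that the Apache configuration is picked up.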
Additional details and Alternatives
Our documentation is only an outline; detailed documentation on this process is available at https://certbot.eff.org/
There are dozens of other ACME clients one could use to perform the domain validation.
We continue to follow this technology, and as other domain validation methods become usable here (for example DNS-based validation, once it can be automated at LBNL) we will update this documentation.
Many hosting providers, such as GoDaddy and Dreamhost, support Let's Encrypt; some even simplify the process through their cPanel. Check with your hosting provider for Let's Encrypt support and for its procedure for installing third-party certificates. There are also many third-party ACME clients that make installation easier in certain environments.
Feel free to give us feedback. This is a new technology and we are still learning how best to utilize it at LBNL. If you have questions or comments, contact firstname.lastname@example.org