
SSL Certificates from Let's Encrypt

E-mail: security@lbl.gov

Let's Encrypt provides free SSL certificates that are trusted by all major browsers. Let's Encrypt validates domain ownership directly with the web server via the ACME protocol. Web servers typically install an ACME client, such as Certbot, to facilitate this process.

Limitations

Let's Encrypt currently has several limitations that prevent widespread adoption in the LBNL environment.

  • The maximum lifetime of a certificate is 90 days, so you need to put a process in place to facilitate frequent renewal. There are situations in which this is not possible, for example appliances that do not allow OS access or arbitrary code. Another example is an application environment, such as Java/Tomcat, that must be restarted to use a new certificate.
  • The renewal process requires the web server to be accessible from the Internet. There are deployments that use SSL certificates but for which Internet accessibility is not desirable.

Recommendations

We currently only recommend Let's Encrypt for limited situations when the web server is on a Linux/UNIX computer using Apache and accessible from the Internet (e.g. Registered Web Servers). Additionally, we recommend the following configuration.

  • Set automatic renewal of certificates every 60 days
  • Use Certbot with Simple HTTPS validation (requires root access)

For all other situations, we continue to recommend SSL Certificates from GoDaddy.

Pre-implementation

Before you can set up Let's Encrypt, you must have 80/tcp accessible from the Internet. You can submit a Web Server Registration to open just 80/tcp for this purpose. This will be a temporary registration to enable Let's Encrypt. The web server must pass a full vulnerability scan before the registration is made permanent.

Overview of getting a Let's Encrypt certificate

    Using Certbot (on apache/nginx)

    Requirements:

    • Certbot presently only runs on Unix-like OSes
    • Python 2.6 or 2.7
    • root privileges
    • http or https access

    Step 1: Make sure your server is accessible

    • Check firewall configuration
    • Make sure your webserver is listening on port 443
    • Make sure your webserver is accessible from the Internet (e.g. Registered Web Servers)

    Step 2: Download the client

    Go to https://certbot.eff.org/. Select the type of webserver you are running and the operating system it is on. Some systems will have packaged versions of Certbot while some will require you to download a script. The two are functionally the same and take the same arguments.

    Step 3: Install the package or script

    These will vary slightly depending on the server and operating system. Follow the instructions for your system.

    Step 4: Request a certificate

    For example, on Ubuntu 16 running an apache web server:

    sudo letsencrypt --apache

    First select the host you want to get a certificate for. Then select if your machine will be using HTTP and HTTPS or just HTTPS.


    Note: This process searches your apache configurations for hosts. Sometimes hosts aren't found if multiple virtual hosts are defined in the same conf file. The name can be manually entered with the --domains domain.name flag if this occurs.

    Step 5: Automate renewals

    Add the following command as a cron or systemd job:

    letsencrypt renew
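
    The renewal job from Step 5, written out as an added example script (not from this page or from the Certbot project) that makes the 60-day recommendation explicit: it checks the live certificate with openssl and runs the renewal, with a deploy hook for the service that has to reload the new certificate. It assumes the certbot CLI (the `letsencrypt` command on Ubuntu 16 is the same tool), that Apache is the service to reload, and that the certificate path is passed as the first argument; the cron line in the comment is a constructed example.

```shell
#!/bin/sh
# Added example, not LBNL's or Certbot's own code. Renewal policy from the
# page: certificates live 90 days and should be renewed every 60 days, so a
# renewal is due once 30 days or fewer remain.
# Constructed cron entry (daily at 03:17):
#   17 3 * * * /usr/local/sbin/le-renew.sh /etc/letsencrypt/live/HOSTNAME/cert.pem
set -u

LIFETIME_DAYS=90        # Let's Encrypt certificate lifetime
RENEW_AFTER_DAYS=60     # LBNL recommendation: renew every 60 days

# renewal_threshold_days: prints how many days may remain before renewal is due.
renewal_threshold_days() {
    echo $((LIFETIME_DAYS - RENEW_AFTER_DAYS))
}

# renewal_due REMAINING_DAYS: exit 0 when REMAINING_DAYS is at or below the
# threshold (i.e. at least 60 days of the 90-day lifetime have been used).
renewal_due() {
    [ "$1" -le "$(renewal_threshold_days)" ]
}

# cert_expires_within CERT_FILE DAYS: exit 0 when the certificate's notAfter
# falls within DAYS from now. openssl's -checkend takes seconds and exits 0
# when the certificate is still good for that long, hence the negation; an
# unreadable or malformed certificate also counts as "expiring", so the
# safe action (attempt renewal) is taken.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# renew_if_due CERT_FILE: run certbot only when renewal is due. The deploy
# hook (assumed: Apache) is where a service that does not reread its
# certificate, such as the Tomcat case from the Limitations section, is
# restarted after a successful renewal.
renew_if_due() {
    if cert_expires_within "$1" "$(renewal_threshold_days)"; then
        certbot renew --quiet --deploy-hook "systemctl reload apache2"
    else
        echo "certificate $1 has more than $(renewal_threshold_days) days left; not renewing"
    fi
}

# Act only when given a certificate path, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    renew_if_due "$1"
fi
```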


    Additional details and Alternatives

    Our documentation is just an outline; there is detailed documentation on this process at https://certbot.eff.org/

    There are literally dozens of other ACME clients one could use to perform the domain validation. 

    We continue to follow this technology and as other domain validation methods appear (such as DNS in a way we can automate at LBNL) we will update this documentation.

    There are many hosting providers, such as GoDaddy and Dreamhost, that support Let's Encrypt. Some even simplify the process through their cPanel. Check with your hosting provider for Let's Encrypt support and the installation process for third-party certificates. There are also many third-party ACME clients that make installation in certain environments easier.

    Feedback

    Feel free to give us feedback. This is a new technology and we are still learning how best to utilize it at LBNL. If you have questions or comments, contact security@lbl.gov.