Let's Encrypt is a certificate authority (CA) that went live in 2015 and issues free X.509 certificates for use with Transport Layer Security (TLS). This closes a large gap in the deployment of encrypted web content: the certificates offered by commercial trust centers were affordable only for large companies and organizations, while free certification bodies such as CAcert lacked the support of the browser vendors, so that even with a valid CAcert certificate not every browser displayed a trust relationship.
In addition, Let's Encrypt has developed scripts that almost completely automate the certification process. All steps described here are script-based, so that even technically less experienced administrators of a website can set up SSL-based websites. Even a separate registration with the certification authority is not required.
To automate certification, Let's Encrypt uses the challenge-response mechanism of the Automatic Certificate Management Environment (ACME). Requests are made either to a specific sub-path on the web server or directly to the DNS of the domain to be certified. In both cases a token previously issued by Let's Encrypt is published, either on a special sub-path of the web server or as a TXT resource record in the DNS of the respective domain, and is then queried by Let's Encrypt's servers. A correct response with the token proves that the applicant controls the web server, or directly the DNS server, and thus the associated domain (domain validation).
By deploying Certbot, an easy-to-use, automated client that obtains and installs SSL/TLS certificates for web servers, the certification process is automated to the extent that certificates are generated for the domains configured on the web server and the web server is configured accordingly.
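The mechanism described above can be worked through with an added example (it is not code from the original article nor from Let's Encrypt or Certbot). It computes what ACME (RFC 8555) actually publishes for the two challenge types: the http-01 response body is the "key authorization" (token, a dot, and the RFC 7638 thumbprint of the account's public key), and the dns-01 TXT value is the base64url SHA-256 of that key authorization. The account key, the token and the domain below are constructed placeholders, and the two validator functions mirror the check Let's Encrypt's servers perform rather than being their code.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWK and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample inputs: not a real account key (the modulus is just the
# bytes 1..64) and not a token ever issued by Let's Encrypt.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}
SAMPLE_TOKEN = "constructed-token-2Ab7x"
SAMPLE_DOMAIN = "www.example.test"

# RFC 7638: only the required public members take part in the thumbprint.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members, keys sorted, no whitespace (RFC 7638)."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: the value the client must prove it can publish."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_resource_path(token: str) -> str:
    """Path the CA fetches over plain HTTP for the http-01 challenge."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_record_name(domain: str) -> str:
    """Name of the TXT record the CA queries for the dns-01 challenge."""
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record content: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def http01_response_is_valid(fetched_body: str, token: str, jwk: dict) -> bool:
    """Validator side: body must equal the key authorization; trailing
    whitespace is ignored, as RFC 8555 section 8.3 allows."""
    return fetched_body.rstrip() == key_authorization(token, jwk)


def dns01_record_is_valid(txt_records, token: str, jwk: dict) -> bool:
    """Validator side: one of the TXT records must carry the expected value."""
    return dns01_txt_value(token, jwk) in set(txt_records)


if __name__ == "__main__":
    print("thumbprint :", jwk_thumbprint(SAMPLE_JWK))
    print("http-01 GET:", f"http://{SAMPLE_DOMAIN}{http01_resource_path(SAMPLE_TOKEN)}")
    print("http-01 body:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01 TXT :", dns01_record_name(SAMPLE_DOMAIN), dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Note that the thumbprint, and therefore both challenge responses, are bound to the account key: a token alone proves nothing, and anyone able to publish the key authorization at that path or TXT name is, for ACME's purposes, the controller of the domain.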
First, on Debian Linux, the backports repository is added to sources.list. The example shown here is for Debian "Stretch".
# echo "deb http://ftp.debian.org/debian stretch-backports main" >> /etc/apt/sources.list
# apt-get update
Afterwards Apache2 (if not already installed) and the Let's Encrypt Certbot are installed.
# apt-get install apache2 python-certbot-apache
For other systems and web servers, certbot.eff.org offers further installation instructions.
The configuration of Let's Encrypt is now interactive and, compared with the first versions, very easy:
# certbot apache
# systemctl restart apache2
If not all domains are to be included in one certificate, the unwanted domains can be deselected. The certificates for the deselected domains are then generated in a second call to certbot.
In the interactive configuration, the client asks if all HTTP requests should be redirected to HTTPS and, if agreed, creates the appropriate configuration below /etc/apache2/sites-available/ with the extension -le-ssl.conf.
If SSL web pages are already configured and are to be replaced, the complete SSL VirtualHost directives must be removed first.
For each domain later added in Apache, the client is run again and the corresponding domain is selected to make it reachable via SSL.
As usual, the certificates are only valid for 90 days; after that they expire. But renewal is very easy and can be automated.
# certbot renew --dry-run
performs a dry run that reads in all website configurations to test the renew functionality. The configuration files are not changed. If successful, the message appears:
Congratulations, all renewals succeeded.
# certbot renew
actually generates new certificates. The renewal process can be automated with an entry in the crontab:
0 0 * * * /usr/bin/certbot renew -q --post-hook "/usr/sbin/service apache2 restart"
This checks daily whether certificates need to be renewed and, if so, carries out a renew. If the expiration date has not yet been reached, certbot declines to renew. The -q option instructs the client to produce output only if errors occur during the renew.
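What the daily cron run decides for each certificate can be made visible with an added example (not code from the article or from Certbot). It parses the notAfter line that `openssl x509 -noout -enddate -in cert.pem` prints and classifies each certificate as expired, due for renewal, or to be skipped, using the 30-day renewal window that Certbot applies by default. The certificate inventory and the fixed "now" are constructed so the example runs offline; in practice the enddate lines would come from the live certificates under /etc/letsencrypt/live/.

```python
from datetime import datetime, timedelta, timezone

# Certbot's default: a certificate is renewed once fewer than 30 days remain.
RENEWAL_WINDOW_DAYS = 30

# Constructed inventory: domain -> output line of `openssl x509 -noout -enddate`.
# Note the double space before single-digit days, exactly as openssl prints it.
SAMPLE_INVENTORY = {
    "www.example.test": "notAfter=Jun 15 12:00:00 2024 GMT",
    "mail.example.test": "notAfter=Aug  1 00:00:00 2024 GMT",
    "old.example.test": "notAfter=May  1 00:00:00 2024 GMT",
}
# Constructed point in time at which the daily cron job runs.
NOW = datetime(2024, 5, 20, 0, 0, tzinfo=timezone.utc)


def parse_openssl_enddate(line: str) -> datetime:
    """Turn 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: datetime, now: datetime) -> float:
    """Remaining lifetime in days; negative once the certificate has expired."""
    return (not_after - now).total_seconds() / 86400


def is_due_for_renewal(not_after: datetime, now: datetime,
                       window_days: int = RENEWAL_WINDOW_DAYS) -> bool:
    """True when the certificate expires within the renewal window."""
    return not_after - now <= timedelta(days=window_days)


def renewal_plan(inventory: dict, now: datetime,
                 window_days: int = RENEWAL_WINDOW_DAYS) -> dict:
    """Classify every certificate as 'expired', 'renew' or 'skip'."""
    plan = {}
    for name, enddate_line in inventory.items():
        not_after = parse_openssl_enddate(enddate_line)
        if not_after <= now:
            plan[name] = "expired"
        elif is_due_for_renewal(not_after, now, window_days):
            plan[name] = "renew"
        else:
            plan[name] = "skip"
    return plan


if __name__ == "__main__":
    for name, decision in renewal_plan(SAMPLE_INVENTORY, NOW).items():
        remaining = days_until_expiry(parse_openssl_enddate(SAMPLE_INVENTORY[name]), NOW)
        print(f"{name:20s} {remaining:7.1f} days left -> {decision}")
```

Running a check like this from monitoring, independently of the cron job, catches the case the page warns about in spirit: a renewal that silently fails (for example because the ACME challenge path is no longer reachable) only becomes visible as an expired certificate if nothing else watches the remaining lifetime.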