We know the many reasons why it is good for a web site to be SSL-protected (see the padlock in the purple oval at right). Reasons include:
- an eavesdropper cannot see the information flowing back and forth
- search engines such as Google give higher page rankings to SSL-protected sites
(I have blogged about the importance of SSL protection here and here and here.) Why doesn’t everyone secure every web site with SSL? One reason might be cost. To secure a web site with SSL, it is necessary to obtain an SSL certificate from a Certificate Authority. The company we have traditionally used for obtaining SSL certificates charges $56 per year for a basic SSL certificate.
I was astonished, however, to learn recently that there is a free-of-charge Certificate Authority! Our firm operates quite a few web sites, and I am delighted that we will save some money in recurring costs by using the free-of-charge CA.
It will be recalled that there are various types of web server SSL certificates. The most expensive type of SSL certificate is one in which the CA has independently vetted the identity of the owner. This vetting typically involves checking corporate standing with a Secretary of State and placing a test phone call or two.
A basic SSL certificate, which is what most people use in an SSL-protected web site, does not involve any vetting. The CA carries out a very simple automated check to see if you actually control the domain name of interest, and then issues the SSL certificate in an automated way. This is what we have traditionally paid $56 per year for.
Our legacy approach has been to obtain the basic SSL certificate (not the vetted kind) from the legacy CA, and then to install the certificate in the web server. This requires a dozen or so rather fiddly steps, including:
- remembering that it is time to renew the SSL certificate
- creating a “key pair” (a public cryptographic key and a private cryptographic key)
- creating a Certificate Signing Request which contains the public key
- transmitting the CSR to the CA
- paying money to the CA
- receiving the signed certificate from the CA
- receiving a bundle of intermediate certificates from the CA
- installing the private key and signed certificate and bundle onto the web server
- docketing to remember the next time that the SSL certificate will need to be renewed
The fuss and bother of this process has traditionally prompted us to purchase SSL certificates with the longest possible term, typically three years, so as to minimize how often we must carry out this process. Such certificates cost a lot of money.
The main point of this blog article is to report that this basic type of SSL certificate can be gotten free of charge nowadays. The free-of-charge Certificate Authority is called Let’s Encrypt.
A typical way to use this free service is to run the web site on a hosting platform which carries out all steps automatically through a protocol called ACME (“Automated Certificate Management Environment”). In our case, we use Synology servers. The Synology server has the ACME client built in. (We really like Synology servers, and I have blogged about them here and here and here.) The server carries out the various steps (generating a key pair, creating the CSR, sending it to the CA, obtaining the signed certificate, loading the various cryptographic files into the web server) automatically. When the certificate nears the end of its term, the server carries out all of these steps again, automatically.
This delightful situation means that we don’t need to carry out the fiddly renewal steps by hand. The server takes care of the renewals automatically.
The certificate lifetime from Let’s Encrypt is a mere 90 days. But that short lifetime is not really a problem, because the renewals happen automatically.
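Because a 90-day certificate leaves little slack if the ACME client quietly stops renewing, it is worth an independent check that renewals are actually happening. The Python below is an added example, not code from the original post or from Synology; the sample certificate dictionary, the host name and the 30-day/14-day thresholds are constructed assumptions (standard library only).

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# The expiry mirrors the date quoted in the comments; all else is made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "blog.example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),
               (("commonName", "sample intermediate"),)),
    "notBefore": "Sep 11 17:11:00 2017 GMT",
    "notAfter": "Dec 10 17:11:00 2017 GMT",
}
# Epoch seconds of the sample's notAfter, handy for tests and thresholds.
SAMPLE_EXPIRY = ssl.cert_time_to_seconds(SAMPLE_CERT["notAfter"])


def days_remaining(cert, now_ts=None):
    """Days until notAfter (fractional; negative once expired).
    now_ts is epoch seconds; defaults to the current time."""
    now_ts = time.time() if now_ts is None else now_ts
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expires - now_ts) / 86400.0


def renewal_status(cert, now_ts=None, renew_at=30, alarm_at=14):
    """Classify a 90-day Let's Encrypt cert against an auto-renewing client.
    Assumption: ACME clients typically renew with ~30 days left, so a cert
    still live with fewer than alarm_at days means renewal is failing."""
    left = days_remaining(cert, now_ts)
    if left <= 0:
        return "expired"
    if left < alarm_at:
        return "renewal-failing"
    if left < renew_at:
        return "renewal-due"
    return "ok"


def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(f"{days_remaining(cert):.1f} days left: {renewal_status(cert)}")
```

Run it from cron with the host name as the argument and alert on anything other than "ok"; a status of "renewal-failing" is the signal that the ACME job needs attention before the 90 days run out.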
Have you personally carried out the SSL steps described above for your own web site? Have you made use of Let’s Encrypt? Please post a comment below about this.
And now the chance to win a couple of prizes.
Prize number 1. The SSL certificate that protects this blog web site has an expiration date. The first reader to post a comment correctly stating the expiration date of this SSL certificate will win a prize, namely an OPLF digital voltmeter.
Prize number 2. The screen shot at the top of the blog has not only a purple oval around the SSL padlock, but also an orange oval around an icon (the icon is also quoted at right). The first reader who provides the webmaster-geek term for this kind of icon (posting the answer in a comment below) will also win a prize, namely an OPLF voltmeter.
Your certificate expires on Sunday, December 10, 2017 at 5:11:00 PM
🙂
So soon! Got that ACME cron job running?
We have a winner for prize number 1! December 10, 2017 is the right answer. Mike Fitton will receive an OPLF digital voltmeter.
The Synology operating system (a user-friendly GUI on top of Linux) does the ACME task in an automatic way. Yes, I would not be at all surprised if it uses a cron job for this purpose.
I think the doodad inside the orange circle is called a favicon, but that’s a little more outside my usual field.
We have a winner for prize number 2. Yes it’s called a favicon. Mike Fitton wins a second OPLF digital voltmeter!
You can never have too many voltmeters!
Great post Carl. We have been using the free cert for a while now for our private cloud/download system, but not for our public facing website. That may change. I performed the most old fashioned SSL cert install on our web site, the non-free kind of cert, and it was a huge time sink. I asked my IT to respond to your two questions, I understand he just did.
Right, what Rick said, and I’ll elaborate a little. The server he spoke of is handcrafted from the finest FreeBSD grapes. It gives up a bit in manageability (all console and SSH), but more than worth it for the solid reliability and very narrow attack surface. There are a few ACME clients for BSD – we’re using dehydrated. Broad strokes can be found here:
http://www.freebsdrocks.net/index.php/documents/10-installing-applications/154-letsencrypt
It’s also behind a reverse proxy, so there are a few additional steps regarding that in the initial setup. See your local haproxy retailer for program details.
Thank you, Carl!