Let's Encrypt and SSL By Default


Yesterday marked a turning point for the web. The Let's Encrypt project is now in a public open beta and issuing free SSL certificates to anyone and everyone. Until now running your site over SSL has been a difficult and laborious process that required quite a bit of technical knowledge about how encryption works and also often a real financial cost.

But why is SSL important for your sites? Isn't HTTP good enough? The short answer is that if you use software like WordPress to log into your site, you want to be on a secure connection. On a private network like your home there's certainly less risk (though not zero), but what about when you're out and about? You'd be surprised just how easy it is to obtain credentials from websites when connected to the same open wireless network. Years ago the Firesheep browser plugin exposed this in grand fashion, allowing you to run a simple plugin and gain access to the login credentials that anyone on that wireless network was entering when the site wasn't secured.

But until now getting a certificate for your site was not a simple process. It requires generating a "Certificate Signing Request" where the site is hosted, purchasing a certificate from a company, then installing and activating that certificate at your host. Private keys are involved and frankly there are many steps in the process where things can go wrong, not to mention the biggest barrier in that certificates are not free.

Let's Encrypt addresses many of these fundamental issues by attempting to automate that entire process, and with the backing of major corporations and organizations they're doing it completely free, with the goal of SSL becoming the de facto standard for the web. As of yesterday it's now possible for us to take advantage of that.

Sadly, Let's Encrypt support in cPanel, which is the primary software that drives our servers at Reclaim Hosting, isn't there yet. However, I've kept an eye on this feature request for a long time now and luckily today I saw concrete steps we can take as a host to do this for users. Hopefully we can automate this in the future so that we can activate a certificate on every domain a user hosts with us by default.

For cPanel hosts the process is a bit more manual at the moment. You have to clone the Let's Encrypt GitHub repo to the server, then inside that folder run the following command:

./letsencrypt-auto --debug --server https://acme-v01.api.letsencrypt.org/directory --agree-tos -a webroot --webroot-path /home/username/public_html -m USEREMAIL -d USERDOMAIN certonly

Replace the webroot path with the folder where the site is hosted, and put in the email and the domain that should be secured. After a bit of time Let's Encrypt will issue all certificate files necessary to run the site on SSL in the /etc/letsencrypt/live folder. At that point, installing the certificate in cPanel is done at SSL/TLS > Install and Manage SSL for your site (HTTPS): copy the contents of the cert.pem file into the certificate area there, paste the contents of the privkey.pem file into the Private Key area, and paste the contents of chain.pem into the CABUNDLE section. Once that's done it will install and reload, and your site is now available over SSL.
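Before pasting the three files into cPanel, it helps to confirm that the private key actually belongs to the certificate and that the certificate is not already close to expiry. The script below is an added example, not part of the original post or the Let's Encrypt client; the function names and the 30-day default window are assumptions, and the directory you pass in is wherever cert.pem, privkey.pem and chain.pem were written for your domain.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the three files
# before installing them in cPanel. Function names and the 30-day default
# renewal window are assumptions made for this example.

# Print the public key (PEM) embedded in a certificate / derived from a key.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# key_matches_cert CERT KEY: succeed only if both parse and carry the same key.
key_matches_cert() {
    c=$(pubkey_of_cert "$1") || return 1
    k=$(pubkey_of_key "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# expires_within_days CERT DAYS: succeed if CERT expires within DAYS days.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_live_dir DIR [DAYS]: 0 = ready to install, 2 = file missing,
# 3 = key/cert mismatch, 4 = certificate is inside the renewal window.
check_live_dir() {
    dir=$1; days=${2:-30}
    for f in cert.pem privkey.pem chain.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 2; }
    done
    key_matches_cert "$dir/cert.pem" "$dir/privkey.pem" ||
        { echo "privkey.pem does not match cert.pem" >&2; return 3; }
    if expires_within_days "$dir/cert.pem" "$days"; then
        echo "cert.pem expires within $days days: renew and reinstall" >&2
        return 4
    fi
    echo "ok: key matches certificate, more than $days days of validity left"
}

# Run directly: sh check-live.sh /path/to/dir/with/pem/files [days]
if [ "$#" -ge 1 ]; then check_live_dir "$@"; fi
```

Exit code 4 is the one to watch with 90-day certificates: it signals that the renewed files need to be generated and pasted into cPanel again.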


Obviously one has to have root access to the server right now to do this, but it's manageable, which makes me think we could handle it by request right now. The downside is that Let's Encrypt is only issuing 90-day certificates at the moment. Renewing is a single command, but with this manual process the new files would have to be reinstalled at the domain. That could turn into a potential support nightmare. Hopefully, though, cPanel support for allowing end users to run these tools and automate the installation process is right around the corner and we'll see even more sites take advantage of this amazing service to secure their domains.

Update: cPanel has posted instructions for doing this all by command line in the forums. It even has thoughts on adding a cron job to auto-renew. Nice workaround! https://forums.cpanel.net/threads/how-to-installing-ssl-from-lets-encrypt.513621/