Let's Encrypt is a free tool that allows you to create, manage and auto-renew SSL certificates for web services, web applications or any sort of application where secure transport of data can be utilised! This tool will definitely help make a safer internet for all web users.
Unfortunately, purchasing and installing SSL Certificates has previously been expensive for small websites and businesses. Some companies may not understand the benefits of this level of security, some may not have the knowledge to do this (unfortunately this tool does not solve this), and some agencies that build websites for clients may not feel there is a budget, but hopefully this tool will turn this around.
Here's a quote from the official web site that really sells this tool to me:
"No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment."
It sounds like a win/win situation then, doesn't it?
Are there any catches?
Okay, so there are a few catches when using Let's Encrypt compared to the traditional method of purchasing SSL Certificates through another authority.
- The certificate is only valid for 90 days at a time and may be shortened in the future
- Requires a certificate management agent to run on the same server that will serve requests for that domain
- There's no simple install wizard available
That's not to say these are bad points. A certificate that is only valid for 90 days reduces risks of the key being compromised, and I'm sure there are IT buffs out there that love a good ol' challenge without having to deal with progress bars! Though, for those less technical, there are tools being developed to make this process easier. Especially for Microsoft Windows!
Why use SSL Certificates to secure your website?
There are a lot of resources that will explain why you should. But I will sum it up:
- To protect your users from man-in-the-middle attacks!
- To ensure the integrity of the data being posted to your web application
There are a lot of reasons why you should protect your application. Those two points are probably the most important to me. For those not aware, it's getting easier for people to sniff network traffic.
Just see the WiFi Pineapple: it's under $100 and can be used by almost anyone to perform man-in-the-middle attacks. I'll probably blog about this device at some point in the future; it's very interesting and can be used for good purposes, but it is an extremely scary device. Be warned - it will change the way you think forever.
Anyway, onwards and upwards...
Walkthrough setting up Let's Encrypt
I'm not a Linux man, I'm a Microsoft man, so I will be walking you through setting up Let's Encrypt on Windows Server 2012 R2 for IIS 8.5. However, unfortunately for us Windows folk there is no 'official' client, as the official documentation specifies it requires a Unix-ish OS with Python 2.6/2.7.
1. Get the correct tools
To get started, you will need a Let's Encrypt client that speaks the ACME protocol. ACME stands for Automated Certificate Management Environment. The Let's Encrypt client will use this protocol to talk to any Certificate Authority (CA) that supports the ACME Protocol. Under the hood, the ACME protocol is based on JSON over HTTPS.
So first we need to download the unofficial Windows ACME Client (letsencrypt-win-simple, linked at the bottom of this post). I downloaded the Version 1.7 compiled zip.
Extract it to a directory on the server where it can live permanently.
2. Install an SSL Certificate for your IIS Bindings
Once you have downloaded and extracted the Windows ACME Client to a directory, run letsencrypt.exe with admin privileges.
First you will be asked for an email address, which is used to notify you in case the renewals fail.
Next, you will be asked to accept the Terms and Conditions. Type 'y' and enter.
Now you will be asked to choose which binding you want to generate the SSL for:
For me, it is www.coderambings.net. So I chose option 1.
At this stage, if it worked, move on to Step 3. Otherwise you may have found that the client closed automatically, which means it didn't work. This may be because of the ordering of modules in the IIS website. See the error message below to fix it - it's a pretty easy fix.
Once you have reordered the modules, run it again. Hopefully now you are ready to move on to Step 3.
3. Well... you're done
Now it's best I tell you what has happened.
- You were given the date on which the certificate expires; just make a note of this.
- A scheduled task was set up on this machine to renew the certificate in 60 days' time.
- The certificate was installed in the Certificate Store.
- An https binding was added to the IIS Website.
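To confirm those four things actually happened on your server, here is a PowerShell check script I've added for this post (it is not part of the letsencrypt-win-simple client). It assumes the certificate subject matches the host name you chose, that the renewal task name contains "letsencrypt", and uses www.example.com as a placeholder host; the 30-day warning threshold reflects a 90-day certificate being renewed at day 60.

```powershell
# Added check script (not from letsencrypt-win-simple). Run elevated on the IIS server.
# Assumptions: certificate subject CN matches $HostName; renewal task name contains
# "letsencrypt" (adjust the pattern if your task is named differently).
param(
    [string]$HostName = "www.example.com",   # placeholder: use the binding you chose
    [int]$WarnDays    = 30                    # a 90-day cert renewed at day 60 leaves ~30
)

Import-Module WebAdministration

# 1. Locate the newest certificate for the host in the machine store
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$HostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { Write-Warning "No certificate for $HostName in LocalMachine\My"; return }

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
"Certificate : $($cert.Subject)"
"Thumbprint  : $($cert.Thumbprint)"
"Expires     : $($cert.NotAfter) ($daysLeft days left)"
if ($daysLeft -lt $WarnDays) {
    Write-Warning "Expiry is within $WarnDays days; check that the renewal task has run"
}

# 2. Confirm the https binding exists and is tied to this certificate
$binding = Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -like "*:443:$HostName" }
if (-not $binding) {
    Write-Warning "No https binding for $HostName found in IIS"
} elseif ($binding.certificateHash -ne $cert.Thumbprint) {
    Write-Warning "Binding uses thumbprint $($binding.certificateHash), not the newest certificate"
} else {
    "Binding     : OK ($($binding.bindingInformation))"
}

# 3. Confirm the scheduled renewal task is present and not disabled
$tasks = Get-ScheduledTask | Where-Object { $_.TaskName -like "*letsencrypt*" }
if (-not $tasks) {
    Write-Warning "No scheduled task matching *letsencrypt* found; renewal will not happen"
} else {
    $tasks | ForEach-Object { "Task        : $($_.TaskName) ($($_.State))" }
}
```

Run it again after the 60-day renewal is due: the thumbprint should change and the days-left figure should jump back towards 90.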
Well, I suppose that's literally all you have to do. I'm really impressed with this new approach to web application security. So I recommend everyone go out and do the same; let's start making the web a safer place!
FYI - this site is running on https using Let's Encrypt!
- Official Documentation https://letsencrypt.readthedocs.org/en/latest/intro.html
- Let's Encrypt unofficial Windows Client https://github.com/Lone-Coder/letsencrypt-win-simple