
Let's Encrypt First Impressions

About Let's Encrypt

For those new to it, Let’s Encrypt is a free, automated, and open certificate authority (CA) service, which is run for the public’s benefit. The Let’s Encrypt service is provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

Installation of Let's Encrypt

On Ubuntu 16.04 the installation of Let's Encrypt is as follows:

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help

If you are wondering what certbot is, it is the command-line tool of Let's Encrypt, which is supposed to automate dealing with the certificates.

Installing the SSL Certificates

./certbot-auto --apache

The above command will show you a small graphical interface in which you can select the domain name the certificate should be issued for. Click OK, and your domain name will have its shiny new certificate installed.

Issues with Let's Encrypt

On my server I had two domains. One of them had a valid commercial certificate issued by Comodo, and the second was the one I wanted the new Let's Encrypt certificate installed on. Let's Encrypt removed the Comodo certificate and replaced it with a Let's Encrypt certificate. This was unexpected, and I had to manually restore all the settings for the commercial certificate, which was a pain.
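
A check for the situation described above, as an added example that is not part of the original post: it snapshots which certificate file each Apache vhost references before and after an installer runs, and reports every vhost whose certificate path changed. The function names, the domain names and the non-Let's Encrypt certificate paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): detect when an automated
# installer changes the certificate of a vhost it was not asked to touch.

# cert_map DIR: print "ServerName<TAB>SSLCertificateFile" for every
# <VirtualHost> block in DIR/*.conf that sets a certificate.
cert_map() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk 'tolower($1) == "servername"         { name = $2 }
             tolower($1) == "sslcertificatefile" { cert = $2 }
             tolower($1) == "</virtualhost>"     {
                 if (cert != "") print name "\t" cert
                 name = ""; cert = ""
             }' "$f"
    done | sort
}

# cert_changes BEFORE AFTER: print vhosts whose certificate path differs
# between two cert_map snapshots.
cert_changes() {
    awk -F '\t' 'NR == FNR { before[$1] = $2; next }
                 ($1 in before) && before[$1] != $2 {
                     print $1 ": " before[$1] " -> " $2
                 }' "$1" "$2"
}

# demo: constructed two-site config; domain names and paths are made up.
demo() {
    d=$(mktemp -d)
    mkdir "$d/sites"
    printf '%s\n' '<VirtualHost *:443>' '  ServerName shop.example' \
        '  SSLCertificateFile /etc/ssl/commercial/shop.crt' '</VirtualHost>' \
        > "$d/sites/shop.conf"
    printf '%s\n' '<VirtualHost *:443>' '  ServerName blog.example' \
        '  SSLCertificateFile /etc/ssl/selfsigned/blog.crt' '</VirtualHost>' \
        > "$d/sites/blog.conf"
    cert_map "$d/sites" > "$d/before.tsv"
    # Simulate an installer rewriting both vhosts, not only blog.example.
    for f in "$d"/sites/*.conf; do
        sed 's#SSLCertificateFile .*#SSLCertificateFile /etc/letsencrypt/live/blog.example/fullchain.pem#' \
            "$f" > "$f.new" && mv "$f.new" "$f"
    done
    cert_map "$d/sites" > "$d/after.tsv"
    cert_changes "$d/before.tsv" "$d/after.tsv"
    rm -rf "$d"
}

demo
```

On a real Ubuntu server, run cert_map against /etc/apache2/sites-enabled before and after ./certbot-auto --apache, then compare the two snapshots with cert_changes.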