…And SSL For All
Published By Rendahl Weishar on July 7, 2019
What is SSL?
Secure Sockets Layer (SSL) is a protocol for sending encrypted data over the Internet. In simpler terms, it prevents everyone except the intended receiver from being able to read the message being sent. Back in the early days of the World Wide Web, data security was not a priority. The original Hypertext Transfer Protocol (HTTP: the protocol used to transfer webpages) specified that messages would be transferred in plain text. This was not a problem for research scientists and academic types using the World Wide Web to share research material. However, with the rise of eCommerce and internet banking, the need for security became obvious. SSL was designed to plug the massive hole in web security that HTTP left wide open.
SSL, or HTTPS (Hyper Text Transfer Protocol Secure) as it is sometimes referred to, keeps data private by encrypting it during transport to prevent eavesdropping. You may have noticed that most addresses in your web browser's address bar start with "https://". This means that you are accessing the site using SSL. At the heart of SSL is the certificate. An SSL certificate serves a couple of essential functions. It provides the cryptographic key needed for encryption, and it verifies the credentials of the site it has been issued to. You can think of it kind of like an ID card. The state issues you a card and is considered an authority on your identity. On the Internet, the entities responsible for issuing SSL certificates, or certs as they are called, are Certificate Authorities (CAs).
Traditionally, certs have been issued by various CAs for a price. They are often issued with charges for terms and with domain restrictions. Historically, going with a paid SSL cert was basically your only choice. You can always create a self-signed cert, which works fine for internal needs; however, when public users visit your site, the certificate will not appear to be valid. Who validates a cert? Every browser ships with a list of CAs that it checks a site's cert against to ensure legitimacy. If the site's cert is valid with one of the CAs, you will often see a lock icon in the address bar. If it fails, the browser will show a warning and often require you to acknowledge the risk before proceeding. Those were the old days. Now, things have changed!
Let’s Encrypt to the Rescue!
Let’s Encrypt has been created to fill the void of a free certificate authority for all! Simply put, Let’s Encrypt provides free SSL certificates to anyone who wants one! That’s right, gone are the days of paying ridiculous annual fees for essentially a number attached to some contact information. The obvious question is: are Let’s Encrypt’s SSL certs valid? Yes! They will pass validation just like any other cert. For all the details of how Let’s Encrypt works, see here.
Administration, Certbot rules
Let’s Encrypt’s certs are valid for 90 days at a time by design. Renewing your cert is exceptionally easy, however. How do you get at all this awesomeness? A slick little utility called Certbot. Let’s see how it works.
Create new cert
$ certbot --nginx -d "yourdomain.com" -d "www.yourdomain.com"
This will create a cert for both yourdomain.com and www.yourdomain.com, and will create the correct entry in your nginx config.
$ certbot renew
This will renew all certs created with certbot. If the cert is not due for renewal, it will be automatically skipped. I suggest running this command once a month to ensure all certs stay up-to-date.
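To confirm that scheduled renewals are actually replacing the 90-day cert, a monitoring job can read the served certificate's expiry date and flag one that should already have been renewed. The script below is an added example, not part of the original post or of Certbot; it assumes Certbot's default of renewing once fewer than 30 days remain, and the 14-day alert threshold and function names are hypothetical choices.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 30  # assumed certbot default: renew with < 30 days left
ALERT_DAYS = 14         # hypothetical alert threshold chosen for this example


def days_left(not_after, now=None):
    """Days until notAfter, given in getpeercert() format."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(not_after, now=None):
    """Map remaining lifetime to a monitoring state."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining < ALERT_DAYS:
        return "renewal-failing"  # renewal window opened 16+ days ago
    if remaining < RENEW_WINDOW_DAYS:
        return "due"              # next `certbot renew` should replace it
    return "ok"


def check_host(host, port=443, timeout=5):
    """Fetch the served certificate and classify it (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted cert fails the handshake before we can read it.
        return "invalid: " + str(exc.verify_message)


if __name__ == "__main__":
    # Constructed sample: a 90-day cert issued Jul 7 2019, checked on four dates.
    not_after = "Oct  5 12:00:00 2019 GMT"
    for today in ("Jul  7 12:00:00 2019 GMT", "Sep 10 12:00:00 2019 GMT",
                  "Sep 25 12:00:00 2019 GMT", "Oct  6 12:00:00 2019 GMT"):
        now = ssl.cert_time_to_seconds(today)
        print(today, round(days_left(not_after, now)), classify(not_after, now))
```

A "renewal-failing" result means the cert has been inside the renewal window for over two weeks without being replaced, which is the point to look at the scheduled `certbot renew` job before visitors start seeing browser warnings.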
There you have it. SSL for free. For all.
Let’s Encrypt provides all of their services free of charge; please consider donating a small amount. I did 🙂