Let's Encrypt TLS Certificate Up and Running!

Previously this blog simply used a self-signed certificate, because I knew that Let’s Encrypt was about to be released later this year. Of course, this meant that every time anyone visited the blog, that person would see a big scary warning message that the connection is not trustworthy.

So two days ago, I got an e-mail titled “Let’s Encrypt Closed Beta Invite”, which told me that I may try to obtain my certificate now. That is because I’ve taken part in the private beta program that they have launched. If you’d like to join, the EFF article I’ve linked has a link to a Google Forms document (that’s a bit scary from a privacy point of view!), where you can type in your e-mail address and the domain(s) you would like to register. I did that a few weeks ago, I think.

I’m not really running a mainstream distribution or webserver, and I know how to install a certificate myself. So I’ve decided to go with letsencrypt-nosudo from GitHub. As with the official letsencrypt client, it requires Python 2. The source code is slightly less than 400 SLOC, so I could read through it before using it.

The only thing I’d like to see improved is a version that doesn’t need Python (or any other dependency) at all, so it fits better with sabotage’s philosophy (see minimal bloat section). Someone asked here for a version with CLI tools only, but was told that this isn’t practical due to JSON Web Signatures, which aren’t implemented in any such tools. However, the protocol is open and maybe some day someone will write a tiny C client that does the same thing as the Python script above (assisting you in getting the certificate, not messing with your configs).

Back to the topic. Let’s Encrypt is really awesome and everyone who doesn’t have a valid certificate yet (or even worse, is hosting their services without TLS) should use it! And the automatic installation and configuration in HTTP daemons is a good thing for most people, because it will really spread the usage of TLS, improving people’s privacy a bit every time.

It works!