LetsEncrypt: The Free HTTPS Certificate Generator [product overview]
LetsEncrypt is a free way to set up your websites to use HTTPS, or Hypertext Transfer Protocol Secure. In this article, we will explore the benefits of doing so and how to accomplish it using LetsEncrypt.
LetsEncrypt and HTTPS
Before getting into the specifics of using LetsEncrypt, it’s important to make sure that everyone is on the same page. In this section, we’ll discuss HTTPS, LetsEncrypt and why using HTTPS is important for website owners.
What Is HTTPS?
When you visit a website, you have two options: HTTP and HTTPS. Both of these options offer the same functionality of providing Web-based content to you, but HTTPS offers a bit more in terms of security.
The first differentiator between HTTP and HTTPS is that traffic in HTTPS is encrypted. While an eavesdropper can see the site that you visited, they can’t see any of the data that you send to/from that site. This provides a huge increase in privacy over HTTP, where all information is transmitted in the clear.
The other main advantage of HTTPS is authentication. Anyone can set up a website and may even be able to trick DNS servers (the ones who convert the URL that you type into the website’s IP address) into thinking that they’re the real thing.
HTTPS makes this harder by requiring a website to have a valid SSL certificate. Your computer trusts a set of root Certificate Authorities and will trust any certificate signed by a trusted root CA either directly or indirectly (through a chain of CAs where each CA is authenticated by the previous one in the chain). If you visit a website with a valid SSL certificate, it’s more likely to be the real thing.
What Is LetsEncrypt?
LetsEncrypt is a root Certificate Authority that tries to make it fast and easy for an organization or individual to generate valid SSL certificates for their websites. If a user can prove ownership of a website, LetsEncrypt will allow them to generate a valid certificate for free that are valid for 90 days.
When a certificate nears expiration, LetsEncrypt makes it easy to renew manually or automatically. This benefits both website owners and visitors by providing authentication and encryption for Web traffic.
Why Does My Site Need HTTPS?
The reasons for supporting HTTPS on your website vary based on the type of content provided; however, the simplest reason is user trust. Anti-phishing training has conditioned users to look for the padlock in the address bar, and this is only available with an HTTPS-enabled site.
If your website processes personal information, the use of HTTPS may be mandated under data privacy regulations. User personal information must be protected both at rest and in transit, meaning that any website that collects email addresses (for authentication), phone numbers, credit card information and so on must use encryption, which HTTPS provides and HTTP does not.
Getting Started with LetsEncrypt
LetsEncrypt is designed to make setting up HTTPS fast and free for website owners. In this section, we’ll discuss how to set up LetsEncrypt for the first time and how to configure it to auto-renew certificates.
Setting Up LetsEncrypt
Requesting and installing LetsEncrypt certificates is designed to be fast and easy for users. LetsEncrypt offers two main methods for installation, depending on whether you have shell access to your website. If you use SSH to access your website, you have shell access, but if you commonly use a control panel (cPanel, Plesk, Wordpress and so on) for website management, you probably don’t.
With shell access, you can set up a LetsEncrypt certificate completely on your own using the Certbot ACME client. To use this, visit https://certbot.eff.org/ and follow the instructions provided. A huge advantage of this approach is the ability to automatically renew LetsEncrypt certificates when the 90-day deadline is approaching.
Without shell access, you need to rely on your hosting provider to set up your website with HTTPS. LetsEncrypt provides a list of supported hosting providers, who can provide instructions for setting up your site with a LetsEncrypt certificate.
Renewing LetsEncrypt Certificates
The fact that LetsEncrypt certificates are only valid for 90 days can make certificate management a hassle. However, it is possible to set up a site to automatically renew LetsEncrypt certificates to ensure continuous support. This technique requires shell access to the site and uses the Certbot tool from the previous section.
Setting up LetsEncrypt auto-renew assumes that Certbot is installed on the webserver. If this is true, follow these five steps:
- Find the certbot-auto package in the home directory of your website
- Go to home directory: cd ~
- Find the package: ls
- If the package is not there, run the following:
- Move the package to the letsencrypt directory: sudo mv certbot-auto /etc/letsencrypt
- Open crontab: sudo crontab -e
- Add the following to the end of crontab:
- This assumes that your webserver runs apache. If not, modify the last command to restart your webserver
At this point, your autorenew should be completely set up. To test with Apache, use the following commands:
sudo -i cd /etc/letsencrypt/ && ./certbot-auto renew --dry-run && /etc/init.d/apache2 restart
If you’re not using Apache, modify the final command similarly to step 4. If everything checks out, your LetsEncrypt certificates are set up and configured to renew automatically.
Enabling HTTPS with LetsEncrypt
The goal of LetsEncrypt is to make the transition from HTTP to HTTPS as painless as possible for website owners. As users are trained to only trust HTTPS-enabled sites and privacy regulations increase, the need to deploy HTTPS on your websites is growing.
Sources
FAQ, LetsEncrypt
Getting Started, LetsEncrypt
FREE role-guided training plans
How to Setup Auto-Renew for Let’s Encrypt SSL Certificates (Apache), One Page Zen
In this Series
- LetsEncrypt: The Free HTTPS Certificate Generator [product overview]
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security