Let's Encrypt has moved to public beta,
and I've taken advantage of it. Why? Because a non-zero proportion of
the people intercepting your web traffic are bad guys. The less
plain-text traffic is out there, the less they learn.
Because I'm an awkward cuss with slightly unusual requirements,
I've used the lightweight
acme-tiny client. This
requires some fairly standard wrapping round it:
- Generate a key for each server instance (i.e. each distinct web site);
- Generate a certificate signing request containing all the site's names as SANs;
- Call acme-tiny itself, which deals with the challenge-response part of ACME to get the certificate;
- Put the certificate in the right place and restart the web server.
Since I'd got that far, I added a further test to see whether the
certificate exists and, if so, whether it's close enough to expiry to
be worth renewing. (Let's Encrypt favours 90-day certificates and
automatic renewal when about 30 days remain, rather than the
long-duration certificates and manual renewal favoured by the paid
approach.) This is all just barely more than trivial, so I might
release the code at some point, but it's all very much set up for my
particular configuration of virtual hosts and probably not much use to
anyone else; you might as well just use one of the more heavyweight
standard clients or write your own wrapper.
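As an added illustration of the wrapping described above (this is not the author's unreleased script), here is a POSIX shell wrapper around acme-tiny that covers all four steps plus the expiry test. It assumes openssl 1.1.1 or later on the PATH (for `-addext`), an ACME account key that already exists, `acme_tiny.py` at the hypothetical path in `ACME_TINY`, a web server that serves `CHALLENGE_DIR` under `/.well-known/acme-challenge/` for every site name, and a reload command supplied in `RELOAD_CMD`; all of those paths and variable names are assumptions.

```shell
#!/bin/sh
# Added example acme-tiny wrapper (not the author's code). All paths and
# environment variables below are assumptions; override them as needed.
set -eu

ACME_TINY="${ACME_TINY:-/usr/local/bin/acme_tiny.py}"   # hypothetical path
ACCOUNT_KEY="${ACCOUNT_KEY:-/etc/acme/account.key}"     # existing ACME account key
CHALLENGE_DIR="${CHALLENGE_DIR:-/var/www/challenges}"   # served at /.well-known/acme-challenge/
CERT_DIR="${CERT_DIR:-/etc/acme/certs}"                 # where key/csr/crt per site live
RENEW_DAYS="${RENEW_DAYS:-30}"                          # renew when fewer days than this remain
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"      # whatever restarts your web server

# Join site names into a subjectAltName value, e.g.
#   san_line www.example.org example.org -> DNS:www.example.org,DNS:example.org
san_line() {
    out=""
    for d in "$@"; do
        out="${out:+$out,}DNS:$d"
    done
    printf '%s\n' "$out"
}

# Step 1: one private key per site; created only if missing, mode 0600.
gen_key() {  # gen_key KEYFILE
    [ -s "$1" ] || { umask 077; openssl genrsa 4096 > "$1"; }
}

# Step 2: CSR naming every site name as a SAN (the CN alone is not enough).
gen_csr() {  # gen_csr KEYFILE CSRFILE NAME...
    key=$1; csr=$2; shift 2
    openssl req -new -sha256 -key "$key" -subj "/CN=$1" \
        -addext "subjectAltName=$(san_line "$@")" -out "$csr"
}

# Expiry test: succeeds (0) when no certificate exists or it expires within
# RENEW_DAYS. openssl -checkend returns 0 only if the cert is still valid
# after the given number of seconds, so it is negated here.
needs_renewal() {  # needs_renewal CERTFILE
    [ -s "$1" ] || return 0
    ! openssl x509 -noout -checkend "$((RENEW_DAYS * 86400))" -in "$1"
}

# Step 3: acme-tiny answers the http-01 challenge and prints the signed
# certificate on stdout. Check whether your acme-tiny release prints the
# full chain or only the leaf; early versions needed the intermediate appended.
fetch_cert() {  # fetch_cert CSRFILE CERTFILE
    tmp="$2.new"
    python3 "$ACME_TINY" --account-key "$ACCOUNT_KEY" --csr "$1" \
        --acme-dir "$CHALLENGE_DIR" > "$tmp"
    openssl x509 -noout -in "$tmp"   # refuse to install anything that is not a certificate
    mv "$tmp" "$2"                   # atomic replace, so the server never reads a partial file
}

# Step 4: put it all together for one site; the first name is the primary.
renew_site() {  # renew_site NAME...
    site=$1
    key="$CERT_DIR/$site.key"; csr="$CERT_DIR/$site.csr"; crt="$CERT_DIR/$site.crt"
    if needs_renewal "$crt"; then
        gen_key "$key"
        gen_csr "$key" "$csr" "$@"
        fetch_cert "$csr" "$crt"
        sh -c "$RELOAD_CMD"
    else
        echo "$site: certificate still has more than $RENEW_DAYS days left" >&2
    fi
}

# Usage from cron, e.g. daily:  acme-wrapper.sh renew www.example.org example.org
case "${1:-}" in
    renew) shift; renew_site "$@" ;;
esac
```

Run it daily from cron with `renew` followed by the site's names; it does nothing until fewer than `RENEW_DAYS` days remain, then regenerates the CSR, fetches a new certificate, verifies the file parses before swapping it into place, and reloads the server.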
While I was at it I set up various guards against protocol downgrade
attacks and such like; the
Qualys SSL Labs test
is very handy for this.
The upshot of this is that this blog, and nearly all the sites I host,
are now accessible via https, and I very much hope will remain so.
(Not quite all, as I hit a rate limit on subdomains for
firedrake.org.)