I’ve been following Let’s Encrypt for a while, and the idea is as simple as it’s brilliant! Make it so easy to add a encryption to your webserver setup that there’s really no reson not to. Traditionally this has been both a cumbersome and potentially expensive investment. At least for smaller stuff like your average blog or community web site getting a certificate and setting it all up has been a hassle.
So I really like the idea of Let’s Encrypt, and since they’ve just launched their public beta program in time for the renewal of one of my certificates I decided to give it a spin. The process was surprisingly painless.
The base Let’s Encrypt program is already in the FreeBSD ports collection, so installing it was as simple as running:
portmaster -P /usr/ports/security/py-letsencrypt
There was quite a bit of dependencies to be installed, but the ports system takes care of that, and portmaster helps make the process really smooth. A few config options and 10 minutes later everything was built and installed.
Next step was to generate the certificates. After a few misses I found the right invocation:
sudo letsencrypt certonly --webroot \ -w /usr/local/www/my_rails_app_dir/current/public/ \ -d mydomain.com -d www.mydomain.com
Half a minute later I have my certificates in
/usr/local/etc/letsencrypt/live/mydomain.com. I just had to update the apache
config and everything worked right away.
The Let’s Encrypt website warns that you may have to shut down your webserver
while it does it’s job. That was not neccesary in this case. It seems this is
only neccesary if you run with the
--standalone option. The
-w options on the other hand allows you to specify manually where
letsencrypt should put it’s challenge files.
The Let’s Encrypt server then accesses these files using the regular webserver you’re already running. Since this particular domain runs a Ruby on Rails app deployed using Capistrano I ended up with the path above.
I had quite frankly expected that there should be more bumps. For one, this is still a beta, and they do warn that there will be bugs on their website. Further not all software developed for Linux runs equally smooth on FreeBSD, but this time there was no need for worrying.
The plugins for apache and nginx are not yet available in the ports tree however, so I’m running things manually for now.