Let’s Encrypt SSL certificates on FreeBSD

18, Nov, 2015

To quote the Let’s Encrypt about page:

“Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).”

In a nutshell, they issue free SSL certificates that are recognized by all major browsers and can be renewed automatically. They are currently using a 90 day expiration (with discussion of possibly dropping to 60 days) and renewing at 60 days, which gives you a 30 day window to get the renewal done. One of the bigger issues with long-lived certificates is that most clients never check whether a certificate has been revoked; they just assume it's good if it isn't expired. With short lifetimes, a revoked certificate would not get renewed and would start throwing errors on the client much sooner.

One place where automatically renewing certificates could be an issue is on external SSL services like SSL accelerators, Web Application Firewalls (WAFs), etc., because they have the certificates loaded directly on them to inspect traffic before passing it on to the webserver or other SSL endpoint. You'll often see EV certificates on these appliances, and Let's Encrypt isn't doing Extended Validation certificates, so it's not a huge issue, but it would be nice to see the vendors add Let's Encrypt support for the people not using EV certs on their appliances/services.

Getting started:

It's currently in a limited beta, so the first thing you need to do is fill in the Sign up form to request your domain(s) and any subdomains, since they need to be specified in the request, along with an email address to be used for your account. Then wait for the confirmation email. I submitted on a Thursday afternoon and got the acceptance email on Monday afternoon, so be patient. It goes into open beta December 3rd, so this will change somewhat.

There are a few different clients for getting your certificates, and I checked into which ones might work best on my FreeBSD webserver. In the end, I used the default client from Github and it works great on FreeBSD. Props to everyone who got the kinks worked out already.

The standalone client listens on the port itself, so you have to temporarily stop your webserver for it to answer the validation request. The first -d is the domain that will be the certificate's CN; each additional -d adds a SAN name. You can make one certificate with all of your domains/subdomains or make individual certificates for each domain (plus at least www.domain.com). I prefer to make one cert for the domain plus all its subdomains for better compatibility (some clients have issues if your domain is only a SAN and not the CN).

sudo ./letsencrypt-auto certonly -a standalone -d domain.com -d www.domain.com -d mail.domain.com --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview --debug

(The --debug flag is required on FreeBSD, not on other OSes.)

This creates the /etc/letsencrypt/live/domain.com/ directory containing cert.pem, chain.pem, fullchain.pem and privkey.pem. fullchain.pem is the cert and the chain in a single file, for services that don't have a separate chain directive (some IMAP, POP3, SMTP servers, etc.) or if you just want to keep it simple on your webserver. The /etc/letsencrypt tree also contains your account info, CSR, the private key used for generating the certs, etc. It's root-only access, but you should make a backup of it so you don't have to start over later.

Start the webserver back up once you’ve created all the certificates that you want.

Point your vhost(s) at /etc/letsencrypt/live/domain.com/cert.pem (and chain.pem, fullchain.pem, privkey.pem) so that when you renew the certificate(s) in 60 days, they will automatically be pointing at the updated files. I've written a script to stop the webserver, re-run the client, restart the webserver, and email me (to make sure it went fine). I've added it to my crontab to run every other month. (I'm not running the job at the top of the hour, as a good sysadmin should avoid doing when polling a service likely to be hit by many clients.)
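As an added example (not the author's own script), here is one way to write that cron job as a FreeBSD sh script. It assumes the Github client was cloned to /root/letsencrypt, that the webserver is the apache24 rc.d service, and that the domain list is the one used in the certonly command above; all three are overridable through environment variables. It builds the same command line shown earlier, skips the stop/start dance when the live cert still has more than 30 days left (checked with openssl x509 -checkend), always restarts the webserver even if the client fails, and mails the client output plus the new cert's subject, issuer and expiry.

```shell
#!/bin/sh
# Added example: cron-driven renewal wrapper for the Let's Encrypt standalone client.
# Not the author's script; the paths and service name below are assumptions.
set -u

LE_BIN="${LE_BIN:-/root/letsencrypt/letsencrypt-auto}"            # assumed clone location
WEB_SERVICE="${WEB_SERVICE:-apache24}"                            # assumed rc.d service name
DOMAINS="${DOMAINS:-domain.com www.domain.com mail.domain.com}"   # first name becomes the CN
MAILTO="${MAILTO:-root}"
ACME_SERVER="https://acme-v01.api.letsencrypt.org/directory"
LOGFILE="/var/log/letsencrypt-renew.log"
RENEW_WINDOW_DAYS=30   # renew when fewer than this many days remain on the cert

# First domain in the list: the CN and the name of the /etc/letsencrypt/live/ directory.
primary_domain() {
    set -- $1
    printf '%s' "$1"
}

# Turn "a.com b.com" into "-d a.com -d b.com" (first -d is the CN, the rest are SANs).
domain_args() {
    args=""
    for d in $1; do
        args="$args -d $d"
    done
    printf '%s' "${args# }"
}

# The full certonly command line; --debug is required on FreeBSD.
renew_command() {
    printf '%s certonly -a standalone %s --server %s --agree-dev-preview --debug' \
        "$LE_BIN" "$(domain_args "$1")" "$ACME_SERVER"
}

# Succeeds (exit 0) when the certificate at $1 expires within $2 days.
# openssl -checkend exits non-zero when the cert WILL expire within the given seconds.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"
}

# Subject, issuer and expiry of a certificate, for the status mail.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Stop the webserver so the client can bind the port, renew, restart, and report by mail.
renew_and_report() {
    cn=$(primary_domain "$DOMAINS")
    cert="/etc/letsencrypt/live/$cn/cert.pem"

    if [ -f "$cert" ] && ! expires_within_days "$cert" "$RENEW_WINDOW_DAYS"; then
        printf 'No renewal needed for %s\n%s\n' "$cn" "$(cert_summary "$cert")" \
            | mail -s "letsencrypt: $cn still valid" "$MAILTO"
        return 0
    fi

    service "$WEB_SERVICE" stop
    $(renew_command "$DOMAINS") > "$LOGFILE" 2>&1
    status=$?
    service "$WEB_SERVICE" start     # always bring the webserver back, even on failure

    if [ "$status" -eq 0 ]; then
        subject="letsencrypt: $cn renewed"
    else
        subject="letsencrypt: $cn renewal FAILED (exit $status)"
    fi
    { cat "$LOGFILE"; [ -f "$cert" ] && cert_summary "$cert"; } | mail -s "$subject" "$MAILTO"
    return "$status"
}

# Only do the real work when invoked as "le-renew.sh run"; sourcing the file just defines functions.
if [ "${1:-}" = "run" ]; then
    renew_and_report
fi
```

A crontab entry such as `17 4 1 */2 * /root/bin/le-renew.sh run` runs it at 04:17 on the first of every other month, off the top of the hour as the post recommends.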

(Screenshot) Here you can see I'm running TLS 1.2 with High ciphers.

(Screenshot) My domain as the CN, and you can see it's signed by Let's Encrypt.

The SSL Labs scanner gives my current setup an A. I've looked at what it takes to get an A+, and it can break some clients, so I'll check it out before I decide what changes to make next.

I set my http vhost to automatically redirect to https. If you are running Flatpress like I am here, you'll need to edit defaults.php in the root of your install. Change BLOG_BASEURL from http:// to https:// and you won't have to worry about it serving mixed content and not loading half the page. ;-)