
My Experience in the Let's Encrypt Limited Beta.

I was lucky enough to get into the Let's Encrypt Limited Beta. I signed up from the link on their community page and a few days later got the email saying the domains I'd signed up with had been white listed and I could get certificates now.

I went to the documentation page and started installing the Let's Encrypt client. It all installed and ran without a hitch [1].

Just to try it out I ran it using all the defaults without changing anything and it worked pretty well: it created and installed a certificate, configured Apache to use SSL, and just worked. But for production my situation is a bit different: I've been using public key pinning on my servers, so I needed to keep the same key pair.

I found that you could use an existing Certificate Signing Request (CSR), so I made an OpenSSL config and edited it to include my subject alternative names. To set up my certificates I:

  • Generated a CSR: openssl req -out CSR.pem -key www.xo.tc.key -new -sha256 -config /etc/ssl/openssl_san.cnf
  • Submitted that to Let's Encrypt: ./letsencrypt-auto --csr /home/michael/ssl/CSR.pem certonly --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory

I was getting really excited, and then... it didn't work. After a quick search on the community forums I found that the CSR needed to be in DER format, so I:

  • Converted it to DER encoding: openssl req -inform pem -outform der -in CSR.pem -out CSR.der
  • Submitted that to Let's Encrypt: ./letsencrypt-auto --csr /home/michael/ssl/CSR.der certonly --agree-dev-preview --server

I got an error message: Error: unauthorized :: The client lacks sufficient authorization :: Error creating new cert :: Authorizations for these names not found or expired: xo.tc

I thought "this is a Beta so that's to be expected", so I went to the community forums again and spent a bit of time looking around. I found a lot of similar issues where people were getting "The client lacks sufficient authorization", but they seemed mostly to relate to domains that had not been white listed yet.

After a bit of guessing and trying different things to see if I could get it to work, I found that it was an issue with the Certificate Signing Request. I worked out what I was doing wrong: I had the Subject as the root domain, CN=xo.tc, and in the Subject Alternative Name I just had the subdomain, DNS:www.xo.tc, but you need both names in the Subject Alternative Name section, so in my case DNS:www.xo.tc, DNS:xo.tc. In the past all the CAs I've used have been forgiving of my poorly formatted CSRs, so I'd never realised I was doing it wrong.

I then recreated the Certificate Signing Request and ran the commands:

openssl req -out CSR.der -outform der -key www.xo.tc.key -new -sha256 -config /etc/ssl/openssl_sans.cnf
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --csr /home/michael/ssl/CSR.der

And it worked. I then updated my Apache config to use the new certificates and I was done.
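
The CSR mistake described above can be caught locally before anything is submitted. The following script is an added example, not part of the original post; example.test, the file names and the function names are constructed. It builds one DER CSR with the CN missing from the Subject Alternative Name list and one corrected CSR, then checks each:

```shell
#!/bin/sh
# Added example, not from the original post. example.test, the file names and
# the function names are constructed; the key is a throwaway generated here.

# Write a minimal OpenSSL request config. $1=file, $2=CN, $3=SAN list
make_cnf() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
subjectAltName = $3
EOF
}

# Build one CSR like the rejected one (CN absent from SAN) and one like the
# accepted one, both DER-encoded. Prints the directory holding them.
build_samples() {
    dir=$(mktemp -d) || return 2
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null || return 2
    make_cnf "$dir/bad.cnf" example.test "DNS:www.example.test"
    make_cnf "$dir/good.cnf" example.test "DNS:www.example.test,DNS:example.test"
    for n in bad good; do
        openssl req -new -sha256 -key "$dir/key.pem" -config "$dir/$n.cnf" \
            -outform der -out "$dir/$n.der" || return 2
    done
    echo "$dir"
}

# Return 0 only if the CSR's CN is also a DNS entry in its SAN extension.
# $1=CSR file, $2=pem|der
cn_in_san() {
    text=$(openssl req -in "$1" -inform "$2" -noout -text) || return 2
    cn=$(printf '%s\n' "$text" |
        sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p' | head -n 1)
    sans=$(printf '%s\n' "$text" |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    case ",$sans," in
        *",DNS:$cn,"*) return 0 ;;
        *) echo "CN '$cn' is not in SAN: $sans" >&2; return 1 ;;
    esac
}

d=$(build_samples) || exit 2
cn_in_san "$d/bad.der" der || echo "bad.der: fix the SAN list before submitting"
cn_in_san "$d/good.der" der && echo "good.der: CN is covered by SAN"
rm -rf "$d"
```

To check a real request, call cn_in_san with the path to the CSR and its encoding (pem or der).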

Despite a couple of small hiccups I think the experience with Let's Encrypt was very good and I'm excited to see it progress. I think the most benefit will not be for crypto geeks like me who actually enjoy playing with SSL but for people who didn't have SSL before, so they don't need to worry about using an existing key pair or doing anything funky. They can just run ./letsencrypt-auto, answer a few simple questions like "Which domain names do you want to secure?" (which was prepopulated with the correct answer anyway), and then they are done.

Even better would be if other tools and hosting services integrated with the ACME protocol so encryption is just on by default. This would be great for people who have content and want to create websites or send email without needing to know all the technical details. Web servers like Apache and Nginx could automatically set up TLS. It's not just websites: I can imagine in the not too distant future running through the questions in the setup for Exim or Postfix and one of them being "Do you want Exim to automatically set up and manage certificates?" and that will be it: you just hit "Yes" and you have your SMTP running over StartTLS and/or SMTPS, with no messing about with Certification Authorities or managing keys.


  1. I'm running a very vanilla Debian install so I'd be a little surprised if it didn't work, but it is in beta.

Content on this site is licensed under a Creative Commons Attribution 4.0 International License.