Legally able to provide users with SSL/TLS certificates, they join the roster of other providers including Comodo, Symantec and Verisign.
The point is to make encryption accessible for *all* site owners,
allowing anyone to have HTTPS at NO extra cost…
As you may be aware, Google recently updated Chrome to label any “non HTTPS” sites as “non secure”, with the other providers following suit.
Whilst HTTPS does nothing to allay these fears from a technical perspective, its facilitation of encryption for web traffic certainly gives users psychological assurance as to the veracity of their digital services.
Thus, if you’re looking at running a blog, eCommerce store, web application or even just an API-driven service, you will need to be sure that you have HTTPS fully set up — with at least the most basic certificate lined up for your domain(s)…
💻 What Is SSL/TLS/HTTPS? 💻
Regardless of “what” you do online, the fact remains that 99% of the process is handled by HTTP — Hyper Text Transfer Protocol. HTTP was designed in 1989/1990 by Tim Berners-Lee to provide public accessibility for various resources through the Internet…
Whilst most people conflate the Internet + “web”, the two are slightly different; the former being the means through which computer systems connect globally (via TCP/IP), the latter being a protocol through which you’re able to attain public access to aforementioned computer systems.
In a nutshell, HTTP sits at the core of the “web”, and is what most people end up using when they say they’ve used “the Internet”. With the help of HTTP server software, it opens port 80 to public traffic — allowing you to gain HTML responses for accessing particular “URLs” (Uniform Resource Locators).
A good example of how this works comes in the form of the DNS system - designed to provide “easy-to-remember” ways to access web-centric resources.
The point here is that HTTP/HTTPS might not seem like a big deal. It is.
The process for using HTTPS is simply that it’s providing an “encrypted” way to access HTTP resources. SSL/TLS certificates are public/private key pairs designed to create said encryption properly…
📁 Types of SSL/TLS Certificate
SSL/TLS certificates have been big business for a while.
Whilst popular, most people don’t realize that 99% of the technology used in them is *EXACTLY* the same → only difference lying in the level of “validation” provided with each type…
Like “code signing” of old, SSL/TLS certificates are provided under the premise of organizational validation. The most notable result of this is the green “EV” (extended validation) bar which appears if you have the highest level of certificate:
The level of validation you received as a business is what determines which type of certificate you receive. Obviously, the higher the validation, the higher the cost and implied security of your service.
There are 3️⃣ “levels” of validation for SSL/TLS certificates:
- ✔️ Domain (DV) (cheapest) → Checks to confirm that the applicant is indeed the owner/manager of the domain they’re trying to obtain a certificate for. This will include the likes of DNS level & HTTP/HTML file upload checks…
- 💼 Organizational (OV) (mid range) → Checks used against the organization applying for a certificate. This can include everything from company registration papers to a live website for your organization...
- 🛡️ Extended (EV) (most expensive) → Checks against the legal entity of the applicant — from the likes of organization records to actual human verification (either by phone or email). This is the most extensive, expensive and sought-after certificate, namely because of the “SSL Green Bar” it provides…
Whilst this doesn’t really matter to someone who “just wants to get SSL”, it’s important to consider for anyone looking for different types of security.
In other words, if you’re looking to spend the $70+ on EV SSL certificates, you may just be better with a standard LetsEncrypt certificate, or even an organization validated one.
- *ALL* SSL certificates are the same. The technology they employ is the same. The way they work is the same. The ONLY difference lies in how deep the “validation” of the provider went in the issuance process…
If you’re interested in a nice synopsis about which level of certificate would be appropriate to you, there’s a great write-up from what many consider to be the leader in online SSL/TLS certificate issuance (everyone from Facebook to Salesforce uses them) → DigiCert…
📦 Why LetsEncrypt?
As mentioned, SSL/TLS certificates are ALL the same (technologically) — the big difference lies in how the certificate authority managed the validation process. Ironically, Symantec was recently “blacklisted” by Google and Firefox for not adhering to its obligations in this regard:
Regardless of how much validation your organization went through to secure a certificate, they all “work” in exactly the same way → public/private keys through which HTTP data is encrypted:
Thus, to be sure about what you’re doing, you need to ensure that you understand *exactly* which types of SSL/TLS certificates exist, and what they’re able to do for users…
Whilst this *DOESN’T* reflect on the quality of the certificate, it does limit the level of authentication your users can associate with your domain(s).
In other words, you can NEVER get the “green SSL bar” with Let’sEncrypt, only a simple domain-level certificate which provides HTTPS functionality.
➡️ How It Works
The service was introduced to provide people with a FREE way to gain SSL/TLS protection for their web services.
The aim was to give people “no excuses” in obtaining the encryption security provided by HTTPS, protecting users and providers alike:
Whilst this sounds great, there are certain stipulations to be aware of…
- 📲 LetsEncrypt can ONLY offer domain-validated SSL/TLS certificates
- 📆 LetsEncrypt certificates are ONLY valid for 90-day periods
Since offering SSL/TLS certificates for free would undercut what is a highly lucrative market, LetsEncrypt.org can *ONLY* issue certificates for 90-day stretches (need to renew every 3 months) → commercial certificates are typically valid for at least 1 year (depending on their duration).
If you have a website and want to reassure visitors, Google and your payment providers → you may benefit from using the LetsEncrypt.org service:
Ultimately, if you’re looking at running *ANY* web based service, you need to secure it with SSL/TLS. If you don’t want to spend on a domain-validated certificate, then LetsEncrypt is definitely something to look at…
Setting up a LetsEncrypt certificate works in almost exactly the same way as with the “paid” certificate authorities.
The main difference lies in how the certificate is generated…
Each time you obtain *ANY* SSL certificate (we’ve bought hundreds), the issuing authority has to check against various validation criteria it’s required to perform. This is dependent on the “level” of certificate you purchased.
Once this check has been done, you’re then in a position to start generating the certificate files. This is where the process changes, depending on whether you’re using the automated “Certbot” or a manual method (for paid certs).
At this point, you’ll need to create a CSR (explained below), and then your issuer will give you access to the files you require.
As mentioned, the method through which you obtain the certificates is somewhat irrelevant; the most important thing is that you obtain the files correctly, and then are able to get them recognized by your web hosting software. The ease of this process will depend on the type of hosting you have.
The process works as follows:
- 🔒 Purchase certificate
(in the case of LetsEncrypt, you initiate the creation for Free)
- ☎️ Validate credentials
(domain, organizational or extended validation)
- ⌚ Generate a CSR (Certificate Signing Request)
This is done server-side and is designed to ensure data integrity
- ☑️ Let The Issuer Confirm The Certificate
This may take some time depending on the type of cert you need
- 📥 Download & Install The Certificate Files On Your Host
You’ll be given several files which you need to upload to get it working
This might seem complicated but is very simple → the key is that you’re basically ensuring that your WEB SERVER (Apache/Nginx) is able to handle HTTPS traffic. This can only happen by using valid certificates.
Most people don’t understand how the HTTPS process should work (you’re basically opening both ports 443 on the server — most then redirect port 80 traffic to the encrypted
In terms of LetsEncrypt, many of the above steps can be negated.
You don’t need a CSR and, since all their certs are domain-validated, if you’re using certbot this will be handled during the issuance of the certificate.
To best explain the process, we’ll detail the TWO ways you can deploy/use LetsEncrypt → 🎌 Manually (download files) or 🚩 Automatically (certbot).
Whilst we use Certbot, there may be situations where this is infeasible / impossible. In this regard, you’ll need to use the manual method…
This works for LetsEncrypt (SSLForFree.com) as it does for “private” vendors.
Whilst the process may differ, it has the same underlying result (you are provided with a set of certificate files which you need to upload to your host).
What’s outlined below is what to expect from this process → there are instances where you cannot simply generate a LetsEncrypt cert automatically, (will need to download the corresponding files). With a process almost the same as “paid” certificates, the way to get them working is the same…
🔒 Buy certificate from seller
This is done by making a transaction with any of the certificate authorities you want to deal with. Don’t use Symantec; we’ve used Namecheap before (who just resell Comodo). If you’re using LetsEncrypt, this is where SSLForFree.com comes in (they give you the cert files to download, rather than just putting them onto your system automatically):
[[ image ]]
The purchase process changes depending on who you’re buying the certificate from. Most sellers provide you with detailed instructions of how to provide the right validation details etc to complete the sale.
☎️ Validate details
As mentioned, if you’re using the likes of LetsEncrypt/SSLForFree.com, or another domain-validated verification, you’ll only need to provide proof that you own/manage the domain in question. For other certificate-types, you’ll be required to provide documentation proving your legal status as a business etc:
[[ image ]]
Obviously, this depends on which service you use to obtain your certificate, and which level of certificate validation you end up buying.
Since LetsEncrypt is domain-validation only, you only need to validate the domain by uploading the required HTML file to your host (to
⌚ Use CSR to generate public/private keys
(*NOT* Required For LetsEncrypt) → CSR is a means to privately encrypt your keys so that they will not be hacked etc (think of it like a password).
I’ve not read into it enough to provide an adequate description… the bottom-line is that most companies will tell you to use your own server/hosting to generate it → it’s *MUCH* easier to use this hosted solution from Namecheap:
[[ image ]]
Some certificate vendors will require a CSR before they are prepared to confirm the order. In any case, it will be worth getting to grips with the process; if you need any support on how it works — most SSL providers will have a “live chat” support service available.
☑️ Download issued certificate files (will need to be converted)
Once you’ve provided the CSR info, and it’s confirmed against your application details, you’ll be able to download the issued certificate files:
[[ image ]]
These will typically be delivered as .crt files, which need to be combined into a single .pem file. This will allow the various web server systems to recognize and utilize the certificates during the connection process.
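To make the CSR and .pem steps concrete, here is an added shell example (not from the original post, and not any vendor’s tooling): it generates a private key and CSR on the server side, uses a throwaway local CA created inside the script as a stand-in for the issuer, then combines the returned .crt files into one .pem in the order web servers expect and checks the result before upload. It assumes the openssl CLI is installed; the domain and CA names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): walk through the CSR -> issued
# .crt -> combined .pem steps locally, using a throwaway CA created here as a
# stand-in for the real issuer. Requires the openssl CLI. All names are made up.
set -eu

WORK="$(mktemp -d)"
DOMAIN="shop.example.test"          # constructed sample domain

# Step 3 of the post: generate the key pair and the CSR on the server side.
# The private key never leaves this machine; only the CSR goes to the issuer.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" \
    -subj "/CN=$DOMAIN" >/dev/null 2>&1
  openssl req -in "$WORK/$DOMAIN.csr" -noout -verify >/dev/null 2>&1
}

# Stand-in for the CA: a self-signed "intermediate" that signs the CSR.
# A real issuer hands back the equivalent two .crt files after validation.
issue_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Test Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$DOMAIN.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -sha256 \
    -out "$WORK/$DOMAIN.crt" >/dev/null 2>&1
}

# Step 4 of the post: combine the .crt files into one .pem. Order matters:
# the server's own certificate first, then the chain up to (not including) the root.
build_chain_pem() {
  cat "$WORK/$DOMAIN.crt" "$WORK/ca.crt" > "$WORK/fullchain.pem"
}

# Checks before uploading: the leaf chains to the CA, the private key matches
# the certificate, and the first block in the .pem really is the leaf.
check_chain_pem() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$DOMAIN.crt" >/dev/null 2>&1 || return 1
  key_mod="$(openssl rsa -in "$WORK/$DOMAIN.key" -noout -modulus)"
  crt_mod="$(openssl x509 -in "$WORK/$DOMAIN.crt" -noout -modulus)"
  [ "$key_mod" = "$crt_mod" ] || return 1
  first_cn="$(openssl x509 -in "$WORK/fullchain.pem" -noout -subject | sed 's/.*CN *= *//')"
  [ "$first_cn" = "$DOMAIN" ]
}

# Count the certificates bundled in the .pem (expect 2: leaf + intermediate).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/fullchain.pem"
}

make_csr && issue_cert && build_chain_pem && check_chain_pem
echo "chain OK, $(count_certs) certificates in $WORK/fullchain.pem"
```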
📥 Upload to host + configure web server to use them
This then allows you to upload the newly created .pem files to your host.
This process is dependent on which host you’re using, what their provisions are for SSL, and which CA you obtained a certificate from.
[[ image ]]
As mentioned, this works depending on the level of
There are two ways to ensure this will all work properly…
- Redirect *ALL* port 80 (HTTP) traffic to port
- Allow both port 80 (HTTP) + port 443 (HTTPS) traffic to hit the server
Whilst it’s up to you how to make it work, the bottom-line is that it is *STRONGLY* recommended you pick the HTTPS redirect option…
I’ll explain how to do this more specifically after the next point ↴
🚩 Automated (Certbot / Wordpress etc)
If you *ONLY* want to use LetsEncrypt, you’re able to use the “certbot” service to automatically obtain and renew your certificates.
Certbot is a command-line (CLI) application designed to simultaneously validate and generate certificates for your various domains as required.
The benefit of Certbot (and there are several plugins on Wordpress which automate the process, too) is that they provide the domain owner with a simple, effective way to manage the certificate generation & renewal process — it also makes it hosting-agnostic (not dependent on cPanel etc).
Because the certificates are stored as files on your web server, and are then referenced by your HTTP server software, there are a number of ways to obtain them automatically. The following steps explain how…
🐧 Linux (Certbot)
The standard process for getting a LetsEncrypt certificate created on Linux is to use certbot. This is a software tool designed to automate the process of creating & using LetsEncrypt certificates.
Whilst simple to use, it takes a bit of setting up. The system works by interfacing with the LetsEncrypt servers (to obtain the certificates), as well as validating the domain you are trying to encrypt.
Certbot has a number of patterns which we can take advantage of:
- Unless otherwise specified, certificate files are stored in
- *ALL* HTTP-based domain validations are sent to the HTTP version of your site (http://www.site.com/.well-known/acme-challenge/[random]). This is important as this path has to be accessible (we have a trick for this).
- The .well-known test depends on a “site root” → one of the biggest tricks we discovered is that you can make a “single” root in your hosting to ensure that this folder is completely accessible regardless of which domain you use it for. For example, rather than ~/domain.com/.well-known, you use /etc/letsencrypt/.well-known (more explained below).
With these in mind, the process for using Certbot is relatively simple…
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
It’s strongly recommended you use the certbot website to identify the best installation steps for your version of Linux:
This is our own way to .well-known/acme-challenge to hosting “locations”
This is the part most people have no idea about.
In order to create a simple way to manage “any” domain on a particular server, rather than creating many different well-known folders, only create one. You then set a “location” for it in your various virtual hosts:
4️⃣ Generate SSL certificate from LetsEncrypt
There are two types of SSL certificate you can obtain from LetsEncrypt:
sudo certbot certonly --webroot -w /etc/letsencrypt -d flcleaner.com -d www.flcleaner.com
- Wildcard (requires DNS authentication)
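As an added example (not from the original post) of the single .well-known root pattern together with the HTTPS redirect recommended earlier, the following shell script creates the shared challenge directory, checks that a token written there is readable, and prints an nginx vhost whose port 80 block serves the ACME path before redirecting everything else to 443. It assumes nginx with certbot --webroot; the /var/www path, the file modes and the scratch-directory default are this example’s own choices.

```shell
#!/bin/sh
# Added example, not from the original post: the "single .well-known root"
# pattern used with certbot --webroot, plus the port 80 -> 443 redirect.
# WEBROOT defaults to a scratch directory so it runs unprivileged; on a real
# host set WEBROOT=/etc/letsencrypt. Vhost paths below are this example's own.
set -eu

WEBROOT="${WEBROOT:-$(mktemp -d)}"           # the one shared ACME webroot
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# Where certbot --webroot -w "$WEBROOT" drops a token for ANY domain: the
# path is identical whichever vhost the validation request lands on.
challenge_path() {                           # $1 = token
  printf '%s/%s\n' "$CHALLENGE_DIR" "$1"
}

# Create the shared directory; the nginx worker (not root) must be able to
# traverse it and read the token files, hence the explicit modes.
prepare_webroot() {
  mkdir -p "$CHALLENGE_DIR"
  chmod 755 "$WEBROOT" "$WEBROOT/.well-known" "$CHALLENGE_DIR"
}

# Check the web server's view of a token certbot has written.
token_is_servable() {                        # $1 = token
  p="$(challenge_path "$1")"
  [ -d "$(dirname "$p")" ] && [ -r "$p" ]
}

# nginx server blocks for one domain. The ACME location comes BEFORE the
# catch-all redirect in the port 80 block, so validation keeps working after
# everything else is forced onto HTTPS; ^~ stops regex locations overriding it.
vhost_conf() {                               # $1 = domain
  cat <<EOF
server {
    listen 80;
    server_name $1 www.$1;
    location ^~ /.well-known/acme-challenge/ {
        root $WEBROOT;
        default_type text/plain;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name $1 www.$1;
    ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;
    root /var/www/$1;
}
EOF
}

# The certbot call that matches the config above (printed here, not run).
certbot_cmd() {                              # $1 = domain
  printf 'sudo certbot certonly --webroot -w %s -d %s -d www.%s\n' "$WEBROOT" "$1" "$1"
}

prepare_webroot
echo "constructed-token-value" > "$(challenge_path constructed-token)"
token_is_servable constructed-token && echo "token readable at $(challenge_path constructed-token)"
vhost_conf flcleaner.com
certbot_cmd flcleaner.com
```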
cPanel-powered hosting allows users to run a variety of plugins to optimize their service. One of these is the “LetsEncrypt” or “AutoSSL” plugin:
Whilst only appearing on certain hosting providers (it requires installation in the “WHM” (Web Host Manager) backend element of cPanel to get it working), it gives users the ability to obtain, renew and manage the SSL certificates for their various domains.
As mentioned, the SSL process occurs at the HTTP layer (not DNS), meaning that everything you do has to tie into your web server software. cPanel helps you do this with a simple & straightforward plugin (good resource):
Some hosting companies do not support LetsEncrypt out of the box.
Apart from technical reasons, it may be the case that they have a commercial relationship with one of the incumbent certificate authorities. As such, if you’re looking at using the likes of LetsEncrypt on Namecheap, you’ll not be able to use its cPanel plugin out of the box.
You have several options...
- 1️⃣ Manually upload a certificate from SSLForFree.com — this will give you the ability to provide the bare certificate files to the host’s cPanel — which should provide valid SSL validation.
- 2️⃣ Use the likes of your CMS or another tool in the “application” layer to manage the certificate. This includes the likes of Wordpress.
The way to get LetsEncrypt working on Namecheap specifically is by using the
Wordpress (as ever) has its own solutions…
Unfortunately, many of these are not as sound as previously thought.
⚠️ Worth It?⚠️
The big problem SSL certificates solve (from a marketing perspective) is lack of transparency…
It’s so *easy* to fake things, over-inflate results and generally display a false image of something online, that initiatives are being put forward to cultivate as much accountability as there is in the “real” world.
All of the furor about Facebook’s privacy scandal, GDPR and the other data-based problems are a result of people being very easy with their data, and not holding the various “web” centric service providers to account.
Regardless of this, SSL/TLS certificates, and the attributed HTTPS protocol, ensure that anything you do online will at least have some level of protection.
Remember → *ALL* SSL/TLS certificates are the same…
The difference lies in the veracity of the certificate authority. LetsEncrypt/SSLForFree.com can *ONLY* provide domain-level validation.
In terms of the technicality of the process → this is more a question of your wider hosting stack…
Most hosting providers (especially those operating cPanel) will provide some automated functionality to handle the generation and renewal of the certs.
If you’re using a non-standardized host (such as Namecheap), or perhaps your own private VPS, you’ll need to get LetsEncrypt set up yourself. This can be difficult, time consuming and potentially confusing.
Whilst there are a number of services which can help you through the process, you need to remember that you’ll need to continue to renew the certificates every 3 months (which can get annoying).
Ultimately, if you’re looking to secure your website (perhaps a blog or simple eCommerce site), then using LetsEncrypt/SSLForFree.com is certainly something to consider.
We use it with 👾 PCFixes.com 👾, 🏆 RailsHosting.com 🏆 and a number of other services. We don’t need EV right now, and with all certificates using the same technology, there’s no need for us to get anything more than what we’re using presently.
If you’re interested in incorporating LetsEncrypt into your infrastructure stack, you’ll want to head to SSLForFree.com and see about generating a certificate…
🚨 BE CAREFUL 🚨→ there’s a limit on the number of certs you can generate per domain per week. If you generate over 5️⃣ certificates per domain, per week, you’ll be limited from creating any for 7️⃣ days.
We’ve been stung several times when trying to renew certs that had little issues with the server etc. Annoying because it means you have to wait another week to regain access…
☎️ Further Support ☎️
If you need further support, please feel free to contact us → we’re in the UK so please consider the ⌚ difference!
Live support is recommended IF you use your system for business or work.
If you need the help right now, getting an expert on screen gives you the ability to at least get a second opinion (and perhaps someone to help guide you through the fix). Live support is the only way to do this.
⚠️ Do NOT use live services that charge up front. ONLY use companies who provide live support without ANY up-front commitments…⚠️
✔️ PCFixes.com is the only recognized online system repair service
✔️ PCFixes.com is operated from the UK by veteran PC repair technicians
✔️ PCFixes.com gives 24/7 support to anyone needing system repairs
📴 PCFixes.com also resolves issues with Android & iPhone
PCFixes.com is FREE to talk to anyone and you’re welcome to stay on the line for as long as you require to get things fixed.
The real benefit of PCFixes.com lies in its contributor network → if you cannot get your system fixed directly, you can use their local network (call out an expert to come and solve the issue for you)…
If you need any help identifying or solving the problem you’re experiencing, it’s worth using the service to gain a second opinion. If you want to keep them on the line whilst you try and fix it, you’re very welcome to do that…
📥 Thanks For Reading! 📥
If you need further help, please feel free to ask below…