Let’s Encrypt? Sure, Why Not?

The question “Would you put your credit card info on a website that doesn’t have the love green padlock?” should elicit the same vehemently negative response as “Would you wade through a pool of piranhas without wearing chainmail?” Admittedly an SSL certificate isn’t the be all end all of safe browsing, but it’s a rather visible baseline indicator of how seriously the site owner takes security. It’s like what a friend told me about OSHA inspectors: they look for bad housekeeping and a sloppy work area, as they’re indicative of much bigger problems.

More Popular Than “Blep”?

With the recent developments in the abrogation of digital privacy, “SSL” will most likely be hot on the heels of “VPN” as the most popular Internet acronym of 2017. And here I was thinking a week ago that I wanted to put an SSL cert on my sites to improve SEO visibility and to simply get rid of that “Not Secure” label on the address bar. Once upon a time, those digital certificates typically came from one or two vendors and cost as much as a well decked-out 15″ MacBook Pro Retina. And they were kind of a pain to install.

A short while back, a mentor mentioned letsencrypt.org as a free, open, and automated certificate authority, and as part of my forays into AWS/Google Cloud hosting I decided to give it and its accompanying CertBot tool a try.

I Think We’re Secure Now
Look, Ma, I’m secure!

Five minutes later, and my Google VM-hosted site is secure! An hour later, I’ve slapped SSL certs on four other sites, this time hosted on AWS and Digital Ocean! A good portion of that hour was spent doing the head+desk thing before realizing I needed to (a) open port 443 on the host and (b) undo the Apache booboo that was making normal HTTP listen on 443. Live and learn and laugh.

I haven’t tried using Let’s Encrypt and CertBot on a GoDaddy VPS or a Media Temple Grid Server, but since it does not appear that you need root permission, that may be something I’d look into at some point.

You do need to have a fully qualified domain name for your host, and you also need to set up a cron job to renew the certificate every 90 days. Minor issues for something this quick, easy, and cheap.

You’re Not My Phishing (Pay)Pal

It’s also worth noting that literally the day after I’d installed these SSL certs, there were a couple of articles in my Android news feed talking about how PayPal phishing sites were using Let’s Encrypt for digital certificates. Leave it to the malfeasants to go ruining things for the rest of us, just like pseudoephedrine. Or something.

UPDATE: A New Domain and an Updated Certificate

Fast forward a week or so, and after having launched another pair of Let’s Encrypted websites, I decided to revisit my OSHA compliance web app and get a separate domain for it. Registering the domain was a cinch, thanks to Google, although it took me a few hours of waiting before realizing I had to create zone records in another section of the DNS management form, and changing the SSL certificate on the site took a bit of trial and error (and updating a forwarding setting on the default Apache configuration among other things).