
How Do LetsEncrypt’s Free HTTPS/SSL Certificates Work?


Let’s Encrypt issues SSL certificates for free. These certificates are used to secure and encrypt traffic to your website, and they give you the green padlock in the URL bar. Without one, you’re stuck with plain HTTP, which sends everything unencrypted.

What Is an HTTPS/SSL Certificate?

When someone connects to your website, their browser asks your server to identify itself, so it can be sure nobody is sitting in the middle of the connection. The server does this by presenting an SSL certificate, which is issued to you by a Certificate Authority (CA).

The CA records your domain name and binds it to your public key, the key used to encrypt the connection. Anyone connecting to your website can verify that you are using the key the CA vouched for, so you must be who you say you are. As long as everyone trusts the CA, nobody malicious can forge a certificate, because certificates are signed by the CA and can only be issued by it.

This means that as long as you have an SSL certificate, nobody can spy on people’s connections while they use your website, and nobody can impersonate it. That makes HTTPS both useful and much more secure. With the rise of Let’s Encrypt, 93% of web traffic (through Google) is now HTTPS, and if your website isn’t, you’ll rank much lower in Google search results.


How Is Let’s Encrypt Different?

Let’s Encrypt is entirely free to use. This is unusual for a CA, as most of them require you to pay hundreds of dollars per year. This is the major advantage of Let’s Encrypt—if you don’t need anything fancy, you can easily secure your website with HTTPS.

Let’s Encrypt does have a few downsides, though. Its certificates are only valid for 90 days, but renewal can be automated, so that’s not a dealbreaker. It also only offers Domain Validation (DV) certificates, which verify only that you control the domain. It doesn’t offer Organization Validation (OV) certificates, which require you to register your business with the CA, and it doesn’t offer Extended Validation (EV) certificates, which require an extensive vetting process and show your business name in the URL bar.

(Image: EV certificate for PayPal.)

However, there’s not much benefit to an OV certificate, and you probably don’t need an EV certificate unless you’re running a bank or major institution, in which case you can probably spare the money. Even Amazon doesn’t have an EV certificate.

For most people, as long as you don’t mind renewing your certificate every 90 days, there’s really not much point nowadays in having anything fancier than Let’s Encrypt.

How to Set Up Let’s Encrypt Certificates

You’ll need command line access to the server you intend to install the SSL certificate on. Alternatively, if you use a managed hosting provider like SquareSpace, your host may support Let’s Encrypt, and some have it enabled by default. Others, like GoDaddy, bundle SSL into their paid plans and may lock you out of alternative options. You can check whether your provider is on the list, and how to enable Let’s Encrypt if it is. For this article, we’ll focus on manual setup on your own web server.

To obtain a certificate, you need an ACME client: a program that talks to Let’s Encrypt for you and proves that you control your domain name. Let’s Encrypt recommends certbot, a command line utility that not only creates certificates but also installs them into the web server you’re using.

If you don’t want certbot touching your nginx or Apache config files, you can generate a certificate with a different ACME client. You’ll then have to add it to your config yourself, and you’ll have to manage renewing it every 90 days (which can be automated, but you’ll have to set that up). For most people, Certbot will do fine.

Installing and Using Certbot

Installation varies depending on what OS you’re running, but Certbot only runs on Unix systems, so no Windows. It’s usually as simple as installing it from your distro’s package manager. On Debian-based systems like Ubuntu, that would be:

sudo apt-get install certbot

You may first have to add the Certbot repo to your package manager. Luckily, Certbot’s website has complete installation instructions for each distro: select the web server you’re using and the OS you’re running it on, and Certbot gives you the list of commands to install the necessary packages. Run these and wait for the install to finish.

When it’s done, you’ll want to run:

sudo certbot --nginx

Replace the --nginx flag with whichever web server you’re using. Certbot will generate a new certificate and install it into your nginx config. You can also run Certbot as a plain ACME client that leaves your config alone, with:

sudo certbot --nginx certonly

This generates the certificate files, which you can then deploy to your web server by hand.

Certbot automatically manages renewal on most distros via a cron job or systemd timer, so you won’t have to worry about the certificate expiring. The cron job is usually at /etc/cron.d/certbot if you want to check.

One thing to note is that this cron job simply runs certbot renew, which will not automatically restart your web server to pick up the new certificate. You can attach an additional command to the renewal with --renew-hook, passing it a command that reloads nginx, like so:

certbot renew --renew-hook "/etc/init.d/nginx reload"

You can also manually renew your certificates directly from the command line with:

sudo certbot renew

You will need to reload your web server after this as well.
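The reload step above is where renewals usually go wrong in practice: the certificate is renewed on disk, but the server keeps serving the old one. As an added example (not from the article, and not Certbot’s own code), here is a hook script that checks the renewed lineage directory and nginx’s config before reloading. It assumes you pass it to certbot with --deploy-hook (the current name of the --renew-hook option), that certbot exports RENEWED_LINEAGE to the hook as it does for deploy hooks, and an install path of /usr/local/sbin/reload-nginx.sh.

```shell
#!/bin/sh
# Added example, not part of the original article: a certbot deploy hook that
# reloads nginx only after confirming the renewed lineage holds a certificate
# and key, and that nginx accepts its configuration.
# Certbot runs deploy hooks after a successful renewal and exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and RENEWED_DOMAINS.
# Assumed usage: certbot renew --deploy-hook /usr/local/sbin/reload-nginx.sh
set -eu

# Return 0 if the lineage directory holds a non-empty fullchain.pem and
# privkey.pem, the two files an nginx ssl_certificate/ssl_certificate_key
# pair points at. Guards against reloading onto a half-written lineage.
lineage_ok() {
    dir=$1
    [ -s "$dir/fullchain.pem" ] && [ -s "$dir/privkey.pem" ]
}

# Run the config test ($1) and, only if it passes, the reload ($2).
# Both are passed as commands so the logic can be exercised without nginx.
# Returns 0 when reloaded, 2 when the config test failed (nothing reloaded).
reload_if_valid() {
    test_cmd=$1
    reload_cmd=$2
    if $test_cmd; then
        $reload_cmd
        return 0
    fi
    echo "nginx config test failed; keeping the running config" >&2
    return 2
}

# Entry point: only runs when certbot invoked us (it sets RENEWED_LINEAGE),
# so sourcing the file elsewhere does not touch nginx.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if ! lineage_ok "$RENEWED_LINEAGE"; then
        echo "lineage $RENEWED_LINEAGE lacks fullchain.pem or privkey.pem" >&2
        exit 1
    fi
    # nginx -t parses the config and exits non-zero on error;
    # nginx -s reload asks the running master process to re-read it.
    reload_if_valid "nginx -t" "nginx -s reload"
fi
```

Because the hook exits non-zero instead of reloading when something is off, the failure shows up in certbot’s renewal log rather than as a silently expired site.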

Dealing with HTTPS Traffic

HTTPS works a bit differently from regular HTTP. HTTP’s default port is 80, which is usually already open on web servers. HTTPS runs on port 443, so you’ll need to make sure that port is open in any firewalls you have for HTTPS to work.

Additionally, now that you have HTTPS, you’ll probably want to redirect all plain HTTP traffic to it. You can do this with an nginx server block:

server {
    listen 80 default_server;

    server_name _;

    return 301 https://$host$request_uri;
}

This redirects every request on port 80 to the same URL over HTTPS. It replaces the default port 80 server, so make sure nothing else is listening on that port.

Anthony Heddings
Anthony Heddings is the resident cloud engineer for LifeSavvy Media, a technical writer, programmer, and an expert at Amazon's AWS platform. He's written hundreds of articles for How-To Geek and CloudSavvy IT that have been read millions of times.