About 6 months ago, Lets Encrypt was brought to my attention as I was once again scowering the internet for a cheap provider of SSL certificates. I run a handful of small websites where providing reliable encryption makes a lot of sense, especially given that passwords are often reused :)
It immediately looked promising. If you go to their website, you'll notice they have a ton of small backers, like: EFF, Chrome, Cisco, Mozilla, Facebook, Shopify, and many many more.
Before let's encrypt, I used a combination of two solutions:
My Own Certificate Authority
My first step was to generate my own root CA. I then generated the various certificates needed for my sites, and installed the root CA on all my devices.
This worked fine... but I still wanted to access certain internal tooling from other devices, and it was annoying every time it warned me. And it was annoying to keep up-to-date.
Oh, and also, Android felt the need to inform me I had a custom certificate installed on my phone.. All. The. Time.
In combination with my own root CA, I used Cloudflare to obtain a free SSL certificate and sit a a CDN/DDoS protection infront of my website. One of the great things is you can put it in unvalidated mode, where it uses downstream SSL, but won't validate the ceritificate.
Their service is great, but they do want to control your entire domain, meaning that you're restricted to their nameservers. I didn't want to use them for all my domains.
The Future: Let's Encrypt
After about a year of these ad-hoc solutions, I discovered Let's Encrypt. When I first found it, it hadn't released yet, but a few months later, it was out and available for use.
Their scripts were a little bit over-controlling for my taste. The scripts managed everything from obtaining a certificate, to installing, updating your server's config, and renewing. It basically wants to know your entire stack. With my solutions, I prefer a little less magic involved.
I then found that there were some people beginning to write their own scripts that follow the ACME protocol.
The first I started to use was letsencrypt-nosudo, which implements ACME in a way that doesn't need sudo, but the process still required a few manual steps. This worked fine for a while, but I did eventually need some automation since their certificates expires after 3 months (Which I'd argue is a good thing, as it forces you to keep track of your certificates!)
Finally, I landed at acme-tiny and my wrapper script acme-tiny-manager. acme-tiny is a great script that does the negotiation with lets encrypt after you've generated the appropriate keys via
openssl. My script,
acme-tiny-manager, will make that a fully automated process, and creates a file system structural so renewal can happen without any user input.
I now have all my sites, both public and internal, using strong encryption. I feel happy with my solution, and I'd highly recommend let's encrypt if you're looking for a way to secure your sites.