SSL for free forever

As you undoubtedly know if you are a web server administrator, TLS/SSL is an evolving encryption protocol that started with Netscape long ago. The object of this global movement is to protect people from those who would violate their privacy. From Wikipedia:

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL),[1] are cryptographic protocols designed to provide communications security over a computer network.[2] Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.

Along with any noble endeavor soon arises ignoble exploitation: in this case, the sale of “security certificates” or “SSL certificates” at outrageous prices. As with so many aspects of managing a LAMP server, one rarely has intimate personal knowledge of the inner workings of TLS/SSL certificates and routines, so buying from the hosting company is less hassle, but expensive.

The Let’s Encrypt group has bravely stepped up to make TLS/SSL certificates available, without charge, to everyone. I recommend reviewing documentation on their web site. Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG), 1 Letterman Drive, Suite D4700, San Francisco, CA 94129, USA.

The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. Read more about it on the Let’s Encrypt page. This is accomplished by running a certificate management agent on the web server. This works with dedicated hosting, but usually not with shared hosting, because you must be able to log in as root to install and run the certificate management packages. In most “WordPress Shared Hosting” arrangements you will not be permitted this level of access, but there are other approaches you might be able to use, discussed on the Let’s Encrypt Getting Started page. Also, in WordPress Shared Hosting you most likely WILL have cPanel, so another approach is possible when you have been blessed with cPanel.

If your hosting provider doesn’t want to integrate Let’s Encrypt, for example because he wants to sell you certificates at $79 EACH PER YEAR, but cPanel does support uploading custom certificates, you can install Certbot on your own computer and use it in manual mode. In manual mode, you upload a specific file to your website to prove your control. Certbot will then retrieve a certificate that you can upload to your hosting provider. SSL management is in the Security section of the cPanel screen. This is labor intensive, and you must repeat it every three (3) months, but it is your best solution if you cannot log into your web server as root and don’t want to pay the extortion to buy certificates from your hosting provider.
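
Added example, not from the original post or from Certbot: a pre-check for the manual-mode step above, confirming that the uploaded challenge file is reachable over plain HTTP with exactly the content Certbot displayed before you let Certbot continue. It assumes the standard ACME HTTP-01 location `/.well-known/acme-challenge/<token>`; the function names and the script name are hypothetical.

```python
"""Pre-check an ACME HTTP-01 challenge file before letting Certbot continue."""
import string
import sys
import urllib.error
import urllib.request

# Location the CA requests, fixed by the ACME spec (RFC 8555, HTTP-01).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
BASE64URL = set(string.ascii_letters + string.digits + "-_")


def challenge_url(host, token):
    """Build the plain-HTTP URL the CA will fetch for this token."""
    # Tokens are base64url; rejecting anything else keeps a mis-pasted
    # value from becoming a different path or a query string.
    if not token or not set(token) <= BASE64URL:
        raise ValueError("token is not base64url: %r" % token)
    return "http://" + host + CHALLENGE_PREFIX + token


def check_challenge(host, token, expected, timeout=10):
    """Return (ok, reason) for the uploaded challenge file (hypothetical helper)."""
    url = challenge_url(host, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("ascii", "replace")
    except urllib.error.HTTPError as exc:
        return False, "HTTP %d from %s" % (exc.code, url)
    except (urllib.error.URLError, OSError) as exc:
        return False, "cannot reach %s: %s" % (url, exc)
    # Only trailing whitespace is tolerated; an HTML wrapper, a BOM or a
    # stale file from the previous renewal will all fail here.
    if body.rstrip() != expected.strip():
        return False, "content mismatch at " + url
    return True, "challenge file is served correctly"


if __name__ == "__main__":
    # Usage: python3 check_challenge.py <domain> <token> <file-content>
    if len(sys.argv) != 4:
        sys.exit("usage: check_challenge.py <domain> <token> <file-content>")
    ok, reason = check_challenge(*sys.argv[1:4])
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it after uploading the file and before confirming in Certbot, since failed validations count against Let’s Encrypt’s rate limits.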

cPanel is commonly provided in dedicated hosting agreements, and if you can log in as root there is an amazing and very affordable product that eliminates the cost of obtaining TLS/SSL certificates and installing them – literally reducing the entire process to a couple of mouse clicks: FleetSSL. Cost? $30US for all web sites on one server, forever. Delivery? Immediate, via web links in email.

Over this weekend I installed the FleetSSL product on one of my customer’s servers: it worked immediately and has been reliable (so far anyway). There are, however, constraints which make it unavailable to “shared hosting” arrangements; in particular, you must have root access to add the FleetSSL package to your package manager and install the FleetSSL package. The letsencrypt package repository path is downloaded and copied to /etc/yum.repos.d/ with wget and installed in the usual way with yum.

Concise instructions are provided on their web page https://letsencrypt-for-cpanel.com/docs/for-admins/installation/. I would publish the instructions here; however, for some reason WordPress is refusing to allow that specific text, possibly because it looks like what it is: server administrator commands.

You may use the free version for three days or request a longer evaluation period (I was granted 14 days). After you have purchased, the contents of your /etc/letsencrypt-cpanel.licence file will be provided via a link in email. Simply replace the contents with the new data and you are done.