There are a lot of good arguments for enabling https for websites but I kept putting it off: there is a cost to get a certificate and that would be more than my yearly server cost. Additionally, my website doesn’t handle any sensitive information.
But deep down, I know these are just excuses.
Then I noticed Let’s Encrypt was mentioned a few times on Twitter and decided to check it out. Well, it’s FREE.
From its website,
Let’s Encrypt is a free, automated, and open Certificate Authority.
Okay… So what is a certificate authority?
In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.
So it seems Let’s Encrypt issues certificates for your website so you can enable https.
Okay, why do I need a certificate and who is it really for?
How SSL works is fairly complicated and I haven’t dug into the details. It involves a handshake between the client and the server, a shared secret key and a lot of validation. Once the connection is established it switches to symmetric cryptography. The key exchange problem was really fascinating to read about.
You can actually find the list of trusted certificate authorities in your browser settings. Interestingly though, when I tried to find Let’s Encrypt’s certificate in Chrome (Settings -> Show advanced settings… -> HTTPS/SSL -> Manage certificates…), I couldn’t find it. Ha?
If Let’s Encrypt is not trusted, then how can browsers trust the certificates it issues?
Turns out Let’s Encrypt Authority X3 is not a root certificate; it is itself signed by one, ISRG Root X1. The problem is, ISRG Root X1 belongs to a new certificate authority, so most browsers don’t trust it yet. If they can’t trust ISRG Root X1, they won’t trust anything it signs. As a result, they wouldn’t trust Let’s Encrypt Authority X3, nor any certificate signed by it. This problem was solved by cross-signing: IdenTrust cross-signs Let’s Encrypt, and since IdenTrust’s root is already trusted, certificates signed by Let’s Encrypt are trusted as well. Here is an image from Let’s Encrypt’s website that demonstrates this relationship.[1]
I found both ISRG Root X1 and DST Root CA X3 in my keychain.
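To see why the cross-signature matters, here is an added example (not from the original post or from Let’s Encrypt) that rebuilds the same chain shape with throwaway local keys: two unrelated toy roots standing in for ISRG Root X1 and DST Root CA X3, one intermediate key pair signed by both, and a site certificate issued by that intermediate. It assumes a POSIX shell with the `openssl` command line tool installed.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the cross-signing
# arrangement with throwaway local keys. The "ISRG" and "DST" roots below are
# toy self-signed certificates generated here, not the real CAs' certificates.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > "$WORK/leaf.ext"

new_key_csr() {  # $1 = file stem, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}
self_sign_root() {  # $1 = stem: turn its CSR into a self-signed root
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/ca.ext" -days 30 -out "$WORK/$1.crt" 2>/dev/null
}
sign_with() {  # $1 = CSR stem, $2 = issuer cert stem, $3 = issuer key stem,
               # $4 = output stem, $5 = extension file
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -extfile "$WORK/$5" -days 30 -out "$WORK/$4.crt" 2>/dev/null
}

# Two unrelated roots: the new one (ISRG Root X1) and an established one
# (DST Root CA X3, run by IdenTrust).
new_key_csr isrg_root "Toy ISRG Root X1";   self_sign_root isrg_root
new_key_csr dst_root  "Toy DST Root CA X3"; self_sign_root dst_root
# ONE intermediate key pair and ONE CSR, signed twice: by its own root and,
# as the cross-signature, by the established root. Same subject, same key.
new_key_csr le_x3 "Toy Lets Encrypt Authority X3"
sign_with le_x3 isrg_root isrg_root le_x3_by_isrg ca.ext
sign_with le_x3 dst_root  dst_root  le_x3_by_dst  ca.ext
# The site certificate is issued with the intermediate's key; which of the two
# intermediate certificates is served alongside it is a separate choice.
new_key_csr site "example.com"
sign_with site le_x3_by_isrg le_x3 site leaf.ext

# verify_chain ROOT INTERMEDIATE: exit 0 if site.crt chains to ROOT through
# INTERMEDIATE, non-zero otherwise. ROOT plays the browser's trust store.
verify_chain() {
  openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2.crt" \
    "$WORK/site.crt" >/dev/null 2>&1
}
verify_chain isrg_root le_x3_by_isrg && echo "store has ISRG root: OK"
verify_chain dst_root  le_x3_by_dst  && echo "store has only DST root, cross-signed intermediate: OK"
verify_chain dst_root  le_x3_by_isrg || echo "store has only DST root, ISRG-signed intermediate: FAIL"
```

The third check is the situation the post describes: a browser that only trusts IdenTrust rejects the chain unless the cross-signed copy of the intermediate is the one presented.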
I use DigitalOcean and there is a detailed tutorial on its site on how to use Let’s Encrypt and set up https with nginx.
It’s fairly easy, but don’t forget to allow SSL traffic through the firewall.[2]
Using Chrome’s developer tools panel, you can view information about the connection to your site.
Notice that the root certificate is DST Root CA X3, not ISRG Root X1.
You can get an overview of the connection in Chrome’s developer panel.
The whole process was definitely easier than I thought.[3] Kudos to the Let’s Encrypt team!
- 1. There certainly is a difference between a certificate authority and the certificates it issues. I somewhat use them interchangeably. 😬
- 2. I followed another article on DigitalOcean’s site at first and didn’t change the firewall settings… 😒😒😒
- 3. Except that I wasted some time trying to figure out if I had configured Nginx wrong when I should’ve enabled https traffic… 😒😒😒