Let's Encrypt - Free SSL Certificates

UPDATE 2018-01-13: use certbot - it's in Debian and Fedora at least, and definitely the easiest way to get your Let's Encrypt certs.

UPDATE 2016-01-05: a better (for me, anyway) command line solution: acme-tiny.

The stated goal of http://letsencrypt.org/ is to make SSL certificates easy and free so secure connections are everywhere. To this end, they've created a free automated system for the generation and renewal of valid (ie. not self-signed!) SSL certificates. Note that the certs they generate are only valid for 90 days: it's their intent you should automate renewal with a cron job (I'm okay with that).

Starting from the Quick Start Guide, they suggest the following:

$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto --help

I thought "I'll be safe and do this in a throw-away account." First thing the script asks: "sudo password." <sigh> So fine: I did it on a throw-away (virtual) machine.

The first thing the script does is takes over your package manager and starts installing everything it thinks it needs (unless it doesn't know your OS - it couldn't figure out TinyCore Linux - then it gives some basic instructions and bails). All those packages to run the "--help" command, that makes sense. I'm mildly unimpressed to see that a brand new application is using Python 2.x. Couldn't they have gone with 3.x? The help also notes that (at least for this utility, letsencrypt-auto) nginx support "is experimental, buggy, and not installed by default."

Further tinkering revealed a number of things, but the primary one is that if you're using letsencrypt-auto, not only does it insist on full root access, it also insists on being run on the host that serves the domain name you're requesting the certificate for. It does this by posting a page on your web server and then checking it from the certificate generating server. I can see the logic to this - ie. proof of ownership (or at least control) of the domain - but all of this could be achieved without the script having complete control of the machine.

Apparently I wasn't alone in being unimpressed with this "let me have all the things" attitude: "I love the Let's Encrypt devs dearly, but there's no way I'm going to trust their script to run on my server as root, be able to edit my server configs, and have access to my private keys. I'd just like the free ssl certificate, please:" Let's Encrypt Without Sudo.

I get what they're trying to do, and I realize that it's going to be more difficult if you won't let them seize control of your machine ... But I prefer not to escalate scripts unless I have to and I'm willing to work a little harder for it. So I'll be looking at the scripts other than letsencrypt-auto and at "Let's Encrypt Without Sudo."