Let's Encrypt: Upgrade Your Website to SSL Ready for Free
Our Commitment to Protecting Your Information by Marissa Mayer, Yahoo CEO
At the end of 2013, it came out in the US that the government had run lines directly into Yahoo's data centers to siphon off user data, so in early 2014 Yahoo announced it would use SSL on every connection to protect the data in transit. But buying an SSL certificate is really expensive, and with a pile of domains it is simply unaffordable. So on the small sites I run myself I usually used a self-signed certificate to get around this, except the browser keeps nagging that your SSL is invalid. Today, the Internet Security Research Group (ISRG), in the interest of Internet security, provides a free SSL certificate service, Let's Encrypt, whose main features are:
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
- Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
The service entered Open Beta on 2015/12/3; anyone can use it directly, with no application required.
Install
Usage is simple too: download the letsencrypt client from GitHub, then run ./letsencrypt-auto --help all
to see all the help text and usage instructions.
Renew
The default SSL certificate expires after 90 days, so I set up a cron job that runs once a day. This script scrapes every ServerName with port 443 open under apache2 and renews its SSL certificate. The --renew-by-default
and --agree-tos
options, once enabled, stop the CLI from asking all sorts of questions.
[shell title="Sample renew script"]
#!/bin/sh
# Stop Apache so the standalone authenticator can bind to port 443
/usr/sbin/apachectl stop
# Collect every ServerName of a :443 vhost from the enabled sites and pass each one as "-d host"
/home/whatup/letsencrypt/letsencrypt-auto certonly -a standalone --renew-by-default --agree-tos `grep -ih servername /etc/apache2/sites-enabled/* | grep 443 | sed 's/:443//g' | sed 's/ServerName/-d/g'` --email whatup.tw@gmail.com
# Bring Apache back up
/usr/sbin/apachectl start
[/shell]
Rate Limit
The rate limits are as follows; keep an eye on them yourself, or you will get blocked.
- Registrations per IP is 10 registrations per 3 hour window.
- Certificates per name is 10 certificates per 59 days.
- Pending registrations per account is 300 per 1 week.