Free HTTPS certs for all – Let's Encrypt opens doors to world+dog

And it's pretty easy to install via a command line

By Chris Williams, Editor in Chief


How-to The Let's Encrypt project has opened to the public, allowing anyone to obtain free TLS certificates and set up HTTPS websites in a few simple steps.

It's a major leap forward in encrypting the world's web traffic, keeping people's information and browser histories out of the hands of eavesdroppers and other miscreants.

The certification-issuing service is run by the California-based Internet Security Research Group (ISRG), and is in public beta after running a trial among a select group of volunteers. The public beta went live at 1800 GMT (1000 PT) today.

Its certificates are trusted by all major browsers – Google Chrome, Mozilla Firefox and Microsoft's Internet Explorer worked in our office with fresh certs from the fledgling certificate authority.

Incredibly, it is almost too easy to use. You download an open-source client to your web server, and then one command will request and install a certificate, and configure your system to use it. And that's it.

Here's what this humble hack ran on a personal webapp development machine powered by Apache (yeah, yeah, kicking it old school):

cd ~/src
git clone
cd letsencrypt
./letsencrypt-auto --apache -d

You're then prompted for your sudo password. Next, the client installs its dependencies, and then asks for your email address so you can be contacted if there are any problems. You're also asked to agree to a set of terms and conditions. Next, it asks if you want to force all traffic to go through HTTPS – yes, obviously.

And then, bam. It's done. A 2048-bit RSA certificate with a SHA-256 signature is installed, and the server is configured to serve it over TLS 1.2. The resulting server configuration gets an A from Qualys SSL Labs (which grades the whole TLS setup, not just the cert).

Crucially, this process can be completely automated – the email address and agreement to the fine print can be set on the command line using --email and --agree-tos. This matters because Let's Encrypt certificates are valid for only 90 days, so renewal needs to run unattended, from a cron job or timer, and be monitored: a renewal job that silently stops working shows up as an expired cert and a browser warning 90 days later.
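Putting the above together, here is an added example of what an unattended setup looks like: the one-shot issuance command built from the flags the article names, plus the expiry check you would run from cron to catch a renewal job that has quietly broken. This is not code from the article or from the Let's Encrypt project. It assumes a current client (the letsencrypt-auto client was later renamed certbot, and the --non-interactive and --redirect flags and the renew subcommand are taken from certbot, not from the article), that openssl and GNU date are installed, and that the domain, email address and certificate path are placeholders you replace.

```shell
#!/bin/sh
# Added example (not the article's or the Let's Encrypt project's code):
# non-interactive issuance plus a cron-friendly expiry check.
set -eu

# Client name. The article's letsencrypt-auto was renamed certbot;
# a current certbot is assumed here.
CLIENT="${CLIENT:-certbot}"

# Build the one-shot issuance command as a string, using the flags the
# article names (--apache, -d, --email, --agree-tos) plus --non-interactive
# and --redirect (certbot flags; the latter forces HTTP to HTTPS, the
# question the article answers "yes, obviously" to interactively).
issue_cmd() {
    domain="$1"; email="$2"
    printf '%s --apache -d %s --email %s --agree-tos --non-interactive --redirect\n' \
        "$CLIENT" "$domain" "$email"
}

# Whole days until the certificate in a PEM file expires (negative once
# it has expired). Reads notAfter with openssl and parses it with GNU date.
cert_days_left() {
    pem="$1"
    enddate=$(openssl x509 -noout -enddate -in "$pem" | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$enddate" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# True (exit 0) when the cert expires within $2 days (default 30).
# openssl's -checkend exits 0 if the cert is still valid after that many
# seconds, so the result is negated.
renewal_due() {
    pem="$1"; threshold="${2:-30}"
    ! openssl x509 -noout -checkend $(( threshold * 86400 )) -in "$pem" >/dev/null
}

# Daily cron entry point. "certbot renew" only renews certs that are close
# to expiry, so running it every day is safe. The expiry check afterwards is
# the monitoring: if renewal keeps failing, the cert keeps getting closer to
# expiry and this function exits non-zero, which cron reports.
renew_and_verify() {
    pem="$1"; alert_days="${2:-20}"
    "$CLIENT" renew --non-interactive || true   # failures are caught below
    if renewal_due "$pem" "$alert_days"; then
        echo "ALERT: $pem expires in $(cert_days_left "$pem") days" >&2
        return 1
    fi
}

# Example (placeholders, not real hosts):
#   eval "$(issue_cmd example.com admin@example.com)"
#   renew_and_verify /etc/letsencrypt/live/example.com/fullchain.pem
```

The 20-day alert threshold sits deliberately below certbot's own 30-day renewal window: a healthy setup never trips it, so any alert means the automated renewal has failed for more than a week and someone still has time to fix it before the 90 days run out.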

Full documentation is here and a quick start guide is here. The project's root certificates and intermediate certificates can be found here; the intermediates are cross-signed by IdenTrust.

Let's Encrypt is overseen by folks from Mozilla, Akamai, Cisco, Stanford Law School, CoreOS, the EFF and others, and sponsored by various internet organizations.

"It’s time for the Web to take a big step forward in terms of security and privacy. We want to see HTTPS become the default. Let’s Encrypt was built to enable that by making it as easy as possible to get and manage certificates," the team wrote in a blog post today. There's a reward going for anyone who can find a security hole in the service.

"We have more work to do before we’re comfortable dropping the beta label entirely, particularly on the client experience. Automation is a cornerstone of our strategy, and we need to make sure that the client works smoothly and reliably on a wide range of platforms. We’ll be monitoring feedback from users closely, and making improvements as quickly as possible."

Let's Encrypt signed its first certificate in September, and its client software emerged in early November. Since then the team have been squishing bugs in their systems, managing to catch at least one nasty flaw before going public.

You can typically expect to pay for SSL certificates, although some authorities do offer freebies. None so far, to our knowledge, are as straightforward as Let's Encrypt's free service. ®
