Almost a year ago, an initiative to deliver a free, secure and easy SSL/TLS to everybody on the web was announced. That’s Let’s Encrypt. I’ve been following the project closely ever since and, yesterday, have received an invite to test Let’s Encrypt through their closed beta program.
Therefore… my personal website is available through HTTPS and SPDY1! This was the first time I had anything to do with setting up TLS and I can’t say it was a fun experience. I don’t even want to think how bad setting up TLS is through traditional means.
Once Let’s Encrypt is made available publicly, setting up a server to use TLS should be as easy as
letsencrypt tool onto your server and answering two or three questions after launching
said tool. Ta-dah! TLS is up! However, this being a closed beta and my server being one of those
low-end kind, I ran into some issues, and some manual fiddling was necessary to set the things up
Installation process of the
letsencrypt tool compiles some nontrivial native libraries. 192MB
available on my server2 were not enough for GCC to deal with the task and I had to compile the
necessary libraries elsewhere. I also opted to use the manual authenticator, because the nginx
authenticator has a scary warning about it not working yet. Once the authentication process was
complete, though, all the necessary certificates were up and ready to go in
before I counted to three. Awesome!
letsencrypt tool indeed works as advertised – there is nothing preventing
Let’s Encrypt from achieving that – I see absolutely no more reason for a website without TLS
support exist. On the other hand, there are plenty of reasons for non-TLS websites to implement
TLS: other than the “more security” propaganda, some browser vendors are strongly encouraging
encryption via miscellaneous means too. For example, Firefox Nightlies now present website as
insecure when a password field exists on a HTTP site and some browsers (Chrome and
Firefox, at least) support HTTP/2 and SPDY over TLS only.
Success of Let’s Encrypt would also strongly influence the market of SSL/TLS certificates – competition would be forced to provide at least a single free or very cheap (sub-€/sub-$) option for obtaining a certificate signed by them and to greatly improve the UX of generating and managing said certificates. I hear things aren’t in a good shape currently.
All in all, I’m now even more enthusiastic about the future of the web and what Let’s Encrypt project is bringing to the table. Thanks for all the hard work!
HTTP/2 has been enabled in nginx 1.9.5 and I will be enabling that as soon as this version of nginx lands into Ubuntu repositories.↩︎
Interestingly, I couldn’t create any additional swap space either, because for some dumb reason the VPS provider had removed permissions necessary to use the
swapon(2). Low-end servers, heh…↩︎