letsencrypt

June 8, 2024 | seedling, permanent

Summary #

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.

You can read about our most recent year in review by downloading our annual report.

The key principles behind Let’s Encrypt are: #

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.

  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.

  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.

  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.

  • Open: The automatic issuance and renewal protocol is published as an open standard that others can adopt.

  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

Challenge types #

HTTP-01 challenge #

The HTTP-01 challenge is the most common type and requires placing a token file on your web server. It is easy to automate but cannot be used if your ISP blocks port 80 or for issuing wildcard certificates.

DNS-01 challenge #

The DNS-01 challenge involves placing a token in a TXT record in your DNS. It is more complex to configure but allows for wildcard certificates and works well with multiple web servers.
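To make the two challenge types above concrete, here is an added example (not from the original note, and not Let’s Encrypt or Certbot code) that computes what the CA actually checks in each case, following RFC 8555 (ACME) and RFC 7638 (JWK thumbprint): for HTTP-01 the token file body served at /.well-known/acme-challenge/<token> on port 80, and for DNS-01 the TXT record at _acme-challenge.<domain>. The account key, the token and the domain names are constructed placeholders; the JWK coordinates are not a real P-256 point, which does not matter because the thumbprint only hashes the JSON. It also shows why DNS-01 can validate a wildcard: the record name for *.example.com is the same _acme-challenge.example.com.

```python
import base64
import hashlib
import json

# Constructed sample ACME account key (public part, as a JWK). The x/y values
# are placeholders, not a real curve point; thumbprinting only hashes the JSON.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-placeholder",
    "y": "constructed-y-coordinate-placeholder",
    "alg": "ES256",  # optional member: must NOT influence the thumbprint
}

# Constructed challenge token, shaped like the base64url tokens a CA sends
SAMPLE_TOKEN = "constructed-token-0123456789abcdefghijklmnop"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint covers only the required members of each key type
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members, keys sorted, no whitespace (RFC 7638)."""
    members = {name: jwk[name] for name in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected(token: str, jwk: dict) -> tuple[str, str]:
    """Path on port 80 and the exact body the CA fetches for HTTP-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_expected(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """TXT record name and value for DNS-01 (RFC 8555 section 8.4).

    A wildcard identifier '*.example.com' is validated at the base name, so the
    leading '*.' is dropped from the record name.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def validate_http01(fetched_body: str, token: str, jwk: dict) -> bool:
    """CA-side check: the fetched body must equal the key authorization.

    RFC 8555 lets the server ignore trailing whitespace, hence rstrip().
    """
    return fetched_body.rstrip() == key_authorization(token, jwk)


def validate_dns01(txt_records: list[str], domain: str, token: str, jwk: dict) -> bool:
    """CA-side check: the expected digest must appear among the TXT records."""
    _, expected = dns01_expected(domain, token, jwk)
    return expected in txt_records


if __name__ == "__main__":
    path, body = http01_expected(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"HTTP-01: serve {body!r} at http://example.com{path}")
    name, value = dns01_expected("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"DNS-01:  publish TXT {name} = {value}")
```

Both expected values derive from the same key authorization, so a token leaked from one challenge type is only useful to someone who also controls the account private key; the value placed in DNS is a hash of it rather than the string itself.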

TLS-SNI-01 #

The TLS-SNI-01 challenge has been deprecated and disabled since March 2019 due to security issues. It initially worked via a TLS handshake on port 443 but is no longer supported.

TLS-ALPN-01 #

Developed after TLS-SNI-01, the TLS-ALPN-01 challenge uses a custom ALPN protocol and is performed over TLS on port 443. It is suitable for large hosting providers but is not supported by Apache, Nginx, or Certbot and cannot validate wildcard domains.

