Let's encrypt - Zero-to-hero guide

The recipe to go from zero to HTTPS for free

This doc is half-way between a tutorial and a shell script, read, understand, execute… Profit!

Understand what you are doing

I don’t know you, but when it comes to security, if you don’t have a high-level view of what you are doing, things won’t work or you will probably fuck up thinking you did right when you didn’t!

Producing SSL certificates has traditionally been something you'd pay for, and sometimes a lot of money. These days you can get the same for free; how come?

The costly part of a certificate is the identity endorsement, which happens because some trustworthy entity tells your browser: yes, this guy (your service) is who you think it is. In the past, those entities were fully dedicated to identity endorsement, but nowadays Let’s Encrypt is a trustworthy entity that provides certificates for free.

Of course, those entities want people to generate their certificates programmatically, so you don’t bother them. How do you do that? Through the ACME protocol!

Before, you would have needed to set up an ACME server, but now some large enough companies have “graciously” deployed servers to make it even easier.

So, Google will interact with Let’s Encrypt to produce your certificates, and it will happen in 2 steps:

Let’s get going

You will first take care of the right side, marked with 1: get Google to trust your domain.

Step #1

Enable your Google Cloud account to act as a Certificate Authority.

You need to follow this configuration up to the Request certificates section. You do this to be able to “speak ACME” with Google, which involves some steps. This is a one-off thing; once done, the next steps will be rinse-and-repeat for every new certificate.

# 1 - Ensure GCloud is installed
$ sudo snap install google-cloud-cli --classic
# 2 - Go to GCloud folder
$ cd <Installation_folder>/GCloud/
# 3 - Create a project within GCloud for this, I called mine "chiringodns"
# 4 - Enable your user (I used francisco@messengersell.com) to operate PublicCA features
$ gcloud projects add-iam-policy-binding chiringodns --member=user:<your_user_email> --role=roles/publicca.externalAccountKeyCreator

Step #2

Now you can “speak ACME” with GCloud to generate your certificates with Google endorsing your authority.

You do that with a tool called certbot.

# 5 - Ensure CertBot is installed
$ sudo apt-get install certbot

# 6 - Generate certificates with CertBot
$ sudo certbot certonly --manual

Google and Let’s Encrypt need to verify you control the domain and the application behind it. For that you will be challenged twice.

It is called a challenge because that is, more or less, what it is: so you say this is your domain? Prove it! Deploying that DNS record proves you control the domain well enough to change its records, hence it is your domain. The same goes at the application level.

Domain-level challenge: is this your domain?

At the domain level, certbot will ask you to deploy a TXT DNS record in your DNS settings.

Before continuing, make sure the record is deployed and active; you can use dig for that:

$ dig _acme-challenge.chiringo.co. TXT

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> _acme-challenge.chiringo.co. TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34730
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.chiringo.co.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.chiringo.co. 14400 IN	TXT	"<YOUR_CHALLENGE_HERE>"

;; Query time: 82 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sun Dec 08 19:51:47 CET 2024
;; MSG SIZE  rcvd: 112

The ANSWER SECTION should show the challenge Certbot generated for you.

Once you get a successful response (it should take seconds, or a minute at most), you can hit continue in certbot.
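To check the record the way a validator will see it rather than by eyeballing the dig output, here is an added example in Python (not part of the original guide): it parses the dig output format shown above, compares the ANSWER SECTION with the value certbot asked you to publish, and lets you query the zone's authoritative nameserver instead of the local stub resolver. The domain, the TXT values and the nameserver name are constructed placeholders.

```python
"""Check that the _acme-challenge TXT record is live before hitting continue.

Added example, not part of the original guide: it parses the output of
`dig <name> TXT` (the format shown above) and compares the ANSWER SECTION
with the value certbot asked you to publish. Sample data is constructed.
"""
import re
import subprocess

ANSWER_RE = re.compile(r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+TXT\s+(?P<rdata>.+)$')


def txt_values(dig_output, name):
    """TXT strings answered for `name`: quotes stripped, multi-string
    records joined. Returns [] on NODATA (dig prints no ANSWER SECTION)."""
    name = name.rstrip('.') + '.'
    values, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(';; ANSWER SECTION:'):
            in_answer = True
            continue
        if in_answer and line.startswith(';;'):
            break  # next section reached
        if not in_answer or not line.strip():
            continue
        m = ANSWER_RE.match(line)
        if m and m.group('name').lower() == name.lower():
            parts = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group('rdata'))
            values.append(''.join(parts))
    return values


def challenge_deployed(dig_output, name, expected):
    """True only when one TXT string equals the value certbot displayed."""
    return expected in txt_values(dig_output, name)


def query(name, nameserver=''):
    """Run dig. Pass the zone's authoritative nameserver (placeholder
    'ns1.example') to bypass the local stub resolver's cache (127.0.0.53
    above), which can keep serving an old or empty answer for a while."""
    cmd = ['dig'] + ([f'@{nameserver}'] if nameserver else []) + [name, 'TXT']
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample in dig's format, used to exercise the parser offline.
SAMPLE_DIG = """\
;; ANSWER SECTION:
_acme-challenge.chiringo.co. 14400 IN\tTXT\t"abc123"
_acme-challenge.chiringo.co. 14400 IN\tTXT\t"left" "over"

;; Query time: 82 msec
"""
```

Run `challenge_deployed(query('_acme-challenge.chiringo.co', 'ns1.example'), '_acme-challenge.chiringo.co', '<value certbot showed>')` and continue only when it returns True.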

Application-level challenge: is this your app?

At the application level, certbot will ask you to deploy a file at a specific URL, which verifies that you control the application served under your domain name.

# Certbot will generate a file with a challenge
# you need to make that file accessible on your app
<Installation_folder>/GCloud/challenges/X672nRD7l_S-yAua463hf3423NsVIJNy6W4PcQCVTs
Contents: X672nRD7l_S-yAua463hf3423NsVIJNy6W4PcQCVTs.hn-B3MS8E7_52qlz6NyFZgr9lNPN8wLbSee_Y35pk_4
# Now you need to make that file accessible at the following URL:
# http://chiringo.co/.well-known/acme-challenge/X672nRD7l_S-yAua463hf3423NsVIJNy6W4PcQCVTs
# NOTE: the filename only contains the first part of the hash up to the dot!!!
# Confirm it is deployed by hitting the URL with curl
$ curl http://chiringo.co/.well-known/acme-challenge/X672nRD7l_S-yAua463hf3423NsVIJNy6W4PcQCVTs
# You need to see the contents of the file, the longer string above
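The filename/contents split above is where people trip, so here is an added example in Python (not from the original guide) that derives the filename and URL from the string certbot prints, fetches it over plain HTTP like a validator would, and names the usual mistakes instead of just echoing the body. The `diagnose` messages are my own; the token and thumbprint values in the test data are constructed placeholders.

```python
"""Verify an HTTP-01 challenge file before telling certbot to continue.

Added example, not part of the original guide. certbot prints
'<token>.<thumbprint>': the token alone is the filename, the whole string
is the file body. Domain and values used here are placeholders.
"""
import urllib.error
import urllib.request


def split_key_authorization(key_auth):
    """'<token>.<thumbprint>' -> (token, thumbprint)."""
    token, sep, thumb = key_auth.partition('.')
    if not sep or not token or not thumb:
        raise ValueError('expected <token>.<account-key-thumbprint>')
    return token, thumb


def challenge_url(domain, key_auth):
    """URL the validator will request: only the token is in the path."""
    token, _ = split_key_authorization(key_auth)
    return f'http://{domain}/.well-known/acme-challenge/{token}'


def diagnose(body, key_auth):
    """Compare what the URL serves with what certbot asked for."""
    token, _ = split_key_authorization(key_auth)
    got = body.strip()
    if got == key_auth:
        return 'ok'
    if not got:
        return 'empty response: file missing or wrong filename'
    if got == token:
        return 'body is only the token: the file must contain the full string'
    if got.startswith('<'):
        return 'HTML returned: probably a 404 or redirect page, check the path'
    return 'mismatch: body does not equal the key authorization'


def fetch(url, timeout=10.0):
    """Plain-HTTP GET; an HTTP error page is returned as the body so that
    diagnose() can report it instead of raising."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode('utf-8', 'replace')
    except urllib.error.HTTPError as err:
        return err.read().decode('utf-8', 'replace')


if __name__ == '__main__':
    # Values from the example above; replace with what your certbot printed.
    KEY_AUTH = ('X672nRD7l_S-yAua463hf3423NsVIJNy6W4PcQCVTs.'
                'hn-B3MS8E7_52qlz6NyFZgr9lNPN8wLbSee_Y35pk_4')
    url = challenge_url('chiringo.co', KEY_AUTH)
    print(url, '->', diagnose(fetch(url), KEY_AUTH))
```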

After that, you can hit next on certbot and if all went well, it will create your certificate files:

That’s it! With those two files you can serve a legitimate HTTPS URL: the left part, marked with 2 in the diagram below, is achieved, and your browser can trust the URL you are visiting:

The details for uploading them differ for each cloud provider, so I’ll leave them out of this cheatsheet.

Some important tips before wrapping up:

  • Let’s Encrypt certificates are free, but they expire every 90 days, so you must re-generate them. Renewing takes much less time the next time around (I’ve done it in under 5 minutes).

  • Keep your previous certificate files and URLs; they are used to build trust over time (if you have the previous certificates, the chances of you being trustworthy increase).

  • Have some patience with the GCloud setup; it can get a bit tedious, but once done, it is pretty powerful and everything else is rinse-and-repeat.

Profit!!!
