Free SSL Certs, Automatically Renewed

SSL certificates are basically required for all modern web sites. The problem is that (1) they cost money, and (2) you have to renew them every year or so. It gets to be a real pain, especially if you manage multiple sites.

There is an alternative: create a (free) self-signed certificate and give it an expiration of 99 years. But anyone who visits your site will see a huge warning message that it is unsafe.

The solution:  Let's Encrypt.


How Does It Work?

The truly remarkable thing about Let's Encrypt isn't that it's free; it's that your certificates are automatically renewed before they expire. This is done thanks to a server-side program called "certbot", which runs twice a day. Luckily it's extremely easy to install and set up. I had it set up for my site flightpathlabs.com in about five minutes. I followed this guide for setting it up with Ubuntu 18.04. (Here's the guide for Ubuntu 20.04, and for Ubuntu 22.04.)

Using the certbot program, you inform Let's Encrypt that you want a new certificate for your web site. LE then sends back the relevant files, and certbot automatically configures your Apache vhost file. All certs expire in 90 days, but don't worry: after 60 days have passed, your server will automatically check with Let's Encrypt and request a new cert, and the process repeats forever. And amazingly, it's all completely automatic.
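A monitoring check for the renewal schedule described above, added here as an example and not taken from certbot or Let's Encrypt: it classifies a certificate by age so that a silently failed renewal is noticed well before the 90 days run out. The 7-day grace period, the function names and the sample dates are assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEW_AFTER = timedelta(days=60)  # age at which renewal is attempted, per the text
GRACE = timedelta(days=7)         # assumption: slack before a missed renewal is flagged


def parse_cert_time(ts):
    """Convert a getpeercert() time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)


def renewal_status(cert, now=None):
    """Classify a certificate dict in ssl.SSLSocket.getpeercert() format."""
    now = now or datetime.now(timezone.utc)
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if now >= not_after:
        return "EXPIRED"
    age = now - not_before
    if age > RENEW_AFTER + GRACE:
        return "RENEWAL_OVERDUE"  # automation has probably stopped working
    if age > RENEW_AFTER:
        return "RENEWAL_DUE"      # inside the normal renewal window
    return "OK"


def fetch_cert(host, port=443, timeout=10):
    """Fetch the validated live certificate for host (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format: a certificate valid for 90 days.
SAMPLE = {"notBefore": "Jan  1 00:00:00 2024 GMT",
          "notAfter": "Mar 31 00:00:00 2024 GMT"}

if __name__ == "__main__":
    for day in (10, 62, 75, 95):
        when = parse_cert_time(SAMPLE["notBefore"]) + timedelta(days=day)
        print(f"day {day:>2}: {renewal_status(SAMPLE, when)}")
```

For a live site, pass the result of `fetch_cert("your-domain")` to `renewal_status` from a scheduled job and alert on anything other than `OK` or `RENEWAL_DUE`.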

 

Why 90 Days?

In a blog post, Let's Encrypt explains their reasoning for their certificates lasting only 90 days. Simply put, this lifetime avoids misuse and encourages automation. When everything is automated, the lifetime doesn't really matter as much, and in fact they have stated they may even go shorter than 90 days in the future.

 

Can I Trust It?

Absolutely! The certificates issued by Let's Encrypt use the same encryption algorithms and security as paid SSL certs. I set everything up with default values, and my most recent cert was 2048-bit, using SHA-256 with RSA for the signature, exactly the same as my most recent paid SSL cert. The only difference is Let's Encrypt is free and automatically renews (when set up using certbot).

 

Do All Web Browsers Accept It?

The short answer is: Yes, pretty much anything you throw at it (updated within the last 10 years) will accept LE certificates just fine.

The long answer is: Let's Encrypt is "counter-signed" by older and trusted certificate authorities, which means that as long as those CAs are trusted by the browser, the LE certificate will be accepted. But there are some very old browsers which may not accept it.

Check out the compatibility guide from Let's Encrypt for a better idea.