A long time ago in a galaxy far, far away… just kidding. The premiere of the new Star Wars movie is still over a week away. However, something else exciting happened not at all long ago (December 3rd, to be precise) – the release of the public beta of the Let’s Encrypt service. Why should you care? In a nutshell, this service gives you the ability to install a free, trusted certificate on any of your websites, which will not only encrypt the connection between the website and the visitor’s browser, but also display your website as trusted, meaning that the visitor will not be shown a warning about the certificate’s authenticity. This advantage over self-signed certificates (which are also free, but not trusted) is especially relevant when securing an e-commerce website. In addition to issuing free certificates, Let’s Encrypt also provides the tools for revoking and renewing them, which, in theory, should save system administrators a lot of time and effort. You can read more about the project by visiting its homepage at the Let’s Encrypt site.
Granted, you could buy a TLS certificate before, but it made little financial sense for small websites with low readership, such as personal websites. Another company (StartCom) has also been offering free certificates for some time, but they come with a number of limitations (no commercial usage, paid certificate revocation, etc.). In addition, requesting a free certificate from StartCom can only be done manually, while Let’s Encrypt certificates can be issued automatically, saving time and effort.
The Let’s Encrypt project comes with a number of caveats, namely:
- The issued certificates remain valid for 90 days and have to be renewed on a regular basis. Naturally, if you decide to renew manually, you’re bound to forget to do it sooner or later.
- The official Let’s Encrypt client offers only a command-line interface.
- The client works by editing the Apache configuration files, which introduces the chance of something going wrong (with potentially unpleasant results).
- Nginx support is still in the experimental stage.
- Installing the client requires development tools (autotools, gcc) on the server to compile its dependencies (cryptography, psutil, python-pip, python-virtualenv, virtualenv, cffi), and having such tools on a production server is generally not recommended.
If you manage your server via Plesk, none of this concerns you. We compiled a number of Let’s Encrypt packages for most of the OSes supported by Plesk and placed them in a separate repository on http://autoinstall.plesk.com/. In addition, we prepared a Let’s Encrypt extension for Plesk, consisting of two parts:
- Backend – the official Let’s Encrypt CLI client together with a plugin facilitating its integration with Plesk. The plugin uses the Plesk XML API to validate and install certificates.
- The extension itself, providing the user interface and automatically renewing the certificates.
Let’s try it in action. Log in to Plesk and install the Let’s Encrypt extension via the Extension Catalog:
After the installation, a shell script is run. It fetches dependencies (sets up repositories and installs missing packages), creates a virtualenv virtual environment, and installs the Let’s Encrypt console client with the Plesk plugin inside.
Next, click the installed extension, select a website, and install the certificate:
If you have already used the CLI client, you will recognize the interactive mode dialog in this web form. When the “success” message appears, follow the link to open the website and see the green “https” icon in the address bar.
Check that the certificate renewal task has been added to Tools & Settings > Scheduled tasks:
And there you have it. A free certificate for your website, obtained from the Plesk interface with a few clicks. It already works on this site, on this very page: just look at your browser’s address bar! Give this extension a whirl and let us know what you think in the comments!
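Because the certificates last only 90 days, it is worth verifying from the outside that the scheduled renewal task is actually doing its job. The following Python check is an added example, not part of the Plesk extension or the Let’s Encrypt client; the function names, the 30-day margin and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
import sys
import time

RENEW_MARGIN_DAYS = 30  # assumption: renewal should have happened by this point

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Let's Encrypt"),),
               (("commonName", "Example Issuing CA"),)),
    "notBefore": "Dec  3 00:00:00 2015 GMT",
    "notAfter": "Mar  2 00:00:00 2016 GMT",
}


def fetch_cert(host, port=443, timeout=10):
    """Fetch the peer certificate; chain and hostname are verified."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert):
    """Return the issuer's organizationName, or None if absent."""
    attrs = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    return attrs.get("organizationName")


def days_left(cert, now=None):
    """Days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def renewal_status(cert, now=None, margin=RENEW_MARGIN_DAYS):
    """Return 'expired', 'renewal-overdue' (inside the margin) or 'ok'."""
    remaining = days_left(cert, now)
    if remaining <= 0:
        return "expired"
    return "renewal-overdue" if remaining < margin else "ok"


if __name__ == "__main__":
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(issuer_org(cert), round(days_left(cert), 1), renewal_status(cert))
```

Run it with a hostname as the only argument from a monitoring host; a result of `renewal-overdue` means the scheduled task has not replaced the certificate in time and should be investigated before the certificate expires.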