• Sai Prakash

Switching from costly traditional SSL certificates to free ones



The internet today is vast and filled with both friends and foes. With a rise in ransomware and man-in-the-middle attacks, SSL security is no longer optional for anyone running a real SaaS service for customers. Google Chrome even classifies websites not served over SSL as practically 'Unsafe' and warns users.


As a startup, we are always looking for ways to streamline our costs while keeping our operations running smoothly. Traditional SSL certificates were costing us several thousand dollars per year. We decided to look to the tech community for better options and found Let's Encrypt to be a reliable option for startups and established companies alike. Let's Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is no surprise that it is now the world's largest certificate authority, used by more than 265 million websites.


Normally, when we get to the end of our certificate validity, we have to jump through a few hoops and wait a few days to get the certificate vendor to issue a renewed certificate, all while charging those expensive fees. Switching our live production apps to certificates from Let's Encrypt took less than an hour!


There are two methods you can use:

  1. Generate certificates on your dev machine and update your build packages to include them.

  2. Setup certificate generation on your servers, with auto-renewal.

Depending on how your production environment is set up, you might actually want to use both.


The first method is fast and easy to execute. The basic steps are as follows:


Step 1: Install certbot on your machine.


We use Ubuntu and this was as simple as:

sudo apt install certbot

Certbot is a tool provided by the EFF (Electronic Frontier Foundation) that provides an easy-to-use interface to generate and renew Let's Encrypt certificates. You can look up more instructions on installing certbot on the website here: https://certbot.eff.org/.


Step 2: Request a certificate for your domain


The next step is to identify your domain (in our case mindstaq.com) and request an SSL certificate. There were two decisions involved here: we wanted a wildcard certificate (*.mindstaq.com), because we use sub-domains for API requests and other services, and we wanted to prove ownership of the domain with a simple DNS entry (a TXT record). Both were easy to combine into a single certbot command, which must be run as the root user (substitute yourdomain.com below with your actual domain):

certbot certonly \
   --manual \
   --preferred-challenges=dns \
   --email=you@yourdomain.com \
   --agree-tos \
   -d *.yourdomain.com

You will be asked a few questions about sharing your email address (not mandatory) and about logging the IP address used for the request. Certbot then prints instructions for creating a TXT record in your DNS server and waits for you to complete that step before you press ENTER to continue. Once the TXT record was created, we continued and our new certificates were generated immediately! On Ubuntu, they were created in the directory /etc/letsencrypt/live/yourdomain.com.


The tool created 4 files:

  1. cert.pem - The newly issued certificate for your site.

  2. chain.pem - The intermediate certificate(s) linking your certificate to the Let's Encrypt root; it does not contain your own certificate.

  3. privkey.pem - The private key matching your new certificate; it should be readable only by the process that terminates TLS.

  4. fullchain.pem - cert.pem followed by chain.pem; this is the file most servers expect, so that clients receive the complete chain.


Step 3: Use the newly created certificates in your apps/build.


MindStaq uses Node.js with ExpressJS to run all of its backend microservices and we were able to use the generated .pem files as-is in our Node build. For reference, here is an example snippet of code showing how we used the generated files to configure our HTTP/S server:

const fs = require('fs');
const https = require('https');
const express = require('express');

const app = express();

https
  .createServer({
    key: fs.readFileSync('/etc/letsencrypt/path/to/privkey.pem'),
    cert: fs.readFileSync('/etc/letsencrypt/path/to/cert.pem'),
    // `ca` only sets the CAs trusted when verifying client certificates; it does not
    // send the intermediate to browsers. Use fullchain.pem as `cert` for that.
    ca: fs.readFileSync('/etc/letsencrypt/path/to/chain.pem'),
  }, app)
  .listen(443, () => {
    console.log('Secure HTTP server listening on port 443...');
  });

To read more about how to use the second method, of generating certificates on the servers directly, we recommend this useful article from DigitalOcean: https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-10


We hope this article was helpful and will save you time and money while keeping your software and customers secure! LLAP.


