How to use Let's Encrypt to secure your websites

Let's Encrypt is easy to use and free -- no wonder it's the most popular Certificate Authority for securing websites. Here's how you can use it.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Securing your business website with HTTPS isn't just a good idea, it's a necessity. Google Chrome now flags HTTP pages that carry login, payment, or search forms as "Not secure". Fortunately, Let's Encrypt makes it both free and easy to put your websites behind HTTPS.

After countless website security attacks, the Internet Security Research Group (ISRG) started the Let's Encrypt project in 2015 to make it easy for everyone to secure their websites.

The ISRG's members include Akamai, Cisco, the Electronic Frontier Foundation (EFF), and Mozilla; the group is managed by The Linux Foundation. Its purpose with Let's Encrypt is to provide a free, automated, and open certificate authority (CA) for everyone's benefit. Let's Encrypt lets website owners obtain a TLS certificate within minutes, making the web safer for everyone.

As ISRG executive director Josh Aas said when the group was founded, "Encryption should be the default for the web. The web is a complicated place these days; it's difficult for consumers to be in control of their data. The only reliable strategy for making sure that everyone's private data and information is protected while in transit over the web is to encrypt everything."

It worked. Two years after Let's Encrypt issued its first certificate, it has today issued more than 100 million certificates. Indeed, Let's Encrypt is now the biggest CA of them all.

So how can you use it to protect your website? Like this:

First, I'm presuming you're using Linux for your web server. If you're using Windows Server, the only good resource I've found is Rick Strahl's Using Let's Encrypt with IIS on Windows.

If you want to set things up by hand, the cloud and hosting provider Linode has an excellent guide to using Let's Encrypt on Debian- and Red Hat-based Linux distributions. But if you want to do it the easy way, I recommend using a client for the Automatic Certificate Management Environment (ACME) protocol.

ACME is the protocol at the heart of Let's Encrypt. It automates the two steps a CA has to perform before issuing a certificate: checking that the requester controls the domain names, and then issuing the certificate itself. With no human in the loop, Let's Encrypt can issue millions of certificates quickly.

The best ACME client is Certbot. The EFF developed Certbot to make it as easy as possible to secure your website with Let's Encrypt or any other CA that supports ACME.

You can use it to automate certificate issuance and installation for your site, or use its expert modes for more control. Certbot supports most Linux distributions, FreeBSD, OpenBSD, and macOS. It doesn't support Windows. It has plugins for the Apache and Nginx web servers, and third-party plugins cover HAProxy and the Plesk hosting control panel.

To use Certbot you need root access to a Unix/Linux shell. First install Certbot, either from the command line or with your operating system's package manager, such as Synaptic. It also requires Python 2.6, 2.7, or 3.3+.

If you use a web-hosting service, Certbot may already be on your server. In that case the command may be called certbot or letsencrypt.

Once installed, you simply run the program from the shell. For example, on Ubuntu 16.04 -- the long-term support version of this popular Linux distribution -- with the Nginx web server, you obtain and install a certificate with:

$ sudo certbot --nginx

Certbot will then walk you through obtaining and installing a certificate interactively. The process is quite simple. You only need an administrative email address for the certificate (Let's Encrypt uses it for expiry and security notices), you must be able to prove you control the domain(s) you're requesting a certificate for (the Nginx plugin answers the ACME challenge for you), and you must agree to the Let's Encrypt terms.

If you want more control over the process, add certonly. Certbot then obtains the certificate and writes it under /etc/letsencrypt/live/ but leaves your Nginx configuration alone, so you point the server at the new files yourself:

$ sudo certbot --nginx certonly

Let's Encrypt certificates are only valid for 90 days, so you should renew them automatically before they expire. Certbot's renew command only replaces certificates with fewer than 30 days left, so it's safe to run it often; Let's Encrypt recommends twice a day. To check that renewal works, first run:

$ sudo certbot renew --dry-run

The dry run talks to Let's Encrypt's staging environment, so a failure doesn't count against the production rate limits. Once it succeeds, schedule

certbot renew

from a cron job or a systemd timer. Many distribution packages already install such a job, so check /etc/cron.d and systemctl list-timers before adding another.

Finally, Let's Encrypt plans to support wildcard certificates starting in January 2018. A wildcard for *.example.com will cover mail.example.com, www.example.com, and any other subdomain without naming each one (the bare example.com still has to be listed as a separate name). For now, you list every name you want covered and get a single certificate for all of them. The names don't even have to share a domain.

You do this with the command:

$ sudo certbot --nginx -d example.com -d mail.example.com -d www.example.com -d example.org

The first name you pass becomes the certificate's primary name: Certbot uses it as the common name and as the directory name under /etc/letsencrypt/live/. Therefore, you should always start with the bare domain. For instance, if we were doing this for www.zdnet.com, we'd pass zdnet.com as the first -d argument.

After you set up your first domain, check to make sure it's working. The easiest way to do this is Qualys' SSL Labs server test: enter the name of your newly secured domain and read the grade and the findings it reports.
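As an added example, not code from the article or from the Certbot project, here is a single script that ties the steps above together for an Nginx host on a systemd-based distribution: it confirms that the ACME challenge path is reachable over HTTP before Certbot is asked for anything, obtains one certificate covering several names, dry-runs renewal, installs a systemd timer that runs certbot renew twice a day and reloads Nginx only when a certificate actually changed, and warns when the live certificate has less than 30 days left. The domain names, email address, webroot, and unit directory are assumptions; set them in the environment for your own host. It uses Certbot's webroot mode rather than the --nginx plugin so that it never edits your Nginx configuration.

```sh
#!/bin/sh
# Added example, not from the article or the Certbot project.
#   check          confirm the HTTP-01 challenge path is reachable over HTTP
#   obtain         get one certificate covering every name in $DOMAINS
#   renew-test     dry-run a renewal against the staging environment
#   install-timer  run "certbot renew" twice a day from a systemd timer
#   expiry         warn if the live certificate expires within 30 days
# All values below are assumptions for illustration; override them in the
# environment: DOMAINS (bare domain first), EMAIL, WEBROOT, UNIT_DIR.
set -eu

DOMAINS="${DOMAINS:-example.com www.example.com}"
EMAIL="${EMAIL:-admin@example.com}"
WEBROOT="${WEBROOT:-/var/www/html}"
UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"

# Turn "a b c" into "-d a -d b -d c". The first name becomes the certificate's
# primary name and the directory name under /etc/letsencrypt/live/.
domain_args() {
    out=""
    for d in $DOMAINS; do out="$out -d $d"; done
    echo "${out# }"
}

# Let's Encrypt fetches http://<name>/.well-known/acme-challenge/<token> on
# port 80 for every requested name. Prove that path works before asking the CA.
check_challenge_path() {
    dir="$WEBROOT/.well-known/acme-challenge"
    token="probe-$$"
    mkdir -p "$dir"
    echo ok > "$dir/$token"
    for d in $DOMAINS; do
        if [ "$(curl -fsSL "http://$d/.well-known/acme-challenge/$token")" = ok ]; then
            echo "$d: challenge path reachable"
        else
            echo "$d: cannot fetch $dir/$token over HTTP; fix this before running certbot" >&2
            rm -f "$dir/$token"
            return 1
        fi
    done
    rm -f "$dir/$token"
}

# Webroot mode: certbot writes the challenge file itself and never touches
# nginx.conf. Point nginx at fullchain.pem and privkey.pem afterwards.
obtain() {
    # shellcheck disable=SC2046  # domain_args is meant to split into words
    certbot certonly --webroot -w "$WEBROOT" --agree-tos -m "$EMAIL" \
        --no-eff-email $(domain_args)
}

# Timer plus oneshot service. certbot only renews certificates with fewer than
# 30 days left, so twice a day is cheap and tolerates a day or two of outage.
# --deploy-hook runs only when a certificate changed, so nginx reloads only then.
write_units() {
    certbot_bin="$(command -v certbot || echo /usr/bin/certbot)"
    cat > "$UNIT_DIR/certbot-renew.service" <<EOF
[Unit]
Description=Renew Let's Encrypt certificates
After=network-online.target

[Service]
Type=oneshot
ExecStart=$certbot_bin renew --quiet --deploy-hook "systemctl reload nginx"
EOF
    cat > "$UNIT_DIR/certbot-renew.timer" <<EOF
[Unit]
Description=Run certbot renew twice a day

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

enable_timer() {
    systemctl daemon-reload
    systemctl enable --now certbot-renew.timer
}

# openssl's -checkend exits non-zero when the certificate expires within the
# given number of seconds (or the file cannot be read at all).
check_expiry() {
    set -- $DOMAINS
    cert="/etc/letsencrypt/live/$1/cert.pem"
    if openssl x509 -in "$cert" -noout -checkend $((30 * 86400)); then
        echo "$1: more than 30 days of validity left"
    else
        echo "$1: expires within 30 days or is missing; run 'certbot renew'" >&2
        return 1
    fi
}

case "${1:-}" in
    check) check_challenge_path ;;
    obtain) obtain ;;
    renew-test) certbot renew --dry-run ;;
    install-timer) write_units && enable_timer ;;
    expiry) check_expiry ;;
    "") ;;  # no argument: only define the functions
    *) echo "usage: $0 check|obtain|renew-test|install-timer|expiry" >&2; exit 2 ;;
esac
```

Run it as root in order: check, obtain, renew-test, install-timer, and then expiry whenever you want to confirm the timer is doing its job. If your distribution's certbot package already ships a cron job or certbot.timer, skip install-timer rather than run two schedulers side by side.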


For basic protection, that's all there is to it. Considering how easy it is to do, how much more secure your site will be, and how much easier it will be for users to find and use your site, this is a no-brainer. Secure your site with Let's Encrypt today.
