
How to create a free TLS certificate

What is a TLS certificate

A TLS certificate is basically a file with various data like the domains it is valid for, the expiration date and, most importantly, a public key. This file is signed by a certificate authority (CA), which guarantees that the public key really belongs to the person operating the website.

What do I need a TLS certificate for

A TLS certificate is used to secure connections over the internet. The public key is used to authenticate the server, so that you are really visiting the authentic site you expect and are not fooled by a hacker. Additionally, it turns an unencrypted http site into an encrypted https site. This means that the traffic between a client, e.g. an internet browser, and the server hosting the site you are visiting is encrypted and no one can see what you are doing on that website. Keep in mind that the domain you are visiting is still visible to an eavesdropper. In this specific case this means the site you are visiting is indeed operated by the person, me, owning the domain simonhaas.eu. To load this site there was traffic over the public internet. Someone monitoring this would see that you are visiting simonhaas.eu, but they could not see the specific post, its content or any data you would fill into a form if there were any.

Different kinds of TLS certificates

A certificate authority signs the public key. Just as you would not sign anything in real life without first checking the validity of the thing you are signing, neither does a CA. There are three different levels of validation a CA can perform to be sure the person requesting a certificate is authorized to do so.

  1. Domain Validation - this is the weakest form of validation. Here the CA only checks that the requester has administrative control over the domain. The padlock in your browser is green.
  2. Organisation Validation - here the CA checks whether the organisation requesting the signature really exists, e.g. through an official register. The padlock in your browser is green, followed by the organisation's name.
  3. Extended Validation - here the CA visits and physically verifies the existence of the organisation. The padlock in your browser is green, followed by the organisation's name and its country code.

Whether you can really trust a website depends on the kind of validation and on the CA itself. If you do not trust a CA, its signatures are basically worthless and you shouldn't trust the sites it signed either.

How to get a TLS certificate for free

Most CAs charge money for certificates, which is totally legitimate because it is a service they perform for you. The CA Let's Encrypt is different: it issues free certificates. Consequently it only performs the weakest form of validation, Domain Validation. That is why you should not trust your bank's online banking if it is only secured by a Let's Encrypt certificate. But if you only want to encrypt a simple blog, where even if the site got hacked there is no way you could lose all your money or have very personal information leaked, it is just fine.

Different ways of Domain Validation

To validate the domain, Let's Encrypt can use a few different methods, defined in the ACME protocol and called challenges. The most common challenge is HTTP-01. Here you get a token from Let's Encrypt and, to prove your domain ownership, you place the token under a specific path on your website. The Let's Encrypt server then visits that path and looks for the token. If it is there, the CA knows that you control the domain and gives you a certificate. If you want to run a home server in your LAN which is not reachable from the internet, this cannot be done. You can still get a certificate via the DNS-01 challenge. Here you get a token from Let's Encrypt and you must create a TXT record for your domain containing the token. Let's Encrypt's server checks whether a TXT record with the given token exists and gives you a certificate if so.

Actual steps to get a TLS certificate

You can run the following commands from any computer. It does not have to be the server hosting your site, but in the end the certificate has to be on the server.

Prerequisites

You need to own a domain. You can get one from https://www.namecheap.com.

1. Install certbot

Certbot is a command line tool to interact with Let’s Encrypt.

sudo apt update
sudo apt install certbot

2. Request the certificate

In the following command please change *.<your-domain> to your specific domain. The * means that you want a wildcard certificate, which is valid for every subdomain. If you first want to test the process, use Let's Encrypt's staging server https://acme-staging-v02.api.letsencrypt.org/directory as the --server argument: you can only make a limited number of requests to the production server in a given time period before being blocked. Do not press Enter when prompted yet. Also keep in mind that your IP address will be publicly logged.

sudo certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.<your-domain>"

The output will look something like the following.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for *.<your-domain>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.<your-domain> with the following value:

HlArNfLZsJ5x224B9ATJ7eTCIP82LbFAydte4z4VDFw

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

3. Create the TXT record

Go to your DNS provider, e.g. Namecheap, and add a new TXT record. The name has to be _acme-challenge and as value use the token displayed in your output, in this example HlArNfLZsJ5x224B9ATJ7eTCIP82LbFAydte4z4VDFw.

Because of the distributed DNS architecture it can take up to 24 hours until every DNS server gets updated. Waiting only one to two hours has always worked for me. If you want to be sure, you can use a service like https://www.nslookuptool.com to check whether the TXT record is already widely spread. If you press Enter and Let's Encrypt cannot verify your TXT record, you have to run the command again, get a new token and wait for a few hours again.
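The same check can be done from the command line instead of a web service. The script below is an added example and not part of the original post: it asks several public resolvers for the _acme-challenge TXT record described in the DNS-01 section above and only reports success when every one of them already returns the exact token, which is roughly what the CA's own lookup has to see before you press Enter. It needs the dig tool (package dnsutils or bind-utils) for live queries; the parsing function runs without network on a constructed sample of dig output. The DOMAIN and TOKEN variables and the resolver addresses 1.1.1.1, 8.8.8.8 and 9.9.9.9 are my choices for the example, not something the post prescribes.

```shell
#!/bin/sh
# Added example, not from the original post: before pressing Enter in
# certbot, confirm that the _acme-challenge TXT record already carries the
# expected token on several public resolvers. Needs the dig tool for live
# queries; the parsing part runs without network on constructed sample output.
# DOMAIN, TOKEN and the resolver addresses are assumptions for this example.

# Is the exact token among the TXT values?
# $1 = output of `dig +short TXT ...` (one quoted string per line)
# $2 = the token certbot displayed
# A whole-line match is required: a truncated value or a stale record
# left over from an earlier attempt must not count as success.
txt_has_token() {
    printf '%s\n' "$1" | grep -Fqx "\"$2\""
}

# Ask one resolver ($1) for the challenge record of domain $2 and
# check the answer for token $3.
resolver_has_token() {
    answer=$(dig +short +time=3 +tries=1 "@$1" TXT "_acme-challenge.$2" 2>/dev/null)
    txt_has_token "$answer" "$3"
}

# Query every resolver given after domain and token; succeed only when
# all of them already return the token.
check_propagation() {
    domain=$1; token=$2; shift 2
    missing=0
    for resolver in "$@"; do
        if resolver_has_token "$resolver" "$domain" "$token"; then
            echo "ok       $resolver"
        else
            echo "missing  $resolver"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample of `dig +short` output: a leftover record from an
# earlier attempt plus the token shown in the post's example output.
SAMPLE_TXT='"OldTokenFromAPreviousAttemptThatWasNeverDeleted"
"HlArNfLZsJ5x224B9ATJ7eTCIP82LbFAydte4z4VDFw"'

if [ -n "${DOMAIN:-}" ] && [ -n "${TOKEN:-}" ]; then
    # Live check, e.g.: DOMAIN=example.com TOKEN=HlAr... sh check-txt.sh
    # (1.1.1.1, 8.8.8.8 and 9.9.9.9 are public resolvers picked as examples)
    check_propagation "$DOMAIN" "$TOKEN" 1.1.1.1 8.8.8.8 9.9.9.9
elif txt_has_token "$SAMPLE_TXT" "HlArNfLZsJ5x224B9ATJ7eTCIP82LbFAydte4z4VDFw"; then
    echo "sample output: token present"
fi
```

Run it as DOMAIN=<your-domain> TOKEN=<token from certbot> sh check-txt.sh while certbot is still waiting at the "Press Enter to Continue" prompt; as long as any resolver prints "missing", wait and run it again rather than pressing Enter, since a failed validation means a new token and another waiting period.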

If everything worked fine, you now have a TLS certificate signed by Let's Encrypt which can be used to secure your websites.
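To see what you have actually obtained, the script below (an added example, not the post's own code) opens a certificate with the openssl command line tool and prints the fields the first section of this post describes: the names it is valid for and its expiration date. It then checks which hostnames a "*.<your-domain>" wildcard covers, and shows what "signed by a CA" means in practice: the certificate is only accepted when the signing CA is in the verifier's trust store. So that it runs without a real certificate, it generates a throwaway self-signed one for the constructed name example.test with the same kind of wildcard name the certbot command above requests; the functions work just as well on the file certbot produced (by default under /etc/letsencrypt/live/<your-domain>/). One caveat the output makes visible: a wildcard covers subdomains only, not the bare domain, so if you also want <your-domain> itself covered, pass a second -d "<your-domain>" to certbot.

```shell
#!/bin/sh
# Added example, not from the original post: look inside a certificate and
# check which hostnames it covers. A throwaway self-signed certificate for
# the constructed name example.test stands in for the real one; its SAN
# mirrors the post's "*.<your-domain>" request so the wildcard rules show.
# Requires the openssl command line tool (1.1.1 or newer).

# Generate a one-day self-signed certificate into directory $1
# (writes key.pem and cert.pem; subject and SAN are constructed values).
make_test_cert() {
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=example.test" \
        -addext "subjectAltName=DNS:*.example.test" 2>/dev/null
}

# The names the certificate is valid for, e.g. "DNS:*.example.test".
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

# The expiration date as openssl prints it.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Does one certificate name (possibly a wildcard) cover a host?
# A wildcard matches exactly one label: *.example.test covers
# www.example.test but neither example.test nor a.b.example.test.
name_matches() {
    pattern=$1; host=$2
    case $pattern in
        \*.*)
            suffix=${pattern#\*.}
            prefix=${host%."$suffix"}
            # host must end in ".suffix" with a single non-empty label before it
            [ "$prefix" != "$host" ] && [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]
            ;;
        *)
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# Does any DNS name in the certificate's SAN cover host $2?
cert_covers_host() {
    found=1
    set -f   # the SAN contains "*"; do not let the shell glob-expand it
    for entry in $(cert_sans "$1" | tr -d ','); do
        case $entry in
            DNS:*) name_matches "${entry#DNS:}" "$2" && found=0 ;;
        esac
    done
    set +f
    return $found
}

# What "signed by a CA" buys you: a verifier accepts the certificate only if
# the signing CA is in its trust store. With $2 given, that file is the only
# trusted CA; without it the system's trust store is used.
cert_is_trusted() {
    if [ $# -ge 2 ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

main() {
    dir=$(mktemp -d)
    make_test_cert "$dir"
    echo "Valid for: $(cert_sans "$dir/cert.pem")"
    echo "Expires:   $(cert_expiry "$dir/cert.pem")"
    for h in www.example.test example.test a.b.example.test; do
        if cert_covers_host "$dir/cert.pem" "$h"; then
            echo "covers      $h"
        else
            echo "not covered $h"
        fi
    done
    if cert_is_trusted "$dir/cert.pem"; then
        echo "accepted by the system trust store"
    else
        echo "rejected by the system trust store: no trusted CA signed it"
    fi
    rm -rf "$dir"
}

main
```

The self-signed certificate is rejected by the system trust store for the same reason the post gives for distrusting an unknown CA: nothing a browser trusts vouches for the key. Passing the certificate itself as the CAfile makes it trusted, which is exactly the decision a trust store encodes. A certificate from Let's Encrypt passes the system check because the Let's Encrypt CA is already in that store.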

This post is licensed under CC BY 4.0 by the author.