Automating deployment of Let's Encrypt certificates.

Jan 06 2018

A couple of weeks back, somebody I know asked me how I went about deploying SSL certificates from the Let's Encrypt project across all of my stuff.  Without going into too much detail about what SSL and TLS are (but here's a good introduction to them), the Let's Encrypt project will issue SSL certificates to anyone who wants one, provided that they can prove somehow that they control what they're cutting a certificate for.  You can't use Let's Encrypt to generate a certificate for because they'd try to communicate with the server (there isn't any such thing but bear with me) to verify the request, not be able to, and error out.  The actual process is complex and kind of involved (it's crypto so this isn't surprising) but the nice thing is that there are a couple of software packages out there that automate practically everything so all you have to do is run a handful of commands (which you can then copy into a shell script to automate the process) and then turn it into a cron job.  The software I use on my systems is called Acme Tiny, and here's what I did to set everything up...

An interesting discovery about Dreamhost.

Dec 05 2017

As you may or may not be aware, I've been a customer of Dreamhost for many years now (if you want to give them a try, here's my referral link).  Both professionally and personally, I've been hosting stuff with them without many complaints (their grousing about my websites being too large is entirely reasonable given that I'm on their shared hosting plan).  Something that always got me about their SSL support, though, was that you had to buy a unique IP address from them if you wanted to use it.  That cost a pretty penny, almost as much as I pay every year for hosting service.  After all, there's the SNI protocol which essentially lets you put SSL on multiple websites hosted at the same IP address.  It's been around since 2006 and has been supported by Apache since v2.2.12 so there wasn't any real reason to not offer it.  On the other hand, though, IPv4 addresses are getting pretty thin on the ground so paying for the privilege so I could have SSL on my website was worth it.  Plus, Dreamhost has to sell services to stay in business, and sometimes that means paying for perks as much as you or I might be annoyed by it.

A couple of years ago Dreamhost started offering free SSL certificates through their partnership with the Let's Encrypt project if you were a customer.  The idea is that you could click a couple of buttons in their control panel and they'd hook you up with an automatically renewing SSL cert for your website.  So, of course I jumped at the opportunity because I got tired of the self-signed certificate errors everybody was getting.  Comes with the territory.

Last weekend, for whatever reason I got it in my head to e-mail customer support and ask them if I had to keep paying for a unique IP address if I was using a Let's Encrypt certificate on my website.  I use acme-tiny to maintain the certs on my servers (I should write up how I do that one of these days), so... I figured the worst they could do was say "No."

As it turns out, if you use Let's Encrypt on Dreamhost, you do not have to keep paying for a unique IP address.  It's safe to go into your control panel, click that tiny little 'x' button, and save yourself some money every year.  I did so earlier today (about a week ago, as you'll reckon it) and everything seems copacetic.  This also means it's safe to turn on SSL for every site you have there, and it won't cost you any more money.  Though it would be good to donate to the Let's Encrypt project to support their work.