Let's Encrypt

Let's Encrypt entered public beta on the 3rd, and you can get free SSL certificates from them. I got one for my domain https://guenthernoack.de, and that seems to be running smoothly now.

Just like Fefe, I found the default software for that to be somewhat cumbersome, a huge dependency bloat with Python virtualenv (which I'm not very familiar with), and then I got into a huge fight with package versions, messed everything up and after I had figured it out, my webserver software was too old to be supported (Debian, yo). So this took an evening.

In the end, I ended up using acme-tiny instead; this leaves more of the key generation to yourself, but on the upside makes very few risky assumptions about your web server software. In the end you want to configure that yourself anyway. The readme file on GitHub has a pretty good step-by-step introduction.
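The key generation that acme-tiny leaves to you can be scripted as below. This is an added example, not code from this post or from the acme-tiny project; the function name, file names and the optional key size argument are assumptions.

```shell
#!/bin/sh
# Added example: prepare the key material you bring to acme-tiny yourself.
# Usage: make_acme_material DIR DOMAIN [BITS]   (names are hypothetical)
make_acme_material() {
    dir=$1; domain=$2; bits=${3:-4096}
    if [ -z "$dir" ] || [ -z "$domain" ]; then
        echo "usage: make_acme_material DIR DOMAIN [BITS]" >&2
        return 2
    fi
    mkdir -p "$dir" || return 1
    (
        umask 077                      # private keys: owner-only permissions
        cd "$dir" || exit 1

        # The account key identifies you to the CA. Keep an existing one
        # instead of silently replacing it.
        if [ ! -s account.key ]; then
            openssl genrsa -out account.key "$bits" 2>/dev/null || exit 1
        fi

        # The certificate gets its own key; do not reuse the account key.
        openssl genrsa -out domain.key "$bits" 2>/dev/null || exit 1

        # CSR for a single name, signed with the domain key.
        openssl req -new -sha256 -key domain.key \
            -subj "/CN=$domain" -out domain.csr || exit 1

        # Sanity check: the public key in the CSR must be the domain key's.
        csr_pub=$(openssl req -in domain.csr -noout -pubkey) || exit 1
        key_pub=$(openssl pkey -in domain.key -pubout) || exit 1
        [ "$csr_pub" = "$key_pub" ] || exit 1
    )
}
# account.key and domain.csr are then passed to acme_tiny.py via its
# --account-key and --csr options; domain.key stays on the web server.
```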

While I was at it, I also updated my SSL configuration. SSL Labs are now giving worse grades on your configuration if you're using well-known Diffie-Hellman moduli. You can generate your own parameters with

openssl dhparam -out dhparams.pem 4096

or whatever bit length you want for your modulus. The resulting PEM files can be concatenated and go into your webserver's TLS (SSL) configuration section.