Let's Encrypt Ubuntu
Let's Encrypt can be defined as a non-profit certificate authority executed by ISRG (Internet Security Research Group) that offers X.509 certificates for TLS (Transportation Security Encryption). It is the largest certificate in the world, used by 300+ million websites, with the aim of every website being secured and utilizing HTTPS. The ISRG, the service provider, is a public benefit organization. Bigger sponsors are Bill and Melinda Gates Foundation, NGINX, AWS, Internet Society, Google Chrome, Facebook, Cisco Systems, OVH, The Mozilla Foundation, and EFF (Electronic Frontier Foundation). Other partners are the Linux Foundation, the University of Michigan, and the certificate authority IdenTrust.
For the organization, the mission is to create a more privacy-respecting and secure World Wide Web by advertising the widespread acceptance of HTTPS. These certificates have 90 days validity, during which renewal can appear at any time. It is managed by an automated process developed to overcome manual renewal, installation, signing, validation, and creation of certificates for the website. Only two commands' execution is enough to configure HTTPS encryption and inherit and install the certificate on the Linux web servers.
To that end, an application package was contained in the official Ubuntu and Debian software repositories. The latest initiatives of browser developers like Google and Mozilla to deprecate HTTP (unencrypted) are counting on the presence of Let's Encrypt. The project is approved to have the potential to achieve encrypted connections for the whole web as the default case.
History of Let's Encrypt
The project was initiated in 2012 by two employees of Mozilla, Eric Rescorla and Josh Aas, with Peter Eckersley at the EFF and J. Alex Halderman at the U-M (University of Michigan). ISRG was integrated in May 2013, the company beyond Let's Encrypt. Publicly, Let's Encrypt was introduced on 18 November 2014.
The Linux Foundation and the ISRG announced their collaboration on 9 April 2015. The intermediate and root certificates were produced at the start of June. The final launch agenda for the service was declared on 16 June 2015, with the first certificate supposed to be issued any time in the week of 27 July 2015, followed by an issuance time to test scalability and security. The service's general availability was originally programmed to start any time in the week of 14 September 2015.
Technologies in OpenGL
Chain of trust
ISRG Root X1 (RSA)
Let's Encrypt revealed the generation of the initial RSA root certificate, i.e., ISRG Root X1, in June 2015. The root certificate was utilized for signing two intermediate certificates, which are cross-signed via the IdenTrust certificate authority as well. One of these intermediate certificates is used for signing authorized certificates, while another is offline as the backup in case of issues with the initial intermediate certificate. Normally, the Let's Encrypt certificate can be accepted and validated by relying on parties before browser vendors, such as the ISRG root certificate as the trust anchor due to the IdenTrust certificate was highly trusted by other web browsers.
ISRG Root X2 (ECDSA)
In 2015, the developers of Let's Encrypt planned to produce an ECDSA root key but then pulled back this plan to early 2016, then to 2019, and finally to 2020. Let's Encrypt announced 6 new certificates on 3 September 2020: one new "ISRG Root X2" ECDSA root, one cross-sign, and four intermediates. The new ISRG Root X2 was cross-signed by ISRG Root X1, i.e., the own root certificate of Let's Encrypt.
Let's Encrypt didn't issue any OCSP responder for the fresh intermediate certificates and rather plans to solely rely on CRLs (certificate revocation lists) for recalling compromised certificates and abbreviated validity time to decrease certificate compromise danger.
A challenge-responsible protocol is utilized for automating registering with the certificate authority is known as ACME (Automated Certificate Management Environment). It can query either DNS servers or Web servers managed by the domain hidden by the certificate to be granted. Control of the user over the domain is guaranteed based on whether the final responses meet the expectations. The client software of ACME can configure an embedded TLS server that is queried by the certificate authority server of ACME using requests with Server Name Indication, or it can utilize hooks to release responses to available DNS and Web servers.
The validation processes are executed one or more times over isolated network paths. Inspecting DNS entries is supported, which is geographically done from multiple diverse locations to enable DNS spoofing attacks complicated to do.
The interactions of ACME are based on swapping JSON documents on HTTPS connections. The draft specification is present on GitHub, and a release has been submitted to the IETF (Internet Engineering Task Force) as a proposal for the Internet standard.
Let's Encrypt operated its own ACME protocol draft. They forced for standardization at the same time. It caused a "proposed standard" in May 2019. It announced breaking modifications, and as such, it has been titled ACMEv2. Let's Encrypt operated the new release and began forcing available clients into the upgrades.
Since 8 November 2019, ACMEv1 is not accepting the registrations of any new account. ACMEv1 is also not accepting fresh domain validations since June 2020. ACMEv1 underwent 24-hours brownouts from January 2021. The API of ACMEv1 was completely turned off on 1 June 2021.
Principles of Let's Encrypt
The main principles of Let's Encrypt are: