Let's Encrypt Ubuntu

Let's Encrypt can be defined as a non-profit certificate authority executed by ISRG (Internet Security Research Group) that offers X.509 certificates for TLS (Transportation Security Encryption). It is the largest certificate in the world, used by 300+ million websites, with the aim of every website being secured and utilizing HTTPS. The ISRG, the service provider, is a public benefit organization. Bigger sponsors are Bill and Melinda Gates Foundation, NGINX, AWS, Internet Society, Google Chrome, Facebook, Cisco Systems, OVH, The Mozilla Foundation, and EFF (Electronic Frontier Foundation). Other partners are the Linux Foundation, the University of Michigan, and the certificate authority IdenTrust.

For the organization, the mission is to create a more privacy-respecting and secure World Wide Web by advertising the widespread acceptance of HTTPS. These certificates have 90 days validity, during which renewal can appear at any time. It is managed by an automated process developed to overcome manual renewal, installation, signing, validation, and creation of certificates for the website. Only two commands' execution is enough to configure HTTPS encryption and inherit and install the certificate on the Linux web servers.

To that end, an application package was contained in the official Ubuntu and Debian software repositories. The latest initiatives of browser developers like Google and Mozilla to deprecate HTTP (unencrypted) are counting on the presence of Let's Encrypt. The project is approved to have the potential to achieve encrypted connections for the whole web as the default case.

• The service issues only domain-validated certificates since these certificates can be automated completely.
• Extended Validation and Organization Validation Certificates both need any registrant's human validation and are hence not provided by Let's Encrypt.
• Wildcard and ACME v2 certificates support was also added in March 2018.
• DV (Domain Validation) was used by Let's Encrypt back in 2002, and it was at initial controversial when announced by GeoTrust before it turned into a widely adopted technique for SSL certificate issuance.
• The organization hopes to protect its guard and trustworthiness against manipulation and attack attempts by being as clear as possible.
• It regularly releases transparency reports for that purpose, publicly logs every ACME transaction, and uses free and open standard software as much as possible.

History of Let's Encrypt

The project was initiated in 2012 by two employees of Mozilla, Eric Rescorla and Josh Aas, with Peter Eckersley at the EFF and J. Alex Halderman at the U-M (University of Michigan). ISRG was integrated in May 2013, the company beyond Let's Encrypt. Publicly, Let's Encrypt was introduced on 18 November 2014.
Officially, the ACME protocol was introduced to the IETF for regularity on 28 January 2015.

The Linux Foundation and the ISRG announced their collaboration on 9 April 2015. The intermediate and root certificates were produced at the start of June. The final launch agenda for the service was declared on 16 June 2015, with the first certificate supposed to be issued any time in the week of 27 July 2015, followed by an issuance time to test scalability and security. The service's general availability was originally programmed to start any time in the week of 14 September 2015.

• The launch agenda was amended to offer more time to ensure system stability and security on 7 August 2015, with the first certificate to be announced in the week of 7 September 2015, pursued by general availability in the week of 16 November 2015.
• Let's encrypt announced its first certificate on 14 September 2015, which was available for the letsencrypt.org domain.
• On a similar day, ISRG recommended its root program software to Apple, Google, Microsoft, and Mozilla.
• The intermediate certificates were cross-signed by IdenTrust on 19 October 2015, causing every certificate to be trusted by every major browser announced by Let's Encrypt.
• Let's Encrypt revealed that general availability would be pulled back on 12 November 2015, and the initial public beta would start on 3 December 2015.
• The public beta was executed from 3 December 2015 to 12 April 2016. It was announced on 12 April 2016.
• On 3 March 2020, Let's encrypt revealed that it would have to invalidate 3+ million certificates on 4 March because of a flaw in the Certificate Authority software.
• Let's Encrypt was capable of getting 1.7 million of the influenced certificates revived before the time limit by connecting to site operators and operating with software vendors.
• Ultimately, they decided not to dismiss the remaining influenced certificates because certificates were invalid in the next 90 days, and the security risk was very low. The event of mass revocation has importantly increased the rate of global revocation.
• Let's Encrypt was awarded the annual award of the Free Software Foundation for Social Benefit Projects.
• Let's Encrypt revealed having published a billion certificates on 27 February 2020.
• Let's Encrypt announced having published 234 million unexpired (active) certificates as of September 2022.

Technologies in OpenGL

Chain of trust

ISRG Root X1 (RSA)

Let's Encrypt revealed the generation of the initial RSA root certificate, i.e., ISRG Root X1, in June 2015. The root certificate was utilized for signing two intermediate certificates, which are cross-signed via the IdenTrust certificate authority as well. One of these intermediate certificates is used for signing authorized certificates, while another is offline as the backup in case of issues with the initial intermediate certificate. Normally, the Let's Encrypt certificate can be accepted and validated by relying on parties before browser vendors, such as the ISRG root certificate as the trust anchor due to the IdenTrust certificate was highly trusted by other web browsers.

ISRG Root X2 (ECDSA)

In 2015, the developers of Let's Encrypt planned to produce an ECDSA root key but then pulled back this plan to early 2016, then to 2019, and finally to 2020. Let's Encrypt announced 6 new certificates on 3 September 2020: one new "ISRG Root X2" ECDSA root, one cross-sign, and four intermediates. The new ISRG Root X2 was cross-signed by ISRG Root X1, i.e., the own root certificate of Let's Encrypt.

Let's Encrypt didn't issue any OCSP responder for the fresh intermediate certificates and rather plans to solely rely on CRLs (certificate revocation lists) for recalling compromised certificates and abbreviated validity time to decrease certificate compromise danger.

ACME protocol

A challenge-responsible protocol is utilized for automating registering with the certificate authority is known as ACME (Automated Certificate Management Environment). It can query either DNS servers or Web servers managed by the domain hidden by the certificate to be granted. Control of the user over the domain is guaranteed based on whether the final responses meet the expectations. The client software of ACME can configure an embedded TLS server that is queried by the certificate authority server of ACME using requests with Server Name Indication, or it can utilize hooks to release responses to available DNS and Web servers.

The validation processes are executed one or more times over isolated network paths. Inspecting DNS entries is supported, which is geographically done from multiple diverse locations to enable DNS spoofing attacks complicated to do.

The interactions of ACME are based on swapping JSON documents on HTTPS connections. The draft specification is present on GitHub, and a release has been submitted to the IETF (Internet Engineering Task Force) as a proposal for the Internet standard.

Let's Encrypt operated its own ACME protocol draft. They forced for standardization at the same time. It caused a "proposed standard" in May 2019. It announced breaking modifications, and as such, it has been titled ACMEv2. Let's Encrypt operated the new release and began forcing available clients into the upgrades.

Since 8 November 2019, ACMEv1 is not accepting the registrations of any new account. ACMEv1 is also not accepting fresh domain validations since June 2020. ACMEv1 underwent 24-hours brownouts from January 2021. The API of ACMEv1 was completely turned off on 1 June 2021.

Principles of Let's Encrypt

The main principles of Let's Encrypt are:

• Automatic: An application active on a web server can collaborate with Let's Encrypt to obtain a certificate painlessly, configure it to use securely, and take care of renewal automatically.
• Free: Anyone can utilize Let's Encrypt, who owns any domain name, to get a trusted certificate at no cost.
• Secure: Let's Encrypt will represent as a platform to advance best practices of TLS security, both on CA and by supporting site operators to protect their servers properly.
• Open: The renewal protocol and automatic issuance are released as an open standard that anyone else can adopt.
• Transparent: Every certificate revoked or issued will be recorded publicly and available for everyone to check.
• Cooperative: Let's Encrypt is a combined effort to profit the community behind the control of any individual organization, almost the same as the basic Internet protocols themselves.