Let’s Encrypt Certificate with DNS verification with No-IP

If you want a free SSL (Secure Sockets Layer) certificate for your website, then Let’s Encrypt is for you. An SSL certificate allows for secure and trusted communications via HTTPS (Secure HTTP) with your web server by providing a public key that browsers can verify. The certificate binds together a domain name or hostname with an organizational identity (i.e. company) and location. Later versions of Google’s Chrome browser mark non-HTTPS sites as ‘not secure.’ Most websites are transitioning to HTTPS only, both to signal that their sites are more secure and to keep communications between users and the website from being easily read by others. Google also gives sites that use HTTPS a higher ranking in search results.

Let’s Encrypt background

Let’s Encrypt is a “free, automated, and open certificate authority (CA), run for the public’s benefit,” according to their website. Usually, when someone wants to get an SSL certificate to use HTTPS they have to pay for the certificate, and then pay for annual renewals. Let’s Encrypt not only offers a free SSL certificate, but it also allows for free and automated renewals. The catch is that you have to renew every 90 days, but if you automate your renewal, this isn’t a problem. Let’s Encrypt has a shorter renewal period to lessen the chance that someone is misusing a compromised or mis-issued certificate. They also want to encourage automation for ease of use. Forgetting to renew expired certificates happens even at large technology companies like Instagram and Google.

In most cases, the automation of renewing certificates is pretty straightforward. Companies and individuals can schedule a tool like certbot (for example, from cron) to renew certificates without any manual intervention.

Who would be interested in a Let’s Encrypt SSL certificate?

Most people use HTTPS to secure their website communications with customers, improve their search engine optimization (SEO), and gain the trust of their visitors. If users are logging into a site and/or transmitting confidential or sensitive data (e.g. credit card, medical, and demographic information), the website should be using HTTPS. The types of customers and use cases for using Let’s Encrypt include:

  • Companies that can’t afford other Certificate Authority prices or just want to save on costs.
  • People who run personal web servers for a limited set of users and want those communications secured.
  • People who are naturally curious about implementing HTTPS.

There are bells and whistles you can get with more traditional Certificate Authorities like Digicert or Comodo such as:

  • Longer renewal periods
  • Extended Validation (EV) certificates. This allows a company to have its name in place of the “Secure” text next to the green padlock for HTTPS sites in the browser address bar.
(Image: an example of an EV certificate)

If you are not in need of longer renewal periods or an EV certificate, Let’s Encrypt might be for you.


Why I wanted an SSL certificate

I run a couple of personal websites that get a few visitors. They do have logins, and some of the information transmitted can be sensitive. For years I’ve been cheap and just used self-signed certificates. In technical terms, a self-signed certificate is one that is signed by the same entity whose identity it certifies. Normally, a Certificate Authority authenticates that the holder of a certificate is who they say they are. This is the equivalent of a trusted friend telling you a third party can be trusted. A self-signed certificate is the equivalent of someone saying you should trust them because they are telling you to. Self-signed certificates, in reality, cannot be trusted: most web browsers will bring up a warning, force you to accept the risk of going to the site, and brand the site insecure.

(Image: browser warning on a website with a self-signed certificate)

I was getting tired of seeing the not secure marking next to my website, and Google Chrome always warning me of the dangers of going to my own site. I never wanted to pay for a certificate for this limited use, but it’s hard to pass up free.

Getting my SSL certificate from Let’s Encrypt

The steps

My particular circumstances made getting my free Let’s Encrypt certificate nontrivial. Let’s Encrypt offers two methods of validation in order to get a certificate:

  1. Provisioning an HTTP resource under the domain for the desired certificate.
  2. Provisioning a DNS record under the domain for the desired certificate. This is also the option you have to use if you want a wildcard (*.yourdomain.com) certificate.

I originally wanted to use the HTTP method as there are scripts that can do the verification. If, like me, you are running Apache on Ubuntu, you can use certbot to get your certificate by installing the certbot repository, installing the certbot Python program, and then running certbot. The following commands will normally get the job done:

sudo add-apt-repository ppa:certbot/certbot

sudo apt install python-certbot-apache

sudo certbot --apache -d <yourdomain>

The last command will take you through an interactive session to get a certificate for <yourdomain>. You’ll be asked for your email address, and then you will need to agree to their terms of service. Then comes the challenge, where Let’s Encrypt needs to verify that you have control over <yourdomain>. This is where I ran into problems, and you might too. If you don’t run into problems here, it will create and download the certificate. Then, it will give you the option of configuring Apache automatically to use the certificate and force HTTPS.

The snag

My problem comes from Let’s Encrypt’s requirement that your web server is accessible via port 80 to run the automated HTTP challenge. My ISP blocks port 80 and I don’t run my website on that port. This means I have to use the second challenge method (DNS), which involves the following steps:


Run certbot in manual mode using the DNS challenge to get the certificate:

sudo certbot certonly --manual --preferred-challenges dns -d <yourdomain>

Then certbot will ask you to create a DNS TXT record at the name _acme-challenge.<yourdomain> with the value the script specifies. You will need the help of the service running the DNS for your domain.

I use NoIP.com as the DNS manager for some of my domains. I tried to create the TXT record, but their interface would not allow me to create one whose name started with an underscore. Now, hostnames can’t start with an underscore, but TXT and CNAME records should be able to. I contacted their technical support and they said they would have to do it manually. They got back to me after they created the record, which allowed me to finally get the certificate. Unfortunately, I still wasn’t able to see the record they created in the interface, so I can’t modify it. I’ll have to contact technical support every 90 days if I want to renew it. NoIP told me they were working on allowing users to create this type of record themselves.

UPDATE: No-IP now allows users to create DNS TXT records via the web interface. To add your TXT records, navigate to “My Services” and then “DNS Records” and click on “Modify” on your root domain. From there, click on the “TXT” button; under “Create Record” there will be two radio button options. Click on the second one and input “_acme-challenge”. In the larger field titled “Data”, you can add the value of the TXT record.
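Certbot pauses after printing the TXT value and asks you to confirm the record is deployed before it tells Let’s Encrypt to look. The following script, an added example that is not part of the original post and not part of certbot, checks that `_acme-challenge.<yourdomain>` really publishes the expected value before you press Enter. It builds a raw DNS TXT query (RFC 1035 wire format) and parses the reply with only the standard library, so no extra packages are needed; the resolver address 1.1.1.1 is an assumption and any recursive resolver reachable over UDP/53 works.

```python
"""Verify the _acme-challenge TXT record before continuing a manual certbot run.

Added example (not from the original post or from certbot).  Standard library
only: the query is hand-encoded in DNS wire format and the answer hand-parsed.
"""
import socket
import struct
from typing import List

# Assumption: any recursive resolver reachable over UDP/53; 1.1.1.1 is Cloudflare's public one.
RESOLVER = ("1.1.1.1", 53)
TYPE_TXT = 16
CLASS_IN = 1


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode a recursive TXT query for `name` in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # pointer: two bytes, and the name ends there
            return offset + 2
        offset += 1 + length


def parse_txt_answers(msg: bytes) -> List[str]:
    """Return every TXT value in the answer section; [] on NXDOMAIN or any other RCODE."""
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                     # RCODE != 0
        return []
    offset = 12
    for _ in range(qdcount):               # skip the echoed question section
        offset = _skip_name(msg, offset) + 4
    values = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == TYPE_TXT:
            # RDATA is one or more <length><chars> strings; join them into one value.
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
            values.append("".join(parts))
    return values


def lookup_txt(name: str, resolver=RESOLVER, timeout: float = 3.0) -> List[str]:
    """Query the resolver over UDP and parse the reply (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, resolver)
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:             # transaction id must match our query
        raise RuntimeError("DNS reply did not match the query id")
    return parse_txt_answers(reply)


def challenge_record_present(domain: str, expected: str, resolver=RESOLVER) -> bool:
    """True when _acme-challenge.<domain> publishes exactly the value certbot printed."""
    return expected in lookup_txt(f"_acme-challenge.{domain}", resolver)


if __name__ == "__main__":
    import sys
    domain, expected = sys.argv[1], sys.argv[2]    # e.g. example.com <value certbot printed>
    if challenge_record_present(domain, expected):
        print("TXT record visible; continue in certbot")
        sys.exit(0)
    print("TXT record not visible yet; wait and re-run before continuing certbot")
    sys.exit(1)
```

Run it as `python3 check_acme_txt.py yourdomain.com '<value certbot printed>'` from a second terminal while certbot waits. If the record was queried before it existed, a recursive resolver may cache the negative answer for a while, so a repeated miss is worth re-checking against a different resolver before assuming the record was entered wrongly.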

After that, I added the locations of the certificate files to my Apache SSL config file. My site now shows up as secure.

This procedure will also work for sites that are only accessible on a private LAN.


Final Thoughts

All in all, this was pretty simple. The biggest problem is that with NoIP I cannot automate the renewal of the certificate via the DNS challenge, and thus I am at risk of the certificate expiring. Many domain providers have a UI and/or API that allows you to create and modify the necessary TXT record and also allows you to automate the creation of the record.
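Where the DNS provider does offer an API, certbot can drive it through its `--manual-auth-hook` and `--manual-cleanup-hook` options instead of waiting for a human. The script below is an added example, not from the original post, from certbot or from No-IP; certbot really does export `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to these hooks, but the records API (`DNS_API_URL`, the JSON body, the bearer token) is a hypothetical placeholder that must be replaced with your provider’s real one, and the token file path is an assumption.

```python
"""certbot DNS-01 auth/cleanup hook that publishes and removes the TXT record.

Added example (not from the original post, certbot or No-IP).  The provider
API below is hypothetical; swap in your DNS host's real endpoint and payload.
"""
import json
import os
import sys
import time
import urllib.request

# Assumptions (hypothetical): the DNS host exposes a JSON records endpoint and a
# bearer token; the token lives in a root-only file because certbot runs under sudo.
API_URL = os.environ.get("DNS_API_URL", "https://dns-api.example.invalid/records")
TOKEN_FILE = os.environ.get("DNS_API_TOKEN_FILE", "/etc/letsencrypt/dns-api-token")
PROPAGATION_WAIT = 30   # seconds to let the new record spread before certbot continues


def challenge_record(domain: str, validation: str):
    """The pair certbot wants published: TXT _acme-challenge.<domain> = <validation>."""
    base = domain[2:] if domain.startswith("*.") else domain  # a wildcard uses the base name
    return f"_acme-challenge.{base}", validation


def build_request(action: str, domain: str, validation: str, api_url: str = API_URL):
    """Describe the API call as (method, url, body) so it can be checked offline."""
    if action not in ("auth", "cleanup"):
        raise ValueError("action must be 'auth' or 'cleanup'")
    name, value = challenge_record(domain, validation)
    body = {"type": "TXT", "name": name, "data": value, "ttl": 60}
    return ("POST" if action == "auth" else "DELETE"), api_url, body


def send(method: str, url: str, body: dict, token: str) -> int:
    """Perform the call against the (hypothetical) API and return the HTTP status."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status


def main(argv) -> int:
    action = argv[1] if len(argv) > 1 else "auth"
    # certbot exports these for --manual-auth-hook and --manual-cleanup-hook
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    with open(TOKEN_FILE) as fh:
        token = fh.read().strip()
    method, url, body = build_request(action, domain, validation)
    status = send(method, url, body, token)
    if action == "auth":
        time.sleep(PROPAGATION_WAIT)       # crude; polling the record is more reliable
    return 0 if 200 <= status < 300 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it somewhere root-owned, then request the certificate once with `sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/usr/local/bin/acme-hook.py auth" --manual-cleanup-hook "/usr/local/bin/acme-hook.py cleanup" -d <yourdomain>`. Certbot saves the hook paths in that certificate’s renewal configuration, so a scheduled `certbot renew` re-runs them unattended. Keeping the API token in a mode 0600 root-only file rather than in the environment matters because the hook runs with root privileges and anything that can rewrite your DNS can also obtain certificates for the domain.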

Do any of you use Let’s Encrypt for your SSL certifications? Have you automated it? Do you use the DNS challenge? Is there something more about this topic you’d like to know? Connect with me on Twitter or in the comments and let me know!


by HomeTechHacker