We’ve all been there: buying certificates from a commercial CA is a bit annoying, especially when it comes to wildcards. A new project has been around for a couple of months now, it’s called Let’s Encrypt.

It’s basically a bunch of scripts that will help you sign certificates for your Apache/Nginx vhosts… and for free, no less! The good news is that these certificates will be recognized by pretty much any browser. Farewell, security alerts! The bad news is: no wildcard support for now. Well… that’s not exactly bad news, since you can create as many certificates as you want, and SNI is rather widespread now.

Installing Let’s Encrypt

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

Creating/signing a new certificate

cd letsencrypt
./letsencrypt-auto certonly --webroot -w /var/www/vhost_path/ -d FQDN

Configuring Apache

SSLCertificateFile /etc/letsencrypt/live/FQDN/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/FQDN/privkey.pem
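
The two directives above are the essential part; as an added example (not from the original post), here is a complete Apache 2.4 vhost pair for a hypothetical www.example.com, with a second name on the same IP to show the SNI point made earlier. The webroot passed to -w (assumed here to be /var/www/example/) has to keep serving /.well-known/acme-challenge/ over plain HTTP, because that is where Let’s Encrypt fetches its validation token, so the HTTP-to-HTTPS redirect must leave that path alone.

```apache
# Added example: hypothetical names and paths, adjust to your own vhosts.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example

    # The challenge directory must stay reachable on port 80,
    # otherwise issuing and renewing with --webroot fails.
    <Directory /var/www/example/.well-known/acme-challenge>
        Require all granted
    </Directory>

    # Send everything except the challenge path to HTTPS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    # fullchain.pem holds the leaf plus the intermediate, so browsers
    # can build the chain without a separate SSLCertificateChainFile.
    SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
</VirtualHost>

# A second site on the same IP: its own certificate (issued with a
# separate certonly run and -d blog.example.com), picked by SNI.
<VirtualHost *:443>
    ServerName blog.example.com
    DocumentRoot /var/www/blog

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/blog.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/blog.example.com/privkey.pem
</VirtualHost>
```

The redirect requires mod_rewrite and mod_ssl to be enabled; check the result with `apachectl configtest` before reloading.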

Checking your certificates

Certificates signed with Let’s Encrypt will be valid for 3 months. All the more reason to crontab a script I whipped up for the occasion:

#!/bin/sh
# Warn about Let's Encrypt certificates that expire within a week.
# Run with --cron to print only the certificates that need attention.

rootpath="/etc/letsencrypt/live"
warning=604800 # 1 week, in seconds

RETVAL=0
ISCRON=0

if [ "$1" = "--cron" ]; then
    ISCRON=1
fi

# Glob instead of parsing ls: stray files in live/ (such as a README)
# are skipped, and odd directory names do not break the loop.
for certpath in "${rootpath}"/*/fullchain.pem; do
    [ -r "${certpath}" ] || continue
    d=$(basename "$(dirname "${certpath}")")
    expirydate=$(openssl x509 -enddate -noout -in "${certpath}" | sed 's/notAfter=//')
    # -checkend exits 0 if the certificate is still valid ${warning} seconds from now.
    # Its own "Certificate will (not) expire" line is silenced so --cron stays quiet.
    if openssl x509 -checkend "${warning}" -noout -in "${certpath}" >/dev/null; then
        if [ "$ISCRON" -eq 0 ]; then
            echo "${d} OK"
        fi
    else
        echo "${d} WILL EXPIRE ON ${expirydate}"
        RETVAL=1
    fi
done

exit $RETVAL

The crontab entry will need to look something like this:

MAILTO=admin@yourdomain.com
0 0 * * * /path/check_certs.sh --cron