"Connection is secure" free SSL certificates: Let's Encrypt

 

Not so long ago you had to pay for SSL web server certificates; now there are providers who issue certificates for free and automatically. I was surprised how easy it is ...

"Not secure".

Without an SSL certificate, a warning appears that the page is "Not secure":

 "Connection is secure"

Initially to make the admin portal of my website a bit more secure, and later to use HTTPS for all websites, I switched them to SSL. For the admin interface, I originally wanted to use a self-signed certificate for cost reasons. A custom certificate authority was also a possible option. For the browser not to issue a certificate warning, I would have had to import the certificate on all end devices. Especially with Android this is, as I had to learn, not an easy task. Looking for a public certificate, I came across "StartSSL Free", which also worked for a few years, but the operation of StartSSL was discontinued on January 1, 2018; today Let's Encrypt is the benchmark for free certificates.

Let's Encrypt

The fully automated certificate authority Let's Encrypt was made possible by numerous well-known sponsors, including Mozilla, Cisco, Facebook, HP and several more. The special thing about Let's Encrypt is that the web server applies for, installs and regularly renews the certificate itself through an API client installed on the server. The website owner does not need any background knowledge to do this. I have been following the project since the beginning of 2015. At the end of 2015, I wanted to test Let's Encrypt on my web server. At that time, some manual work was still necessary for the configuration, and for me the script did not work right away.

I started the next attempt in May 2016: lo and behold, now there is even a Plesk extension.

Update 2020: Alternatively, Let's Encrypt can also be used with Docker and nginx, see: nginx-LetsEncrypt Reverse Proxy in Practice.

September 2021 - ISRG Root X1.

I've read about this several times, have now received another email from Let's Encrypt with the same information, and have summarized it here:

Let's Encrypt change in September 2021 (update 2021): From September, Let's Encrypt has to use its own root certificate, ISRG Root X1. Old devices will get a certificate warning because of this, see: letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.

Originally Let's Encrypt used an existing root certificate available in all devices for a faster start: DST Root CA X3. The certificate has an expiration date of 30.9.2021.

As a result, old devices that have not received updates for years, and thus do not yet have the new Let's Encrypt root certificate ISRG Root X1, will show a certificate warning. According to the Let's Encrypt site, the following known devices are affected:

  • Blackberry < v10.3.3
  • Android < v2.3.6
  • Nintendo 3DS
  • Windows XP prior to SP3
      ◦ cannot handle SHA-2 signed certificates
  • Java 7 < 7u111
  • Java 8 < 8u101
  • Windows Live Mail (2012 mail client, not webmail)
      ◦ cannot handle certificates without a CRL
  • PS3 game console
  • PS4 game console with firmware < 5.00

In May 2021, this site already received a certificate based on the new ISRG Root X1 CA:

Source: letsencrypt.org/docs/certificate-compatibility/

Plesk

To use Let's Encrypt with the help of Plesk, I had to update Plesk to the latest version. After switching to the extensions, I was able to select and install Let's Encrypt:

In the installed extension, all domains installed on the web server are listed. When clicking on a domain, the certificate can be installed, automatically and without wasting a thought on the configuration:

Only the write permissions on the folder ".well-known" in the root folder of the respective website caused problems with one or another of the domains. The solution is quite simple:

Error: Let's Encrypt SSL certificate installation failed

Failed letsencrypt execution: filemng: Error occurred druing /bin/mkdir command. filemng: Error occured during /bin/rm command.

Command '['/usr/local/psa/admin/bin/filemng',u'user',mkdir','-p',u'/var/www/vhosts/domain/.well-known/acme-challenge']' returned non-zero exit status 1

After I created the folder ".well-known" with the file manager and assigned the appropriate write permissions, the installation worked:
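
A preflight check for the failure above, as an added example that is not from the original post or from Plesk: it creates the challenge path writable by its owner only and reports which path component blocks the client. The function name, the exit codes and running it as the site's system user are assumptions.

```shell
#!/bin/sh
# Added example, not Plesk's code. Run as the site's system user (assumption).
# check_acme_dir DOCROOT
#   0 = ready, 1 = docroot missing, 2 = path component is not a real directory,
#   3 = cannot create or write, 4 = directory is world-writable
check_acme_dir() {
    docroot=$1
    [ -d "$docroot" ] || { echo "docroot missing: $docroot" >&2; return 1; }
    path=$docroot
    for part in .well-known acme-challenge; do
        path=$path/$part
        # A plain file or symlink here makes "mkdir -p" fail or redirects writes.
        if [ -L "$path" ] || { [ -e "$path" ] && [ ! -d "$path" ]; }; then
            echo "not a real directory: $path" >&2; return 2
        fi
        if [ ! -d "$path" ]; then
            # 0755: the owner writes tokens, the web server only reads them.
            mkdir -m 755 "$path" 2>/dev/null || {
                echo "cannot create $path (parent not writable?)" >&2; return 3; }
        fi
        # World-writable would let any local account place challenge files.
        if [ -n "$(find "$path" -prune -perm -002 -print)" ]; then
            echo "world-writable, tighten with chmod o-w: $path" >&2; return 4
        fi
    done
    # Same sequence the client performs: write a token file, then remove it.
    probe=$path/preflight-$$
    { echo probe > "$probe"; } 2>/dev/null || {
        echo "cannot write in $path" >&2; return 3; }
    rm -f "$probe" || return 3
    echo "ok: $path"
}

# Usage (path is a placeholder): check_acme_dir /var/www/vhosts/domain
```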

Renew certificate

A look into Crontab shows a task which automatically renews the certificate every month. The validity of the certificate is 3 months. So there is nothing more to do from the webmaster's side. Provider details, see https://letsencrypt.org/

Conclusion

HTTPS security does not have to cost anything. Smaller companies and private websites in particular benefit from the free certificates. Thanks to the simple integration of Let's Encrypt, a free certificate can even be installed more easily and quickly, and with less complication, than a paid one. Docker offers a universal and simple solution for this, see also: nginx-LetsEncrypt Reverse Proxy in practice.
