Free SSL Certificates

I always wished there were a simple way to get a cheap SSL certificate. Usually you have to pay several dozen euros per year for a single-domain certificate. This is a huge restriction for me. I want to experiment with web apps, which I usually deploy on separate subdomains. Almost every such web app requires some kind of authentication. In the worst case, this data would be sent over the wire unencrypted. To solve this, I created a self-signed certificate for each of these app subdomains. It wasn't a big issue for me: I either added the certificates to Chrome's store of approved certificates or just clicked "proceed to the site". But when I got as far as publishing an app to even a rather small circle of people, it became a bigger issue. Not everyone was familiar with SSL certificates. This meant I either had to explain to everyone how to deal with the "insecure site" warning or turn off SSL for the subdomain. Neither option was good.

Luckily, Let's Encrypt went into public beta last December. Let's Encrypt allows you to get an absolutely free SSL certificate for any domain you own. You need to install a helper program on your server that takes care of obtaining the SSL certificate. It will also renew the certificate when it is about to expire. There are several tutorials on how to install the utility for different web servers. Here is a tutorial for nginx.

So far so good. But as you might have noticed, these tutorials are not very short. You have to configure some things and take care of others. This is where the Caddy server shines. It supports Let's Encrypt natively. This means you don't need to explicitly configure encryption at all. All you need to do is agree to Let's Encrypt's conditions and provide your email address if you want. That's it. Caddy is awesome. It will get SSL certificates for all sites in your configuration and save them in the ~/.caddy directory.

In addition to Let's Encrypt, Caddy supports HTTP/2, virtual hosts, and TLS + SNI, and has an extremely easy configuration. Your Caddyfile might look like this:

subdomain.sam701.com {
  gzip
  ext .html
  log subdomainsam701.com.access.log
  root /home/alexei/site
}

If you have a web application running on localhost, you can use a proxy:

http://your-domain.com, https://your-domain.com {
  proxy / http://127.0.0.1:20100 {
    proxy_header X-Real-IP {remote}
  }

  log your-domain.com.access.log
}

Note that HTTP and HTTPS are both listed explicitly. This prevents the automatic redirect to HTTPS.
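Without the redirect, the proxied app stays reachable over plain HTTP, so logins sent to the http:// address are not encrypted. As an added example (not part of the original post or of Caddy itself), this Python check reads a Caddyfile and reports every host that is listed with an explicit http:// address. The function names are hypothetical, and it assumes each block's site addresses sit on a single line.

```python
import re

# Constructed sample input, shortened from the two site blocks on this page.
SAMPLE = """\
subdomain.sam701.com {
  gzip
  root /home/alexei/site
}
http://your-domain.com, https://your-domain.com {
  proxy / http://127.0.0.1:20100 {
    proxy_header X-Real-IP {remote}
  }
  log your-domain.com.access.log
}
"""

def site_labels(caddyfile):
    """Yield the address list of every top-level site block."""
    depth = 0
    for raw in caddyfile.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if depth == 0 and line.endswith("{"):
            yield [a for a in re.split(r"[,\s]+", line[:-1]) if a]
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1

def plaintext_sites(caddyfile):
    """Map each host that has an explicit http:// address to a finding."""
    findings = {}
    for labels in site_labels(caddyfile):
        http = {a[7:] for a in labels if a.startswith("http://")}
        # Bare public domain names and https:// addresses get TLS from Caddy.
        tls = {a[8:] if a.startswith("https://") else a
               for a in labels if not a.startswith("http://")}
        for host in sorted(http):
            findings[host] = ("HTTP and HTTPS, no redirect"
                              if host in tls else "HTTP only")
    return findings

if __name__ == "__main__":
    for host, finding in plaintext_sites(SAMPLE).items():
        print(f"{host}: {finding}")
```

Only the address scheme is inspected; addresses that select plain HTTP by port are not covered.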

Technically, it has been possible to get free SSL certificates for a long time. But in practice they were not available for various reasons, e.g. missing regulations and processes. I'm very glad that everyone can now use SSL without any administrative effort. This is how it should be. You'd be right to assume that this site is served by Caddy. We are living in the future.