Parliament Hill Computers Ltd
Parliament Hill Computers Ltd
Irrespective of the technical reasons (below) — you just need to do it. Many of the browsers are hinting that non HTTPS sites as insecure; this will get worse, in July 2018 the Chrome browser marked non-HTTPS websites as insecure, this will put people off from visting your web site.
For SSL encryption to work the server and browser need a shared secret — the encryption key. As the two parties might not have been in touch before they need to exchange this secret over the public Internet. A way of doing this was worked out by Merkle, Hellman & Diffie.
This works well but has a big flaw: something sitting between the parties can speak to them pretending to be the other party; agreeing a different key and decrypting & re-encrypting the traffic on the fly, it is not hard to do this fast enough that neither party can detect that this is going on.
Such a machine is called a man in the middle. It is not very hard to do: the corporate Internet gateway could do it; governments have been doing this for many years.
A SSL certificate guards against the man in the middle by providing the browser with assurance that the encryption key that the server suggests really does belong to the server.
The way that this works is that the certificate is signed by a certificate authority (CA) and the browser has, hard wired into it, the signing keys of around 200 CAs (typically). These CA signing keys are shared secrets.
The Let's Encrypt certificate is not (yet) pre-known to most browsers, however its signing key is signed by IdenTrust — which most browsers do know about.
This certificate chain information is provided to the browser by the Apache web server.
Next page: How Let's Encrypt works
Return to How to Configure Let's Encrypt with acme_tiny.py
Return to tutorial home.
If you want any help using the above, or have any comments or suggestions, please contact us.