First step to https

The end of the Summer, the old iMac on the balcony enjoying a beautiful morning. Terminal windows open to the VPS where I have some sites running, including floris.computer. Okay, Chrome announced they’re going to start telling you soon when you’re not on a https site. And EFF seems to be pretty stable with their Let’s Encrypt tool. Finally, time to take the first steps towards https only domains.

tl;dr Updating the VPS/Apache with Let’s Encrypt to move my virtual hosts from http to https. This is not a how-to blog post, just sharing my experience. But I will include links so you can get started as well.

Before I continue, I have to admit that of the few sites on this VPS, only one is public. The others are under development at the moment (#soon) and behind closed doors, so I have some wiggle room when it comes to things going wrong. Reverting back and having potential downtime isn’t going to cost me. Also, I take no user input at this point, so making sure that any software I run fully supports https isn’t an issue for me right now either. Hence why this is ‘the first step’.

Why do all of this, why not just leave it at http, rather than force https?

Besides the fact that the world is progressing towards a more secure on-line browsing experience, the cost went from fairly affordable (or really expensive) to now really cheap. Really cheap, as in totally free. Let’s Encrypt is an initiative through EFF to help move the world to https a little faster. Encrypting the communication helps you as end-user a lot. And the best thing is, as someone browsing a site you don’t even really notice the difference between being on one or the other. The content on the page is the same. Anyway, if you run your own web sites, consider a VPS or better. And consider something like I’ve done today.

What about mrfloris.com and your other sites?

They are more public, more in use, and I don’t like any downtime on them. However, they take no user input either, and they’re on a shared host. At this time I don’t feel ready to make the switch yet. I also have a few things running behind closed doors that don’t work well yet with forced https URLs, so I wish to address those issues first. But yes, after this first step I’ve built up some confidence and experience. And the plan is to eventually have all my domains (public or private) forced to https.

Is this just you being paranoid, or…

Nope. Facebook, Google, Twitter, your bank, etc. are all on https already, and they should be. If you are on a website that’s not showing a green padlock in the location bar, and doesn’t have a properly signed certificate that is valid for that domain, please do contact them and ask them about their plans to move to https.

If you are talking about being paranoid, consider this: if your online banking is not over https and you’re on a public wifi point, everybody nearby that can sniff the traffic will see the communication between you and the bank in easy-to-read plain text. That’s not how you wish to submit your bank details, make a transaction, provide your credit card security code, etc. But being paranoid, or rather being cautious, is a discussion for a different site I am working on (yes, that’s a teaser if you’re reading this in 2016).

Okay, so what did you do, or maybe I should ask: “What do I do if I have a website?”

Sure. What I have done is make sure I have control over the DNS of the domain, control over the hosting account, and control over the certificates. Let’s break that down into a few steps and explain each a little better.

Domain Registrar:
Instead of having your hosting provider own and manage the domain, make sure you’re the one that’s in control of it. This way you can point the DNS values, like the IN A record and the NS (name server) details, to the hosting provider (or quickly move to another one), making you independent of your hosting provider. While not mandatory for Let’s Encrypt, it sure darn helps feeling more secure about being in control of that precious URL you paid for. I register my domains with namecheap.com, hover.com, and a few others. They include free whois protection (if needed), and access to the DNS. Do not have your domain with a reseller of namecheap, go to namecheap directly.

Hosting Provider:
Rather than having a shared hosting solution, see if you can have an affordable VPS solution. The VPS will give you access to the latest updates/upgrades of the operating system. And yes, while you’re the one that has to manage it, you don’t have to wait for the provider. More importantly, you will have root access (super user on the machine) to the account, allowing you to do so much more than a regular user. For example, you can control your firewall, configure your web sites and virtual hosts, remove packages you aren’t using, improve performance, install custom libraries for your projects, etc. Let’s Encrypt does require access to your web server’s configuration files, such as CLI (command line interface) access to your Apache .conf files. Like I said earlier, at the moment mrfloris.com is running on a managed shared hosting solution, and my project sites run separately on a small VPS. This means I have shell access, and can use Let’s Encrypt.

Certificates:
Instead of self-signing and ending up with red or orange padlocks, poorly configured setups, etc., or paying for expensive domain-covering solutions, I recommend reading up on and considering Let’s Encrypt through the EFF site. It’s an automated script that does the hard work for you, and it’s free to download. It worked just fine with various nginx/apache and ubuntu/linux distributions. It really is a couple of commands, and properly documented.

Let’s share some URLs in case you want to get started right away. Thank you though for reading this far and hopefully feeling inspired to update your sites. Important note: make a backup of them first, learn how they’re configured first, and find out how easy it is for you to roll back to today’s working version if things go wrong.

Links:
Domain registrars:
namecheap.com
hover.com

Hosting Providers:
ramnode.com
digitalocean.com
and google for the rest, like leaseweb.com, theplanet.com, etc.
extra: Setting up Apache virtual hosts (http) article.

Let’s Encrypt:
letsencrypt.org

Okay, the next step is to make sure your VPS is up to date.
From the console you can type (on Ubuntu) apt-get update, followed by apt-get upgrade. This will at least make sure your setup is the latest, for the current version of your linux distribution.

I will assume you have properly setup your Apache virtual hosts. Including your domain pointing to the IP address properly. I will also assume you wish to automatically move your domains to https in one go. For me, on this setup, this was the easiest step. (I’ve included the link above to get you started on Apache’s virtual hosts).

The system should be ready now for Let’s Encrypt. Go to their site, click on Getting Started and then on certbot. Select your web server and operating system. Then get the bot, make it executable, run the command ./certbot-auto, go through the menu, etc. When everything goes well you end up with your sites automatically being https.

For more detailed step by step instructions, if you wish to do things manually, check out Erika’s article.

One issue I ran into initially was that port 443 was blocked by my firewall. In ufw, add an allow rule for 443/tcp and reload ufw. Try running ./certbot-auto again, and it should complete just fine this time.

The final step is to add the renew command to crontab. Erika’s article also includes instructions for this. You should really do this: you don’t want to force your users from http to https, and then have them end up on an expired-certificate page.

A final note. Check your website. Think it through. If you have PayPal buttons, are the URLs set to go to http or https? Are you including remote resources like CDN (content distribution network) content such as images or javascript files, maybe Google Fonts, over http? Make sure they’re on https as well. And of course check your site as a guest, member, staff, etc. to find any issues. You can find most warnings in Chrome by clicking on the padlock icon; the developer tools will slide up with warnings in red in the console.
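If you want to do that mixed-content check before opening the browser, here is a small scanner for it. This is an added example, not code from the post or from Let’s Encrypt: it parses a page and reports every sub-resource (or form target) that still points at http://, and the sample page it runs on is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch a sub-resource (or, for form, send the user's
# input somewhere). On an https page any that resolve to http:// are mixed
# content and draw the red console warnings the post describes.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "link": ("href",),    # only when rel="stylesheet", see handle_starttag
    "form": ("action",),  # e.g. a PayPal button still posting to http
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as sub-resources
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset is "url descriptor, url descriptor"; check each url
            urls = [c.split()[0] for c in value.split(",") if c.strip()] if name == "srcset" else [value]
            for raw in urls:
                # relative and scheme-relative (//cdn/...) refs inherit the page's
                # https scheme, so only an explicit http:// is reported
                absolute = urljoin(self.page_url, raw.strip())
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))

def scan_mixed_content(html, page_url="https://example.com/"):
    # Return every http:// sub-resource reference found in the html
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (not a real site): three bad refs, three fine ones
SAMPLE_PAGE = """<!doctype html><html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="//cdn.example.net/app.js"></script></head><body>
<img src="http://cdn.example.net/logo.png" alt="logo"><img src="/images/local.png" alt="local">
<form action="http://example.com/subscribe" method="post"></form></body></html>"""
```

Running `scan_mixed_content(SAMPLE_PAGE)` flags the stylesheet, the logo and the form action; the Google Fonts link, the scheme-relative script and the local image pass.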

Oh by the way, while running certbot I selected to include my www.* domains, as well as to force http traffic to https with a rewrite rule.

It should work, and you can test it now: http://mrfloris.com should load https://mrfloris.com and the padlock should be there, in green.

Hopefully this blog post introduces you to https, and helps you get motivated to consider it for your domains. I understand this is a lot of text, and it might sound confusing. But having dealt with SSL in the past, and having paid good money for it, going through Let’s Encrypt was fast, easy, and free. Worth the effort.

referral link disclaimer: yes.
