Now with HTTPS
So, if you've been paying attention over the last few years, you'll have noticed more of the web going encrypted. This is a good thing. It keeps your data more secure and stops proxies and malicious wifi providers eavesdropping or injecting ads into your content.
Of course, for those who don't have money to burn on expensive certificates, there was always a blocker to going HTTPS: the cost. Even the cheaper certificates to secure your site cost about three times as much as the domain name, plus there were the notoriously headache-inducing setup steps for getting a certificate working on your server.
All that changed last year, when Let's Encrypt announced their service: free certificates and a simple client you could use to set them up. Pretty much the ideal solution if they could pull it off, and with board members from the likes of Cisco, the EFF and Mozilla it looked like they could. It has been in beta since the summer, and at the start of December it went into public beta.
So I decided to give it a whirl. I've always left SSL config to somebody else before, so this should be "fun".
Getting started
First off you need SSH/console access to your server and the ability to install software. I have a CentOS server at Digital Ocean (whom I recommend, by the way) and can go in and switch to root to install things.
The instructions in the Let's Encrypt docs are pretty thorough. You'll probably need to install some dependencies with yum (or apt-get, or whatever your distro uses). You might need to do:
sudo yum install gcc libffi-devel python-devel openssl-devel
Running ./letsencrypt-auto as root should sort these out for you, but I found that my server's memory and CPU were a little low for some of the compiling steps, particularly the Python cryptography package the client uses, so I waited for a quiet period and installed that manually with:
pip install cryptography
Also, my system had an older Python install that grumbled about a few things and required the --debug flag to run the client.
Installing the certs
Although Let's Encrypt can sort out the server setup for some platforms and web servers, my combo of CentOS and nginx wasn't supported, so I needed to just create a cert with the client and install it manually. I needed my web root directory and domain; the command looked like this:
./letsencrypt-auto certonly --webroot -w <webroot> -d <example.com> --debug
This popped up a query for some info (email address and so on), then quickly sorted the certs and told me where it had put them. Simple. The webroot method works by having the client drop a challenge file under <webroot>/.well-known/acme-challenge/ which Let's Encrypt then fetches over plain HTTP, so that path has to be served by nginx on port 80 for the command to succeed.
Setting up nginx was a case of adding an appropriate virtual server and pointing it at the cert/key pair:
server {
    listen 443 ssl;   # same as "listen 443;" plus "ssl on;", which newer nginx releases deprecate
    server_name <domain>;
    # fullchain.pem is the leaf cert plus the intermediate; keep privkey.pem readable by root only
    ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
}
This required a restart of nginx. Went to https:/
Post install massaging
So you've got your cert. What next? Well, I decided to check the connection against the SSL Server Test from Qualys (SSL Labs) to be sure it was secure enough and up to scratch.
Oh dear, only grade C. Seems there's some more work to do post install.
Fortunately the report gives some advice on what to fix. For me it was out-of-date protocols/ciphers still being available and an older form of
I set the protocols in the nginx config with (this dropped SSLv3 and was the accepted list at the time; TLSv1 and TLSv1.1 have since been deprecated as well, so today you would list only TLSv1.2 and TLSv1.3):
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
then the ciphers with:
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
That last bit came from the detail over here, which also recommended setting up a "strong DH group" by running:
openssl dhparam -out dhparams.pem 2048
and then (after a few minutes' wait while it generates the group) pointing my server at the file with an update to the nginx config:
ssl_dhparam /etc/nginx/dhparams.pem;
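As an added example (not code from the original post or from Let's Encrypt), here is a small offline auditor that checks an nginx server block for exactly the things the SSL Labs report complained about above: legacy protocols, a cipher string that fails to exclude the weak classes, ssl_prefer_server_ciphers left off, and no explicit DH group. It runs the check over two constructed blocks, the original grade C config and the hardened one, so you can see what each step fixes. The example.com paths, the shortened cipher string and the protocol list treated as legacy are assumptions for illustration; note that it deliberately treats TLSv1 and TLSv1.1 as legacy, which is today's guidance rather than the state of play when the post was written, so even the hardened block gets two findings.

```python
"""Offline audit of an nginx TLS server block for the issues the SSL Labs
report flagged on this page. Added example, not code from the original post."""
import re

# Protocol versions that should not be offered. SSLv3 was the problem when the
# post was written; TLSv1 and TLSv1.1 have since been deprecated (RFC 8996),
# so the post's own hardened block is flagged for those two.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher classes a hardened ssl_ciphers string must exclude with a '!' entry.
WEAK_CIPHER_CLASSES = ["aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5"]


def parse_directives(config):
    """Map each 'name value...;' directive in a server block to its values.
    Comments are stripped and surrounding quotes removed; nested blocks are
    not needed for the directives checked here."""
    directives = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^(\w+)\s+(.*);$", line)
        if match:
            name, value = match.group(1), match.group(2).strip().strip("'\"")
            directives[name] = value.split()
    return directives


def audit(config):
    """Return a list of findings; an empty list means the block passes."""
    d = parse_directives(config)
    findings = []

    protocols = set(d.get("ssl_protocols", []))
    if not protocols:
        findings.append("ssl_protocols not set; nginx's default applies")
    for proto in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append("legacy protocol enabled: " + proto)

    ciphers = d.get("ssl_ciphers")
    if not ciphers:
        findings.append("ssl_ciphers not set; OpenSSL's default list applies")
    else:
        excluded = {c[1:] for c in ciphers[0].split(":") if c.startswith("!")}
        for cls in WEAK_CIPHER_CLASSES:
            if cls not in excluded:
                findings.append("cipher string does not exclude !" + cls)

    if d.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append("ssl_prefer_server_ciphers is not on")

    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam not set; DHE suites use the built-in default group")

    return findings


# Constructed input: the first server block from the post (graded C).
GRADE_C = """
server {
    listen 443;
    server_name example.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
"""

# Constructed input: the same block after the post's hardening steps (graded A).
# The cipher string is shortened; the '!' exclusions match the post's list.
HARDENED = GRADE_C.rstrip().rstrip("}") + """
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;
}
"""

if __name__ == "__main__":
    for label, cfg in (("grade C block", GRADE_C), ("hardened block", HARDENED)):
        print(label + ":")
        for finding in audit(cfg) or ["no findings"]:
            print("  - " + finding)
```

Run it against a copy of your own server block to see which of the steps you have still to apply; swapping the protocol line for `ssl_protocols TLSv1.2 TLSv1.3;` is what makes the hardened block come back clean.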
All that done, my server goes from a C rating to an A and avoids lots of known exploits of older SSL technology. After checking it all worked, I set up an HTTP to HTTPS redirect in the old HTTP server config:
if ($scheme = http) {
    # the test is redundant if this server block only listens on port 80, but harmless
    # $server_name is fine for a single exact name; with several names use $host instead
    return 301 https://$server_name$request_uri;
}
And that's it. If you can view this page, you can see it's working... You can see it right?