We are now booming away in full SSL glory!

The title says it all, we are now encrypting traffic in full SSL swing! Now, I know what you’re thinking, “that must have taken you forever!” However, it didn’t. I estimated around 15 minutes tops.

In the past, something like this would have taken me hours. You know what it’s like… making sure to configure everything correctly in preparation, generating keys, requesting the certificates (and the waiting game that comes with it), assigning it, then configuring it to actually use it, debugging why it went wrong, debugging why the application is in some stupid redirect loop, …, and then success; You have SSL! Well this time, things were a bit different (just a shame regular certificate authorities aren’t this quick)…

Let’s Encrypt w/ SSL!

Am I giving the game away already with the title? If you haven’t heard, there’s a way to get a certificate (for free!) easily, and does all the leg work getting things configured for you. I will warn you, it isn’t without perils – but a damn sight easier to deal with. This bundle of joy comes in the form of an open certificate organisation called Let’s Encrypt, part of the Linux Foundation’s Collaborative Projects.

How it works…

It’s simple, grab their tool (warning: some git knowledge helps), run it to install it’s dependencies, and then run it again to request a certificate; configure your server; and set everything up. The tool itself does all the magic. For those who prefer to do things manually you still can, just make sure to run the tool in certonly mode.

Caveats

There is one major caveat, the certificate you get only lasts for 3 months. Plus, you may run into a couple of hiccups depending on your setup (I will highlight my problems later). They do mitigate that by providing a means to renew the certificate using the same tool – which can be automated in a cron job (they provide you with the script too!). So, since it is free, is it really that big of a deal?

Problems

The problems I experienced was mainly after I ran the tool to configure everything. I wanted the site to run from www.hazrpg.co.uk, not hazrpg.co.uk – but the certificate I was given was for just hazrpg.co.uk. This was made worse because of the Virtual Host configuration I had would redirect users to the www subdomain. Meaning people visiting would be presented with a nasty nasty warning due to the certificate Common Name (CN) being incorrect!

I could have avoided this problem if I had made sure I was more exact in my configuration. The simple lesson is:

  • Make sure you specify exactly which domain you want to listen for with the ServerName parameter. In my case, this should have been www.hazrpg.co.uk not hazrpg.co.uk.
  • Set your ServerAlias correctly. So in my case, I had *.hazrpg.co.uk, but really I meant hazrpg.co.uk *.hazrpg.co.uk because I wanted to handle both of those.
  • Check all your other settings, to make sure you haven’t missed anything that you may need when you go to SSL.

If you take all of that into account, then you’ll be fine. Though, you can edit the files manually to correct the issue(s) – look in your apache2 (or nginx) configuration files, and any virtual host files too. When running the tool, also make sure there is an asterisk next to all the domains you want to gain a certificate for – Let’s Encrypt does allow multiple certificates. It will only outline sites that are enabled, so make sure you have configured everything you want to include first.

Conclusion

You can get a nice free certificate, hassle (ish) free. Just remember: be exact, check all your configurations, run directly on the server (although I do recommend testing in a staging server first). The guide available the getting started page is easy to follow, so I won’t go into details here. Remember to set a cron job for renewal, they do provide a script that you can use. Otherwise you will be sad in three months when it expires.

Avatar for Haz

Haz

I'm a Gamer; Programmer; Ubuntu enthusiast; and Art hobbyist (mainly pixelated);