![\"letsencrypt\"](\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2016\/04\/letsencrypt.jpg\")
<\/p>\n<\/p>\n
SSL certificates are a great way to\u00a0ensure that the website you’re\u00a0connected to is really the one you think you’re connected to, and it also keeps the traffic between your client and the server secure. The HTTPS protocol<\/a> uses SSL certificates. The main problem with the SSL infrastructure was that you needed to get one that was signed by one of the central trusted authorities<\/a> – and generally if you wanted one of these you had to pay for one. There were a few places that would give you a free certificate for personal use<\/a>,\u00a0the other alternative was to use a self signed certificate<\/a> but there were usability issues because it isn’t signed by a trusted authority.<\/p>\n This all changed recently with Let’s Encrypt<\/a> – you can now get a free certificate with very little effort. If\u00a0you maintain a website or host an app, you should check letsencrypt.org<\/a> out. The remainder of this post is a cleaned up set of notes on what I did.<\/p>\n I started out here\u00a0https:\/\/letsencrypt.org\/getting-started\/<\/a> – which seemed to be a good starting point. Then I figured I’d make sure my server met the criteria they had for support, the documentation<\/a> had some details covering this. I was happy to see Ubuntu 12.04+ and Apache 2.x support, so this made me fairly confident my server was\u00a0supported.<\/p>\n But.. my Ubuntu\u00a0doesn’t seem to have a letsencrypt package<\/p>\n No problem, we’ll just follow\u00a0along with https:\/\/letsencrypt.org\/getting-started\/<\/a><\/p>\n The last command, while asking for help – will do some bootstrapping of let’s encrypt. So don’t skip it. The scripts include calls to\u00a0sudo, so you don’t have to be root to run them but it will ask for root access.<\/p>\n [Security note – it is always a little bit\u00a0scary running random scripts, always worth looking at them. There is a\u00a0growing trend of having “wget -O – \u00a0http:\/\/randomscript.com\u00a0| bash” be normal, but you should be afraid]<\/em><\/p>\n Some exciting updates to my server from doing just the bootstrap. My \/etc\/ca-certificates got updated (it was probably way overdue), it also dragged me up to date for libssl. It took a while to finish, but we finally got the help screen.<\/p>\n At this point, I have the let’s encrypt tools installed on my server, so time to try them out.<\/p>\n Hopefully the following command is going to register us and get a new certificate for my old expired one.<\/p>\n Well that didn’t work, it picked up some ‘other’ domains I host — but not my main lowtek.ca one. Weird, but probably due to my non-standard configuration of Apache due to years of\u00a0hacking it. It was easy to bail out so\u00a0no harm done.\u00a0Let’s try this then:<\/p>\n Ok – much better, email sign up and an agreement (which yes, I took the time to read – it was only 6 pages). \u00a0It seems as I don’t have a virtual host setup for lowtek.ca and needed to manually pick the apache config file (not a big deal), this was why the first try didn’t work.<\/p>\n Visiting https:\/\/lowtek.ca\/<\/a> shows no more certificate error (woot!) and all looks good. It was really this easy.<\/p>\n The end of the script even suggests you visit: https:\/\/www.ssllabs.com\/ssltest\/analyze.html?d=lowtek.ca<\/a> to check for issues. \u00a0These SSL Labs tests, show that my certificate from letsencrypt will expire in just under 3 months, so I’ll want to add a cron job to do a renew. They also gave me a B rating, with lots of gorpy details on why.<\/p>\n To renew, I just need to run this command from time to time<\/p>\n That’s really easy to do with cron – so I added an entry to my root user crontab to run this once a month.<\/p>\n","protected":false},"excerpt":{"rendered":" SSL certificates are a great way to\u00a0ensure that the website you’re\u00a0connected to is really the one you think you’re connected to, and it also keeps the traffic between your client and the server secure. The HTTPS protocol uses SSL certificates. The main problem with the SSL infrastructure was that you needed to get one that … Continue reading “SSL for everybody”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,12],"tags":[],"class_list":["post-1506","post","type-post","status-publish","format-standard","hentry","category-computing","category-how-to"],"_links":{"self":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1506","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/comments?post=1506"}],"version-history":[{"count":10,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1506\/revisions"}],"predecessor-version":[{"id":1518,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1506\/revisions\/1518"}],"wp:attachment":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/media?parent=1506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/categories?post=1506"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/tags?post=1506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}$ sudo apt-get install letsencrypt\r\nReading package lists... Done\r\nBuilding dependency tree\r\nReading state information... Done\r\nE: Unable to locate package letsencrypt<\/pre>\n
$ git clone https:\/\/github.com\/letsencrypt\/letsencrypt\r\n$ cd letsencrypt\r\n$ .\/letsencrypt-auto --help<\/pre>\n
$ .\/letsencrypt-auto --apache<\/pre>\n
$ .\/letsencrypt-auto --apache --domains lowtek.ca<\/pre>\n
$ .\/letsencrypt-auto renew<\/pre>\n