How to setup FREE HTTPS for your website -- including a free CA certificate

**GET YOUR SETTINGS REVIEWED BY AN EXPERT BEFORE YOU GO LIVE**


You will find a lot of information in bits and pieces all over the Internet, too much technical jargon peppered all over. If you do not know how https works, do not worry. It is not hard to setup https. Lets say the https setup encrypts stuff between browser and the website and move on to set up https for your website. The keys are a couple of files needed to encrypt your website and these keys need to be signed by CA or the certificate authority in order for browsers to recognise that traffic is properly encrypted. I will use nginx web server and centos7 operating system to show how https can be setup. If you use a different webserver like apache or os like ubuntu look up corresponding instructions elsewhere. So here go the steps:

1. Get a free CA signed certificate
2. Update your web server to use the certificates and enable https
3. Setup certificate renewal and optimize and secure your https website

1. Get a free CA signed certificate
Yes! you can get free CA certificate which is valid for 90 days and setup auto renewal. You can get the certificate here or even better use a tool to validate your domain and copy keys to your host.

So you can use this which generates the letsencrypt key for you https://www.sslforfree.com/ or you can use:
sudo yum install certbot
certbot certonly --webroot -w /usr/share/nginx/html -d example.com -d www.example.com

where /usr/share/nginx/html is the folder where your website sits. If your website is in a different folder change all occurrence of /usr/share/nginx/html with the correct folder path. example.com id your website name.
You may endup with a host validation error. This could be because your server isnt setup to allow access to some folders that certbot requires. Add the following to /etc/nginx/nginx.conf file after (below) existing "location / {}"

location ^~ /.well-known/acme-challenge/ {
     default_type "text/plain";
     root /usr/share/nginx/html;
}

You may have to create /usr/share/nginx/html/.well-known/acme-challenge
Then do the following to load new settings and rerun certbot command above (with your changes). 
nginx -s reload 

The output will be bunch of files:
[root@li851-111 nginx]# ls /etc/letsencrypt/live/example.com
cert.pem  chain.pem  fullchain.pem  privkey.pem 
Now you have the CA certified files. 

2. Update your web server to use the certificates and enable HTTPS
Now that you have the certificates, you can start enabling https for your website. Uncomment the TLS section of the /etc/nginx/nginx.conf after the line: # Settings for a TLS enabled server.

The setting looks something similar to below: you should add your key path to ssl_certificate and ssl_certificate_key

# Settings for a TLS enabled server.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
           ssl on;         
ssl_certificate "/etc/letsencrypt/live/example.com/cert.pem";
        ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout  120m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
            location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Then reload the web server: nginx -s reload

3. Setup certificate renewal and optimize and secure your https website
The certbot tool can request a renewal. So all we need to do is to setup a cron job to request renewal every 3 months (90 days) as letsencrypt certificates expire after 90 days.  You can replace 13 in below command by current date -1 so the renew happens on 89th day. 
certbot 0 0 13 * * certbot renew --quiet renew
Now follow the steps here to either optimize redirect http to https or disable it: https://bjornjohansen.no/redirect-to-https-with-nginx and https://bjornjohansen.no/optimizing-https-nginx
Now try https://example.com

References:
  1. https://certbot.eff.org/#centosrhel7-nginx
  2. https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622
  3. https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/
  4. https://www.digicert.com/ssl-certificate-installation-nginx.htm
  5. https://bjornjohansen.no/optimizing-https-nginx
  6. https://letsencrypt.org/

Comments

Post a Comment

Popular posts from this blog

How To Manage Contacts in Outlook

Sun's ceo calls it Lookout! But many use it including me. Managing contacts in Outlook is tricky. Here are few things I do when I move. By default all email ids are recorded in a file called Outlook.NK2 which is, by generocity of Microsoft, hidden. These are used to auto fill when we type an emil id. These are not stored in the address book. Its default location is: C:\Documents and Settings\ \ Application Data \Microsoft\Outlook\Outlook.NK2 is your user login id on the computer. Application Data is a folder that is hidden from view. Go to Tools->View and select Show Hidden files. When I move, I copy/backup this file. When I setup outlook on new machine, I zimbly copy the backup file to the default location in the new machine. Address book is a sacred thing. Mine is mostly empty! To manage autofill email address we can use a freeware availale online. It is called NK2View (Download).
Read more

Pageant for Mac - Using Jump Server on Mac

Image
If you use putty on windows, you probably used pageant to store multiple keys, ssh to jump server and then ssh to your work machine. If you ended up on Mac for some reason and you have a production situation, there is no reason to panic. Mac systems have Keychain - a software that manages your keys including ssh keys. There are 3 steps to use it for jumping . 1. Add your ssh keys to Keychain. 2. Create an ssh  config file to access jump terminal 3. Agent forwarding 1. Adding keys If you had ppk/putty keys you need to convert them. If you have ssh keys then you can add them without converting. I had puttygen on my mac. If you were using Windows machine, you can convert ppk keys to ssh key on Windows and then add on Mac. I had two keys - if you have only one that is fine. puttygen user_rsa.ppk -O private-openssh -o user_rsa.key puttygen jump.ppk -O private-openssh -o jump.key If a window pops up then DO NOT hit generate key.  1. Load your private ke
Read more

Using Regular Expressions for Program Transformation

I have been investigating the problem of practical code transformation to deal with small changes that have to be made across a large collection of programs in different programming languages . So the problem is not to transform a program entirely but doing small transformations to a large set of programs that too when we have C, Perl, Java etc source programs in that set. This has practical application in software development, code refactoring and testing. A lot of cost savings in software testing is possible if test the suits are well maintained and are automagically transformed using some method. I used a method and published findings on ip.com  which is rather a full system explanation of what I described here in 2011  There are some interesting obstacles to transforming programs. I will try to explain as well as understand some of them through this post. When we want to transform a set of programs in different languages what we are dealing with is a bunch of Context Free
Read more