post

Let’s Encrypt is a new Certificate Authority that it’s not only free, but also aims to make secure sites easy to implement with an automated process to generate, install and renew SSL certificates. This process uses a script that runs on your server, and makes a few assumptions about your settings to be able to finish. I started the process following this tutorial from Digital Ocean Community area.

I followed the instructions, I got the dialog to configure the certificate details and added all the information it was asking for, the certificate files were generated and saved where they were supposed to, and then I got a notification saying everything worked out.

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domain.com/fullchain.pem.

At this point, the tutorial says

You should now be able to access your website using a https prefix.

I’m sure for many websites this is enough, except my site wouldn’t work using the HTTPS prefix.

There’s more to it

There are a few things this tutorial doesn’t tell you. For example it doesn’t say that the script will try to modify the vhost file for the domain you’re creating the certificate for. And I say try because if there is more than one vhost file the script fails to pick the correct one. At least that’s what happened to me, as I have this file for the main site and a couple of other files for subdomains I use for testing.

After Googling for a while, I found a post explaining how to make the changes manually to the vhost file to atcually put the site under HTTPS once the certificate has been generated.

This is achieved by copying your domain’s vhost file to a new domain.com-ssl.conf file and making the following:

# Be sure to use your server's real IP address
<VirtualHost 0.0.0.0:80>
    ServerName domain.com
    ServerAlias www.domain.com
    DocumentRoot /home/user/domain.com/www
    <Directory /home/user/domain.com/www>
        Require all granted
        AllowOverride All
    </Directory>
    CustomLog /var/log/apache2/domain.com.log combined
</VirtualHost>

Look like this:

# Be sure to use your server's real IP address
<VirtualHost 0.0.0.0:443>
    ServerName domain.com
    ServerAlias www.domain.com
    DocumentRoot /home/user/domain.com/www
    <Directory /home/user/domain.com/www>
        Require all granted
        AllowOverride All
    </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domain.com/fullchain.pem
    CustomLog /var/log/apache2/domain.com.log combined
</VirtualHost>

And then activating the new configuration in Apache:

sudo a2ensite domain.com-ssl.conf
sudo service apache2 restart

Also…

The post doesn’t say anything about making changes in your application or website. I understand it can’t cover all systems and possibilities, but not mentioning anything at all can confusing for some users. In my case, I knew beforehand I had to change some settings on Statamic config files to generate links pointing to https, and I also had to add the following lines to my .htaccess file:

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,NC,R=301]

Which redirects all requests made to the non secure site to its equivalent in the HTTPS version.

So, make sure you take into account that you may have to make similar changes in your site in order to get it to work properly under HTTPS.

Finally

It’s a good idea to read the whole post, comments and relevant information before attempting to make the changes, so you have a better view of what’s going to happen and ensure you can complete all the steps.

Now go secure your site.

Previous article

Comments

blog comments powered by Disqus