Maybe not. Let's try and change this:
The certificate
These days you can get a 90-day certificate for free from Let’s Encrypt, which is news to me and the reason I thought I’d give this a go.
Main stumbling block removed.
Apache config for SSL
Ok, I can write this config myself. However, Let’s Encrypt has a magic tool which claims to do everything for me. Let’s find out.
git clone https://github.com/letsencrypt/letsencrypt letsencrypt
cd letsencrypt
./letsencrypt-auto --help
- It downloaded a python environment for me.
- It did a thing with root privileges courtesy of sudo. Probably shouldn't have used a window in which I’d previously sudo'd something. Oops.
Also, I'm guessing with letsencrypt-auto. It seems to pass flags to the letsencrypt script, which is buried somewhere. Turns out I am right. Great.
I have to agree with the T&Cs to register with the ACME server. Aside from the obvious (here it is the Automated Certificate Management Environment, the protocol the client speaks to the CA), ACME seems to mean Advisory Committee on Mathematics Education, which I don’t think is relevant here, so clearly I am getting a cert from the same people who supply anvils to Wile E. Coyote.
Seems legit. Let’s do this.
Still not finding my domain. Is it … confused by the number of domains? Nope, it doesn’t like files containing multiple vhosts. Oh. Reconfiguration time.
Ok, updated. Now time to fire this baby up. The original command now finds all the domains. Go! What could go wrong?
Minor problem - apparently I'm loading my fonts over an insecure connection.
For those of you not up to speed with the arcane art of reading browser URL bars: the shield is gone, which means the browser is no longer blocking assets (mixed content) that a secure page tried to load over an insecure connection.
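Finding the insecure assets by hand means reading the console one warning at a time. The following is an added example, not part of the original post: a small script that greps a site's HTML and CSS for the asset references a browser would fetch over plain http. The sample site it builds is constructed for the demonstration, and the regex is deliberately narrow (src=, link href= and CSS url()), so an ordinary <a href> to an http page is not reported, because navigation is not mixed content.

```shell
#!/bin/sh
# Added example, not part of the original post: list the assets a page would
# fetch over plain http, i.e. the mixed content behind the browser's shield.
# It looks at src=, <link ... href= and CSS url() targets, and deliberately
# ignores ordinary <a href> links, which are navigation, not mixed content.

# Print file:line:match for every insecure asset reference under directory $1.
# Exit status is grep's: 0 if something was found, 1 if the tree is clean.
find_mixed_content() {
    grep -rnoE "(<link[^>]*href|src)=[\"']http://[^\"']+|url\([\"']?http://[^)\"']+" "$1"
}

# Constructed sample site: one insecure stylesheet, one insecure font, one
# secure script and one plain link that must not be reported.
make_sample_site() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/index.html" <<'EOF'
<link rel="stylesheet" href="http://fonts.example.test/font.css">
<script src="https://cdn.example.test/app.js"></script>
<a href="http://blog.example.test/">a link to an http page is not mixed content</a>
EOF
    cat > "$dir/site.css" <<'EOF'
@font-face { font-family: Demo; src: url(http://fonts.example.test/demo.woff); }
EOF
}

# Count the findings so the result is easy to check in a deploy script.
count_mixed_content() {
    find_mixed_content "$1" | wc -l | tr -d ' '
}

# Usage: sh mixed.sh demo
if [ "${1:-}" = "demo" ]; then
    make_sample_site /tmp/mixed-demo
    find_mixed_content /tmp/mixed-demo
fi
```

Run it against the document root after each change to the templates; a clean tree returns exit status 1 from grep, which is the convenient value for a pre-deploy check.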
These certs expire in 90 days so time for a simple cron.
Docs recommend checking daily, so that should keep things up to date. And potentially fill the filesystem. Meh.
@daily /letsencrypt/letsencrypt-auto renew >> /letsencrypt/logs/renew.log 2>&1
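The one-liner above only runs the client. Two things a practitioner wants around it: a way to see how close the live certificate is to expiry (so a silently failing cron job is noticed before day 90), and an Apache reload when a renewal actually happened, since renew writes new files but Apache keeps serving the old certificate until it is reloaded. The script below is an added example, not the post's own; the client path, the live certificate path and the domain example.test are assumptions, and the self-signed certificate it builds is constructed test input.

```shell
#!/bin/sh
# Added example, not the post's own script: a renewal wrapper for the daily
# cron job plus a helper to check how close a certificate is to expiry.
# The client path, the live certificate path and the domain are assumptions.

# Exit 0 if the certificate in $1 expires within $2 days (or cannot be read),
# 1 if it stays valid beyond that window. openssl does the date arithmetic,
# so no GNU date is needed.
cert_due_for_renewal() {
    cert="$1"
    days="$2"
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# SHA-256 fingerprint of the certificate in $1, used to detect a replacement.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null
}

# Run the client's renew command, then reload Apache only if the live
# certificate actually changed: renew writes new files, but Apache keeps
# serving the old certificate from memory until it is reloaded.
renew_and_reload() {
    live_cert="${LIVE_CERT:-/etc/letsencrypt/live/example.test/fullchain.pem}"
    client="${LE_CLIENT:-/letsencrypt/letsencrypt-auto}"
    before=$(cert_fingerprint "$live_cert")
    "$client" renew || return 1
    after=$(cert_fingerprint "$live_cert")
    if [ "$before" != "$after" ]; then
        apachectl graceful
    fi
}

# Constructed test input: a throwaway self-signed certificate valid $2 days.
make_demo_cert() {
    out="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days "$days" -keyout "${out%.pem}.key" -out "$out" >/dev/null 2>&1
}

# Usage: sh renew.sh demo
if [ "${1:-}" = "demo" ]; then
    make_demo_cert /tmp/demo.pem 30
    if cert_due_for_renewal /tmp/demo.pem 45; then
        echo "demo cert expires within 45 days: renewal due"
    fi
fi
```

Point the cron job at renew_and_reload instead of the bare renew, and run cert_due_for_renewal with a window of, say, 20 days from a separate monitoring check: the certificates are valid for 90 days and the client only renews when they are close to expiry, so a certificate inside that window is a sign the cron job has stopped working.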
So, my site is available over a secure connection. Hurrah! The “ensure all connections” setting seems to have set up a basic redirect, which is good, although I'm going to have to add the HSTS headers myself and hope that doesn't get toasted when I next run one of these scripts. Renew seems to behave though.
HSTS
HSTS removes a vulnerable step when moving from an insecure to a secure connection. Without it every visit starts with a plain http request that is only then redirected to https, and that first request can be intercepted or have the redirect stripped out; once the browser has cached the header it goes straight to https on later visits. Details on the magic can be seen on the OWASP site.
The important bit of Apache magic is a single Header directive setting Strict-Transport-Security, which is stuck into the https vhosts (browsers ignore the header when it arrives over plain http) and requires mod_headers enabled.
Testing this was a world of fun. I'd recommend disabling the cache (in the dev tools), using a plugin to inspect the headers (I like Live HTTP Headers), and making liberal use of this secret page to check the status of the HSTS settings. This is all in Chrome.
Tidying up
It seems only the automagic script doesn't like my old Apache config. Now it’s all set up I can put everything back in the same file.
So now I am handling four different connections in the same file:
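As an added example (not the author's config, which the post does not reproduce), here is the shape of that single file, together with the HSTS directive from the previous section. The post does not say which four connections they are, so this assumes http and https for both the bare name and www, with all http traffic and the www name redirected to https://$domain/. The certificate paths are the ones the Let's Encrypt client writes under /etc/letsencrypt/live (the certificate has to cover both names, since TLS is negotiated before the www redirect is sent); the DocumentRoot and the HSTS max-age are assumptions. The config is rendered from a shell function so a deploy script can sanity-check it before reloading Apache.

```shell
#!/bin/sh
# Added example, not the post's own config: render the four vhosts into one
# file. The post does not list the four, so this assumes http and https for
# both the bare name and www, with all http traffic and the www name
# redirected to https://$domain/. The certificate paths are the ones the
# Let's Encrypt client writes under /etc/letsencrypt/live (the cert must
# cover both names); DocumentRoot and the HSTS max-age are assumptions.
render_vhosts() {
    domain="$1"
    # Browsers cache HSTS for max-age seconds, so keep it short while
    # testing and raise it (e.g. to a year, 31536000) once the https site
    # is known to work for every host name.
    max_age="${2:-300}"
    cat <<EOF
# http vhosts: redirect only. No content, no HSTS (browsers ignore the
# header over http anyway).
<VirtualHost *:80>
    ServerName $domain
    Redirect permanent / https://$domain/
</VirtualHost>

<VirtualHost *:80>
    ServerName www.$domain
    Redirect permanent / https://$domain/
</VirtualHost>

# https for www: terminate TLS, set HSTS, send the visitor to the bare name.
<VirtualHost *:443>
    ServerName www.$domain
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem
    Header always set Strict-Transport-Security "max-age=$max_age; includeSubDomains"
    Redirect permanent / https://$domain/
</VirtualHost>

# https for the bare name: the only vhost that serves content.
<VirtualHost *:443>
    ServerName $domain
    DocumentRoot /var/www/$domain
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem
    # Needs mod_headers; "always" also covers error responses.
    Header always set Strict-Transport-Security "max-age=$max_age; includeSubDomains"
</VirtualHost>
EOF
}

# Checks a deploy script can run before reloading Apache.
count_vhosts() { render_vhosts "$1" | grep -c '^<VirtualHost'; }
count_hsts()   { render_vhosts "$1" | grep -c 'Strict-Transport-Security'; }
# Exit 0 if an HSTS header leaked into a port-80 vhost, 1 if not.
hsts_in_http_vhost() {
    render_vhosts "$1" | awk '
        /<VirtualHost \*:80>/  { in_http = 1 }
        /<\/VirtualHost>/      { in_http = 0 }
        in_http && /Strict-Transport-Security/ { found = 1 }
        END { exit !found }'
}

# Usage: sh vhosts.sh demo > /etc/apache2/sites-available/example.test.conf
if [ "${1:-}" = "demo" ]; then
    render_vhosts example.test
fi
```

After writing the file and reloading, confirm the header with curl -sI https://example.test/ | grep -i strict-transport-security, and confirm that a plain http request gets only the redirect and no HSTS header; only then raise max-age, because a bad policy with a long max-age stays cached in visitors' browsers until it expires.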
HPKP (HTTP Public Key Pinning)
Yeah, that can wait.
Overall though, this was not the trial I expected. Getting a cert is now really easy. The only parts that required any real thought were figuring out how to arrange my Apache config and checking the HSTS headers were being set correctly.
No excuses any more! Best do the others.