Adding SSL to a website sure is easier than I remember. I’ve been vaguely aware of the fact that free SSL certificates were now available from Let’s Encrypt. I’ve been spending most of the day geeking out with AWS server stuff so I decided now would be a good time to see what exactly is involved, and I was absolutely stunned at how easy the process is!
I started with an Ubuntu Server running Apache; no SSL configured at all. I pointed my browser at https://certbot.eff.org/. It gives you a couple of big, friendly drop-down menus where you specify the web server software and OS you are using, and it redirects you to a page of step-by-step instructions.
If you are at all familiar with working at the command line, the process could not be much simpler. Following are the steps I took for Apache on Ubuntu Server, but I assume the process will vary depending on your environment.
On my server, I ran the command wget https://dl.eff.org/certbot-auto to get the software that bootstraps the process. Once it downloaded, I ran chmod a+x certbot-auto to make the file executable, and then ./certbot-auto to kick it off.
At this point, certbot used apt to download all the package dependencies. Since I had a simple, bare-bones Apache configuration, it gave me the following dialog in a text interface:
No names were found in your configuration files. You should specify ServerNames in your config files in order to allow for accurate installation of your certificate. If you do use the default vhost, you may specify the name manually. Would you like to continue?
Being the slacker that I am, I naturally opted for the path of least resistance, and answered affirmatively. Then it presented another dialog:
Please enter in your domain name(s) (comma and/or space separated)
Simple enough. I entered my domain and then:
Please enter email address (used for urgent notices and lost key recovery)
After entering my email address, it provided me with a dialog to agree with the TOS.
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory
Who am I to argue? I agreed, and then got:
Please choose whether HTTPS access is required or optional.
Easy – Allow both HTTP and HTTPS access to these sites
Secure – Make all requests redirect to secure HTTPS access
Nice! It even gives you the option of configuring your server so that non-secure requests are redirected to https. Yes, please!
After a bit more churning:
Congratulations! You have successfully enabled https://ericasberry.com
You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=ericasberry.com
That was it! Didn’t even have to restart apache (I presume it did that for me in the background). I went ahead and verified the configuration as suggested, and my site is now A-rated! That’s more than I can say for chase.com, which currently only rates a measly B grade. Take that, mega bank!
The only catch seems to be that the certificates are only good for 90 days. But it looks like all you have to do is set up a cron job to run “certbot-auto renew” every 3 months to take care of that. Since I just set it up, I haven’t tried that step, but I’ll try to remember to update this post when the time comes.