The advent of Let’s Encrypt means that there is no real excuse to not have SSL/TLS encryption enabled on your website. Now I do on my Ghost properties As someone who has long run his own websites, first with managed hosting, and now with VPS instantiations, I have wanted to take the SSL/TLS plunge. But, as a hobbyist, the cost to go HTTPS has just been a burden that I couldn’t justify. Sure, I can handle a half dozen VPS’s on Digital Ocean, as the bandwidth is modest, and I have yet to make a big splash (hit wise), it is truly a hobby. Registering a certificate with a top tier authority, for a simple website, was $120+ per year. So I lived with the unencrypted http protocol.
That has changed. With the advent of Let’s Encrypt, there really is a viable, free (as in beer) way to encrypt your web traffic to and from your server. For my two domains that are currently running Ghost blogs, there happens to be a handy tutorial, again over at Digital Ocean that pretty much walks you through it step by step. (Yes, there is also a tutorial for WordPress running on Apache2)
I did this first on this domain, paranoidprogrammers, as it is my “test bed,” meaning that if I fuck it up, I won’t cry a river, I will just restore from a backup and move on.
Of course, I did it half assed (more on that later), but it worked reasonably well, and I learnt a couple of important lessons.
- If you want a “clean” https connection (i.e. you get the “green” prefix in Google Chrome) you need to make sure that all the elements that are rendered are pulled from their sources via https://. As I host all my images/header images via Cloudinary, that meant that I needed to painstakingly go through every post, every header image link and change them to https:// from http:// Ugh.
- If you screw up the creation of the original certificate (I requested a certificate only for the tld, not the tld + www.tld) you will get a really annoying error for some browsers that care. As in the www.paranoidprogrammers.com will be protected, but as the certificate will not say www.paranoidprogrammers.com, it throws a warning. I did fix this, but it was a bit painful.
- Don’t forget to restart nginx when you update your certificates. After I re-created and added the www.paranoidprogrammers.com to the certificates, it frustrated me that I still got that error on the www.paranoidprogrammers.com (and since Apple’s Safari browser seems to only want to use the www prefix, it was maddening). Of course a simple “service nginx restart” fixed that, after about 10 minutes of beating myself up.
- If you have cloudflare as your CDN/DNS you are gonna have a bad time. Yes, it will setup and appear to work. But when you are done, you will get into a redirect loop, and eventually your browser tosses in the towel. Turns out that the redirection of Cloudlflare prevents the verification and passing of the certs (which seems obvious in retrospect), and thus you will not ever be able to reach your server. Turn it off, and re-create the certificates, and all is well (yes, the tutorial warned me of this eventuality). I guess I will live without Cloudflare protection on this domain for now.
For my other domain, where there was a lot of image links throughout the site, posts, pages, and elements in the template, it took me a good 8 hours to find and fix them. There being one that really took a LOT to find. Fortunately Google’s Chrome has an excellent tool to identify elements that aren’t served via https:. That little “info” icon to the left of the address was a lifesaver.
The revelations of Edward Snowden raised the issue with using unencrypted http protocols for browsing. The advent of Let’s Encrypt has brought the ability to safely, securely, and easily to encrypt the traffic to and from your server/droplet/vps. There are no excuses to not take advantage of this, for if I can do it, so can you!