Google recently updated the Chrome browser to mark all non-https websites as "Not secure". In addition, Google now ranks https-enabled websites favorably in search results.
It is a no-brainer for developers to upgrade their websites and web apps to https as soon as possible: not only is it more secure, it also gives your visitors confidence when they enter private information on your website.
Now you may be thinking that adding SSL is going to be hard and expensive; after all, it involves changing your server configuration, and you could easily mess it up! In fact, it's the opposite: the process can be done in less than 10 minutes with the help of a FREE certificate authority called Let's Encrypt. Taken from their about page:
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
- Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
In this tutorial, I'm going to walk you through the process of setting up SSL for a domain name in as little as 10 minutes!
I'll be using Certbot to make this process extremely simple. The instructions here apply to Nginx on an Ubuntu 14.04 server, but you can get instructions specific to your system from Certbot.
Install Certbot Command Line Tool
We need to install the Certbot command line tool first; be sure you have sudo access:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
Once you have the command line tool set up, you’re ready to add some certs.
Now, if you have a single nginx configuration for a single website on your server, you can use the following command to obtain a certificate and update your nginx configuration at the same time:
sudo certbot --nginx
and if you only want to obtain the certificate and edit your nginx configuration file manually, you can run:
sudo certbot --nginx certonly
For the sake of this tutorial, I'm going to assume you have MULTIPLE nginx configurations for different sites set up on a single server.
Let's say the name of the website is website.com; then you would run the following command (certbot is the current name of the tool; the older letsencrypt command is just an alias for it):
sudo certbot certonly -a webroot --webroot-path=/usr/share/nginx/website.com/ -d website.com
assuming your web root is located at /usr/share/nginx/website.com. This will obtain a certificate for this domain from Let's Encrypt, using the webroot method: certbot places a validation file under /.well-known/acme-challenge/ in that directory, and Let's Encrypt fetches it over http to prove you control the domain.
Now that we have our certificate, we need to edit the nginx configuration for that site. Open your configuration file; in this case it's located at /etc/nginx/sites-available/website.com:
server {
    listen 80;
    listen [::]:80;
    # the bare domain is listed explicitly: *.website.com alone does not match
    # website.com, and http://website.com would fall through to the default server
    server_name website.com www.website.com *.website.com;
    return 301 https://$host$request_uri;
    root /usr/share/nginx/website.com;
}

server {
    # note that the certificate requested above covers only website.com;
    # request it with an extra -d www.website.com if www should work over https
    server_name website.com;
    listen 443 ssl;
    listen [::]:443 ssl;
    root /usr/share/nginx/website.com;
    index index.php index.html index.htm;
    ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem;
}
This configuration tells nginx to redirect all traffic from standard http to https, and to handle all ssl traffic (port 443 by default) with the certificate chain at /etc/letsencrypt/live/website.com/fullchain.pem and the private key at /etc/letsencrypt/live/website.com/privkey.pem.
Make sure the configuration is valid by running the nginx -t command, and finally restart nginx with:
service nginx restart
Head over to your website, refresh, and TADA! https!
No Green Lock?
If you're missing the green padlock icon in the browser address bar, it's because some resources on your website are still loaded over http. This is crucial for the lock: you cannot have any resource (css, javascript, images, etc.) loaded over http, so you may need to edit your source code to make every resource use https. A good tool I use to audit a website for bad resources is WhyNoPadLock, or you can use your browser's developer console to check the list of warnings.
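For an offline first pass before reaching for WhyNoPadLock, the following is an added example (not from the original post, and not a Certbot or Let's Encrypt tool) that greps local HTML and CSS files for resource references that still use plain http://. The sample markup it writes is constructed for the demonstration; the file names and the audit_mixed_content helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a quick offline mixed-content audit.
# It lists every subresource reference that still points at a plain http:// URL,
# which is exactly what costs a page its padlock.

# find_http_refs FILE...: print FILE:LINE:MATCH for each http:// resource reference.
# Only subresources count: src= (script, img, iframe), href= on <link>, and url(...)
# in CSS. A plain <a href="http://..."> navigation link does not cause mixed
# content, so it is deliberately not matched.
find_http_refs() {
    grep -HnEo 'src="http://[^"]*"|<link[^>]*href="http://[^"]*"|url\([^)]*http://[^)]*' "$@"
}

# count_http_refs FILE...: number of offending references, 0 when the files are clean.
count_http_refs() {
    find_http_refs "$@" | wc -l | tr -d ' '
}

# audit_mixed_content FILE...: exit status 0 when clean, 1 when something must be fixed.
audit_mixed_content() {
    n=$(count_http_refs "$@")
    if [ "$n" -eq 0 ]; then
        echo "clean: no http:// resources in $# file(s)"
        return 0
    fi
    echo "$n http:// resource reference(s) found:"
    find_http_refs "$@"
    return 1
}

# write_sample FILE: constructed page with three offending references (lines 1, 3
# and 5) and two harmless ones (an https script and an <a> navigation link).
write_sample() {
    cat > "$1" <<'EOF'
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/legacy.js"></script>
<a href="http://example.com/about">About us</a>
<style>.hero { background: url(http://cdn.example.com/hero.png) }</style>
EOF
}

# Stand-alone demo: audit the constructed sample and show what would need fixing.
sample=$(mktemp)
write_sample "$sample"
audit_mixed_content "$sample"
rm -f "$sample"
```

Run it against your real document root with audit_mixed_content /usr/share/nginx/website.com/*.html (or any list of files); a non-zero exit status makes it easy to wire into a pre-deploy check. Protocol-relative (//cdn...) and https:// references pass, as they should.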
Auto Renewal
The certificate granted by Let's Encrypt will expire in a few months. To avoid disrupting your website's service, you can set up a cron job to automatically renew the cert. The following command tests the renewal process end to end without actually replacing your certificate:
sudo certbot renew --dry-run
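Once the dry run succeeds, the actual cron entry is what keeps the site alive. The block below is an added example, not from the original post: it installs a crontab line idempotently (running the script twice never duplicates the entry) and uses certbot's --deploy-hook so nginx is reloaded only after a certificate was really renewed, and only if the configuration still passes nginx -t. The schedule, the use of service nginx reload (Ubuntu 14.04 style) and the assumption that your certbot is recent enough to support --deploy-hook are mine.

```shell
#!/bin/sh
# Added example, not from the original post: install an idempotent cron entry for
# automatic renewal. certbot renew only renews certificates that are close to
# expiry, so running it twice a day is cheap; --quiet keeps cron mail silent
# unless something fails. The deploy hook runs only when a certificate was
# actually renewed, so nginx picks up the new files exactly when they change.
CRON_LINE='17 3,15 * * * certbot renew --quiet --deploy-hook "nginx -t && service nginx reload"'

# ensure_line FILE LINE: append LINE to FILE unless an identical line already exists.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}

# count_line FILE LINE: how many exact copies of LINE are in FILE (0 if none).
count_line() {
    grep -cxF -- "$2" "$1" 2>/dev/null || true
}

# render_crontab INPUT_FILE: print what the crontab would look like after
# ensure_line, without touching the real crontab. Useful for review.
render_crontab() {
    tmp=$(mktemp)
    cp "$1" "$tmp"
    ensure_line "$tmp" "$CRON_LINE"
    cat "$tmp"
    rm -f "$tmp"
}

# install_renewal_cron: apply ensure_line to the invoking user's real crontab
# (run as root, since certbot needs to write /etc/letsencrypt). Not called here.
install_renewal_cron() {
    tmp=$(mktemp)
    crontab -l 2>/dev/null > "$tmp" || true
    ensure_line "$tmp" "$CRON_LINE"
    crontab "$tmp"
    rm -f "$tmp"
}

# Stand-alone demo on a constructed crontab so nothing on the host is modified.
demo=$(mktemp)
printf '%s\n' '0 4 * * 0 /usr/local/bin/backup.sh' > "$demo"   # constructed existing entry
echo "crontab after install (applied twice, entry appears once):"
render_crontab "$demo" > /dev/null
render_crontab "$demo"
rm -f "$demo"
```

Because the hook is gated on nginx -t, a broken configuration edit cannot be turned into an outage by the renewal job; you will instead get a cron mail from certbot reporting the failed hook, which is the signal to go and look. Check the real result with sudo crontab -l after calling install_renewal_cron.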
You can also read more about the process here and here
Conclusion
I hope you find this tutorial useful; I am all for making the web fully https. Without it, the web would be a very insecure place. If you can't wait for this to happen, you may use the HTTPS Everywhere Chrome extension to force every website to redirect to https. Got a website switched to SSL after reading this tutorial? Let me know in the comments below!
If you enjoyed this tutorial, make sure to subscribe to our YouTube channel and follow us on Twitter @pentacodevids for the latest updates!