Let's Encrypt Launched!

Let's Encrypt was launched in beta mode a couple of days ago! Isn't it great? This might be a turning point in the history of HTTPS. From now on it indeed costs nothing. Congratulations to you all!

In the meanwhile I managed to try let's encrypt tool on my websites and figured out a bunch of tricks you might want to know too when switching to HTTPS for free with Let's Encrypt.

Basically the installation of Let's Encrypt certificate is very straightforward. It is described
here.

Let's Encrypt Logo

What the automated installer does is going into /etc/apache2/sites-available and creating an HTTPS copy of every site detected. There are some underwater stones on its way. Here I describe how to make things easier for the (great!) installer and finish up your migration to HTTPS gracefully.

Disclaimer On this web site you might read about or get access to various kinds of software and technology, including but not limited to libraries, operating systems, software for communications, mobile phones and tablets, Android software and Linux, even cars and motorcycles, security and penetration testing software, software used in security research and forensics, some samples of software which can be used (elsewhere) for malicious or illegal purposes. You will read about or be provided with the ways to change it, to operate it and to use it. You might find advice and recommendations, which are only an opinion, and not a legal advice or commercial recommendation..
Bear in mind, please, that everything you do, you do solely at your own risk and responsibility. In no way the author of this web site, information, graphics and other materials presented here or related to it can be made liable or anyhow else responsible for your own actions as well as actions of any third party and their direct or indirect results or consequences with or without the use of this information as well as the software, technology and systems mentioned and/or presented here, no matter if developed by the author or by any third party.
In no way it is guaranteed that you will meet any suitability for any particular purpose, safety, security, legality or even simply functioning of the software and systems described here. You have to make sure each time yourself, whether what you do, is really what you intend to do, and that you are ready to be yourself responsible for. All the recommendations and experiences described here are the opinions of corresponding authors and are to be taken with care and own full responsibility.
The software provided on or through this web site, linked to from this web site or anyhow else related to this web site is provided by the corresponding authors on their own terms. We provide all the software here as is without any guarantees to you. You are responsible for deciding whether it is suitable for you or not. You are also responsible for all direct or indirect consequences of using this software.
Other web sites linked to from the current one are out of the author's control, we can not guarantee anything about their content, its quality or even legality. We can not be liable for any use of the linked to web sites or of the information presented there.
We reasonably try to keep this website running smoothly and to deliver information to the best of our knowledge corresponding to the state of the art at the times when the information is composed, usually presented together with the information, and out of good intents. We can not however guarantee and can not be liable for this website being temporarily or permanently unavailable, presenting unreliable information or software, or any other similar or not malfunctioning or functioning not up to your expectations as well as any consequences which might result from this site's operation.

Existing Self-Signed Certificates

Many of you have already self-signed certificates on your (hobby-) sites and thus SSL versions of the configurations.

My advise would be to move the SSL-enabled site configurations away for a while when installing let's encrypt client. Once let's encrypt has done the job new SSL-enabled site configurations will be created. Modify them to correspond to your existing SSL-configured sites which you moved away after the installer has done the job.

Redirects to HTTPS

If you had already redirects from HTTP to HTTPS configured, make sure that the let's encrypt installer has not simply copied these redirects into the secured site configurations.

If so, your site will stop loading because of infinite redirect loop.

Tricks with HSTS

You could read more about HTTP Strict Transport Security (HSTS) here on Wikipedia, but what it essentially does is that it tells your browser to remember that your website works with HTTPS. This is done to prevent security downgrade attacks (or mistakes) which could lead to connecting to the website over HTTP once it is known that HTTPS is supported.

The trick is, that some browsers might accept HSTS rules for your main domain, like molotnikov.de in my case, and then refuse to work over HTTP with its subdomains, like dance.molotnikov.de.

To avoid this problem, make sure you migrate all of your subdomains at once to HTTPS.

The www Subdomain

When generating certificates, make sure to generate certs for the www.yoursite.com subdomain, since it is often used by the web server. If you have www subdomain active this is something you have to do. A simple test of the SSL settings for your website will reveal this detail among others: link to ssllabs.com.

To handle both your domains you could use this command:

cd letsencrypt
./letsencrypt-auto -d mydomain.com -d www.mydomain.com

Replace mydomain.com with your domain name.

Usually these commands are run with root privileges. This is not a must in principle to make use of let's encrypt. There is another let's encrypt client which works without sudo-ing.

Insecure Links to Resources

Together with reconfiguring Apache, you want to change the content as well to embed only secure links to the resources. Otherwise you (or, worse, your visitors) will face mixed content blocking warnings when visiting your website. Read more about it on the Mozilla website here.

Forefox displays mixed content warning

Essentially your clever browser will avoid insecure HTTP connections from the secure address you have in the address bar. These connections might include links to images, style sheets, scripts and other resources your site has to load. Update them to HTTPS to avoid mixed content blocking and related warnings.

A tricky part in this process might be http://... links in CSS. Make sure you update them to HTTPS too.

Web Console of Firefox is your friend in this scrutiny: it will show you which insecure connections were blocked



Afterword

Now let's wish Let's Encrypt a lot of success in the future, and hope that the unbelievable ease of use of let's encrypt automated client does not anyhow bring insecurities to our web servers and their visitors! :)

The future will show us, but right now HTTPS is definitely an upgrade to an HTTP-only website's security. So go ahead, it shouldn't take more than an hour of your time for a small website as long as you keep focused!



Thanks for reading my blog!
Created: 12/06/2015
Last edited on: 12/06/2015
Your comment: