Well, I have most of the Pelleys.com web sites migrated to TLS certificates. (I want to say SSL but “SSL” is obsolete.) I have actually wanted to do this for some time but I did not want to pay for the privilege. However, on October 8, 2016, Google announced on the Google Security Blog that “(b)eginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure” and that “(e)ventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.” So, I decided to get my arse into gear and do something about it.
A quick web search led me to Let’s Encrypt which is a “free, automated, and open” certificate authority. The list of current sponsors for Let’s Encrypt is quite impressive including Mozilla, Akamai, Cisco, Chrome and (of course) the EFF. The documentation is pretty good but, as Let’s Encrypt notes, this is beta so…
The biggest problem I had is likely related to the fact that www.pelleys.com, blog.pelleys.com and wx.pelleys.com have been migrated one to many times between various versions of CentOS and Apache and my config files are, to be charitable, a mess. After some messing around I determined that when using VirtualHost what seems to work for me was for each individual VirtualHost I had to use:
<path>/certbot-auto -d full_fqdn_virtualhost -d full_fqdn_virtualhost
Maybe (likely?) I missed that in the many examples but if someone finds this useful – Great!
The only thing that I that Let’s Encrypt is lacking, from my perspective, is that:
- It is *nix-centric – not a big issues since I use Ubuntu and CentOS; and
- I have yet to determine how to put the Let’s Encrypt certificates on a firewall (e.g., for SSL-VPN connections). This may be likely, in my opinion, that those using SSL-VPN connections are businesses not home geeks like me 🙂 I will keep digging. If I find out something I will post it.
The other bit is that if you are using WordPress – you likely noted that I do since you are reading this post 🙂 – that once you upgrade the at the web server level (e.g., Apache) the site will still be “broken” since the inpage links to graphics, etc., are listed as HTTP instead of HTTPS. To fix this install the Really Simple SSL plugin for WordPress and follow the instructions.