Moving to TLS Connections

Well, I have most of the web sites migrated to TLS certificates. (I want to say SSL but “SSL” is obsolete.) I have actually wanted to do this for some time but I did not want to pay for the privilege. However, on October 8, 2016, Google announced on the Google Security Blog that “(b)eginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure” and that “(e)ventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.” So, I decided to get my arse into gear and do something about it.


A quick web search led me to Let’s Encrypt which is a “free, automated, and open” certificate authority. The list of current sponsors for Let’s Encrypt is quite impressive including Mozilla, Akamai, Cisco, Chrome and (of course) the EFF. The documentation is pretty good but, as Let’s Encrypt notes, this is beta so…

The biggest problem I had is likely related to the fact that, and have been migrated one too many times between various versions of CentOS and Apache, and my config files are, to be charitable, a mess. After some messing around I determined that, when using VirtualHost, what worked for me was to run the following for each individual VirtualHost:

<path>/certbot-auto -d full_fqdn_virtualhost -d full_fqdn_virtualhost

Maybe (likely?) I missed that in the many examples but if someone finds this useful – Great!
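Since the per-VirtualHost command above has to list every hostname that VirtualHost answers to, here is an added helper (not from the post) that reads an Apache config and prints one such certbot-auto command per VirtualHost block, taking the names from ServerName and ServerAlias. It goes a little beyond the post by handling several VirtualHost blocks in one file; the config, hostnames and /opt/certbot path below are constructed placeholders.

```shell
#!/bin/sh
# Print one "<path>/certbot-auto -d name [-d name ...]" line per <VirtualHost> block.
# $1 = directory holding certbot-auto, $2 = Apache config file.
# Names are de-duplicated per block; a scheme prefix and ":port" suffix are
# stripped; wildcard aliases are skipped because HTTP-01 cannot validate them.
certbot_commands() {
    awk -v prefix="$1" '
        /^[[:space:]]*<VirtualHost/ { blk++; out = ""; inblock = 1 }
        inblock && (tolower($1) == "servername" || tolower($1) == "serveralias") {
            for (i = 2; i <= NF; i++) {
                name = $i
                sub(/^[a-z]+:\/\//, "", name)   # e.g. "https://host" -> "host"
                sub(/:[0-9]+$/, "", name)       # e.g. "host:443" -> "host"
                if (name ~ /\*/) continue       # wildcard: not usable here
                if ((blk, name) in seen) continue
                seen[blk, name] = 1
                out = out " -d " name
            }
        }
        /^[[:space:]]*<\/VirtualHost>/ {
            if (out != "") print prefix "/certbot-auto" out
            inblock = 0
        }
    ' "$2"
}

# Constructed sample config (placeholder hostnames) so the helper runs offline.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com example.com
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost *:80>
    ServerName https://blog.example.net:443
    ServerAlias *.blog.example.net
    DocumentRoot /var/www/blog
</VirtualHost>
EOF

certbot_commands /opt/certbot "$SAMPLE_CONF"
```

Review the printed commands before running them; a name that Apache serves but whose DNS does not point at this host will fail validation and abort the whole request.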

The only things that I think Let’s Encrypt is lacking, from my perspective, are that:

  1. It is *nix-centric – not a big issue since I use Ubuntu and CentOS; and
  2. I have yet to determine how to put the Let’s Encrypt certificates on a firewall (e.g., for SSL-VPN connections). This is likely because, in my opinion, those using SSL-VPN connections are businesses, not home geeks like me 🙂 I will keep digging. If I find out something I will post it.

The other bit is that if you are using WordPress – you likely noted that I do since you are reading this post 🙂 – once you switch to HTTPS at the web server level (e.g., Apache) the site will still look “broken”, since the in-page links to graphics, etc., still point at HTTP instead of HTTPS and the browser treats those as mixed content. To fix this, install the Really Simple SSL plugin for WordPress and follow the instructions.

About Mike Pelley

Let’s see… A little about me… I’ve been around information technology since 1983 with computers such as DEC Rainbows (weird machine – the standard DOS couldn’t format its own floppy disks – remember them? – and I had to format them on a friend’s IBM PC) to Radio Shack TRS-80 to Apple ][e and Apple //c in the beginning. I have programmed in 8-bit assembly language on 6502, FORTRAN and COBOL on IBM System/370 (and I still hate JCL), VAX BASIC and COBOL (and a weird and massive WordPerfect 4.0 macro) on DEC VMS (Alpha), C/C++ on Digital Unix (ALPHA), and C/C++, Perl (it may be powerful but I still hate it), PHP on Linux (Red Hat, CentOS, Ubuntu, etc.). I have worked with databases such as Digital RDB (later to become Oracle RDB), Oracle DBMS, Microsoft SQL Server, MySQL and PostgreSQL on VAX, Alpha, Sun and Intel. Check out my professional profile and connect with me on LinkedIn. See, I still think that Digital created some of the best ideas in the world: VAX clustering, DSSI disks (forerunner to SCSI) and the Alpha processor (first commercial 64-bit processor – Red Hat screamed on an Alpha!). DEC just could not seem to be able to give air conditioners away to someone lost in the Sahara Desert! VMware is one of the best ways to get the most out of an x64 server. And I have tried Oracle VM, VirtualBox and Microsoft Virtual Server. Outside of that I am a huge military history buff starting in the early 20th century. I love Ford Mustangs (my ’87 Mustang GT was awesome) and if I had the money I would have a Porsche 928S4. If I had a lot of money I would have a Porsche 911 Turbo. I also play too much Arma 3 Exile mod. Over 5,000+ hours... I have a wonderful son, Cameron. I have a long-suffering (Do you really need all that computer junk?) wife, Paula. I live in Paradise, Newfoundland and Labrador.