
How do LetsEncrypt free HTTPS / SSL certificates work? – CloudSavvy IT



  Let's Encrypt.

Let's Encrypt issues free SSL certificates, which are used to secure and encrypt traffic on your website and give you the green padlock in the URL bar. Without one, you're stuck with HTTP, which isn't very secure.

What is an HTTPS / SSL certificate?

When someone connects to your website, that person's browser asks your server to identify itself, making sure no one is sitting in the middle of the connection. It does this with an SSL certificate, which is issued to you by a Certificate Authority (CA).

The CA records your domain name and associates it with your public key, which is used for encryption. Anyone connecting to your website can check that your traffic is encrypted with the key named in the certificate, so you must be who you say you are. As long as everyone trusts the CA, no malicious party can forge new SSL certificates, because they are signed by the CA and can only be issued by it.
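To make the trust model above concrete, here is an added example (not code from the CloudSavvy article or from Let's Encrypt) that uses openssl to build a throwaway CA, issue a server certificate signed by it, and then verify that certificate the way a browser would. It also issues a certificate from a second, unknown CA to show that a certificate not signed by a trusted CA fails verification. The CA names, the domain example.test and the working directory are constructed for the example.

```shell
#!/bin/sh
# Added example: a private CA and two server certificates, checked with
# "openssl verify" against the one CA we choose to trust.
# All names (trusted-ca, rogue-ca, example.test) are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a CA: a private key plus a self-signed certificate that acts as the trust root.
make_ca() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Issue a server certificate for $domain, signed by the CA named $ca.
issue_cert() {
    ca="$1"; domain="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$domain" \
        -keyout "$WORK/$domain.key" -out "$WORK/$domain.csr" >/dev/null 2>&1
    openssl x509 -req -days 90 -sha256 \
        -in "$WORK/$domain.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -out "$WORK/$domain.crt" >/dev/null 2>&1
}

# What a browser does: check the server certificate's signature chain against
# the CA it trusts. Prints "trusted" or "untrusted" and returns 0 or 1.
verify_cert() {
    trusted_ca="$1"; domain="$2"
    if openssl verify -CAfile "$WORK/$trusted_ca.crt" "$WORK/$domain.crt" >/dev/null 2>&1; then
        echo trusted; return 0
    else
        echo untrusted; return 1
    fi
}

demo() {
    make_ca trusted-ca                       # the CA everyone trusts
    make_ca rogue-ca                         # a CA nobody trusts
    issue_cert trusted-ca example.test       # legitimate certificate
    issue_cert rogue-ca forged.example.test  # certificate from the untrusted CA
    echo "example.test (signed by trusted-ca):     $(verify_cert trusted-ca example.test || true)"
    echo "forged.example.test (signed by rogue-ca): $(verify_cert trusted-ca forged.example.test || true)"
}

demo
```

The second certificate is perfectly well formed; it is rejected only because its signer is not in the set of CAs the verifier trusts, which is exactly why a forged certificate is useless unless the attacker can also compromise a trusted CA.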

This means that as long as you have an SSL certificate, no one can spy on people's connections to your website or pretend to be your website. This makes HTTPS very convenient and much more secure. With the rise of Let's Encrypt, 93% of web traffic (via Google) is now HTTPS, and if your website is not, you will rank much lower in Google search results.


Why Let's Encrypt?

Let's Encrypt is completely free to use. This is uncommon for a certificate authority, since most of them charge hundreds of dollars a year. This is the big advantage of Let's Encrypt: if you don't need anything special, you can easily secure your website with HTTPS.

Let's Encrypt, however, has a few drawbacks. Their certificates are only valid for 90 days, but you can automate their renewal, so it's not a deal breaker. They also only offer Domain Validation (DV) certificates, which simply verify that you control your domain. They do not provide Organization Validation (OV) certificates, which require you to register your company with them, and they do not provide Extended Validation (EV) certificates, which require an extensive verification process and display your company name in the URL bar.

 EV Certificate for PayPal.

However, there is not much benefit to an OV certificate, and you probably don't need an EV certificate unless you run a bank or a large institution, in which case you can probably spare the money. Even Amazon does not have an EV certificate.

If you don't mind renewing your certificate every 90 days, there isn't much reason for most people these days to have anything fancier than Let's Encrypt.

Setting Up Let's Encrypt Certificates

You must have command line access to the server on which you want to install an SSL certificate. If you have a managed hosting provider such as SquareSpace, your host may support Let's Encrypt, and some enable it by default. Others, such as GoDaddy, include SSL as part of their paid plans and may prevent you from using alternatives. You can check whether your provider is on the list of supporting hosts and, if so, how to enable Let's Encrypt there. For this article, we'll focus on manual installation on your own web server.

To obtain a certificate, you must use an ACME client, a program that talks to Let's Encrypt for you and proves that you control your domain name. Let's Encrypt recommends using Certbot, a command line utility that not only creates certificates for you but also automatically installs them on the web server you are using.

If you don't want Certbot to touch your nginx or Apache configuration files, you can generate a certificate manually with another ACME client. You then have to add it to your configuration yourself and renew the certificate every 90 days (which you can automate, but you have to set that up yourself). Certbot will do just fine for most people.

Install and use Certbot

The installation depends on the operating system you use, but Certbot only runs on Unix systems, not Windows. It is usually as easy as installing it from your distro's package manager. For Debian based systems like Ubuntu it would be:

  sudo apt-get install certbot 

though you may need to add the Certbot repository to your package manager first. Fortunately, the Certbot website has more complete installation instructions for each distro. Select which web server you use and which operating system you run it on, and Certbot gives you a list of commands to install the necessary packages; run them and wait for the install to finish.

When it is finished, run the following:

  sudo certbot --nginx 

Replace the --nginx flag with whatever web server you are using. Certbot generates a new certificate and installs it in your nginx configuration. You can also run Certbot as a manual ACME client with:

  sudo certbot --nginx certonly 

This generates a certificate file that you can manually deploy to your web server.

Certbot automatically manages renewal on most distros with cron or systemd timers, so you don't have to worry about the certificate expiring. The cron task is usually located in /etc/cron.d/certbot if you want to check.

One thing to note is that this cron task only runs certbot renew; once it completes, your web server is not restarted automatically to pick up the new certificate. You can add an extra command to this task with --renew-hook, giving it a command to reload nginx like this:

  certbot renew --renew-hook "/etc/init.d/nginx reload"

You can also manually renew your certificates directly from the command line with:

  sudo certbot renew 

You must also restart your web server afterwards.
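The renewal and reload steps above, as an added example that is not the article's or Certbot's own code: a small script that reads a certificate's expiry with openssl, reports whether it falls inside the 30-day window Certbot renews in by default, and runs a reload hook of the kind --renew-hook expects. The certificate paths and the two sample certificates (one expiring in 10 days, one in 90) are constructed for the example; Certbot's own certificate for a real domain lives under /etc/letsencrypt/live/<domain>/. The hook only echoes the nginx reload command instead of running it.

```shell
#!/bin/sh
# Added example: check whether a certificate is due for renewal and show the
# reload hook that should follow a successful renewal. All file paths and
# the sample certificates are constructed; nothing here talks to Let's Encrypt.
set -eu

RENEW_WINDOW_DAYS=30   # Certbot's default: renew when fewer than 30 days remain

# Return 0 (true) if the certificate in $1 expires within $2 days (default 30), else 1.
needs_renewal() {
    cert="$1"; days="${2:-$RENEW_WINDOW_DAYS}"
    # "-checkend N" exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1   # valid beyond the window: nothing to do
    else
        return 0   # expires inside the window, or already expired
    fi
}

# Print the notAfter date of the certificate in $1 as openssl reports it.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# The command a --renew-hook would run. It only echoes so the example is safe to run anywhere.
reload_hook() {
    echo "would run: /etc/init.d/nginx reload"
}

# Decide for one certificate: prints "renew" or "ok".
check_and_report() {
    if needs_renewal "$1"; then
        echo "renew"
    else
        echo "ok"
    fi
}

# Constructed sample data: a self-signed certificate valid for $2 days, written to $1.
make_sample_cert() {
    out="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=example.test" \
        -keyout "${out%.crt}.key" -out "$out" >/dev/null 2>&1
}

WORK="${WORK:-$(mktemp -d)}"
SHORT_CERT="$WORK/short.crt"   # expires in 10 days: inside the renewal window
LONG_CERT="$WORK/long.crt"     # expires in 90 days: outside the window
make_sample_cert "$SHORT_CERT" 10
make_sample_cert "$LONG_CERT" 90

for cert in "$SHORT_CERT" "$LONG_CERT"; do
    echo "$cert expires $(cert_expiry "$cert"): $(check_and_report "$cert")"
done

# After a real renewal this is where the web server must be reloaded.
if needs_renewal "$SHORT_CERT"; then
    reload_hook
fi
```

Pointing needs_renewal at /etc/letsencrypt/live/<domain>/fullchain.pem gives you a quick way to confirm that the cron task is actually doing its job, independent of Certbot's own logging.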

Dealing with HTTPS Traffic

HTTPS works a little differently than regular HTTP. The default HTTP port is 80, which is usually open on web servers. HTTPS runs on port 443, so you need to make sure that this port is open in any firewalls you have for HTTPS to work.

In addition, you probably want to redirect all HTTP traffic now that you have HTTPS. You can do this with an nginx server block:

  server {
      listen 80 default_server;
      server_name _;
      return 301 https://$host$request_uri;
  }

This redirects all port 80 traffic to the same URL over HTTPS. It replaces the default port 80 server, so make sure nothing else is being served on that port.
