Starting from the 2017, Google Chrome has started marking each site with unencrypted HTTP connection that requires entering credentials as unsafe. I’m sure many webmasters see this as an unnecessary hustle, especially those who don’t care about the security. However, using HTTPS is really easy and nowadays, it’s free. With LetsEncrypt you can even use automated scripts for renewing your certificates, so here’s how to set it up.
First of all, your are going to need an ACME client. You can choose any client from this list. I’ve chosen kelunik/acme-client written in PHP and this is what I’m going to be using for this tutorial. The easiest way to install this on your production server is to download it to /usr/local/bin directory and rename acme-client.phar to acme-client. Now you will be able to call it globally on your server as “acme-client” command. To download it, choose the latest .phar from here.
The next step is to write a YAML config file in /etc/client-yml. Here’s an example:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | # storage for certs storage: /etc/secret server: letsencrypt email: milos.milutinovic@live.com certificates: # milos.pw - bits: 4096 paths: /var/www/milos.pw/public_html: - milos.pw - user: www-data paths: /var/www/milos.pw/public_html/: milos.pw |
Once that is done, you can get the your certificates for the first time by running “acme-client auto”. If there were no errors, you will get the certificates in the specified folder.
The next step depends on your web server. In this example I will set up Apache. You will have to edit each vhost config file (this is an example, not a whole file and parts are censored).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | #redirect to https ServerName milos.pw ServerAlias www.milos.pw Redirect permanent / https://milos.pw/ ServerName milos.pw ServerAlias www.milos.pw ServerAdmin ######## DocumentRoot /var/www/milos.pw/public_html SSLEngine On SSLCertificateFile /etc/##########/cert.pem SSLCertificateKeyFile /etc/#######/key.pem SSLCertificateChainFile /etc/#####/chain.pem # vim: syntax=apache ts=4 sw=4 sts=4 sr noet |
After you’ve done editing, test the configuration
1 | sudo apachectl configtest |
and reload Apache
1 | sudo service apache2 reload |
Now go to your site. It should redirect http to https and there should be no security errors. If everything went smoothly, congratulations, your visitors can now connect securely to your site and no one can sniff their traffic. If there were errors, leave a comment below and I’ll try helping.
The final step is creating a cron job that will renew the certificates automatically for us. LetsEncrypt certificates are valid for 3 months, so it would be very tedious to do this by hand, not to mention that you can easily forget to do it. Acme-client comes with very nice instructions for doing this.