Why Encrypt?
Because I can. And it's free! (Seriously, any website with password authentication should be encrypted.)
Before Let's Encrypt, I was struggling between buying a cert and "fuck it, I'll go naked". Certs were expensive; buying trust is a thing. And it should be a thing, because that's how our society works.
Using a self-signed cert was okay, but I have since had some public services hosted for fun, and there is the policy for Store apps. I don't think I can trust a self-signed cert in public space unless I am making my own protocol over sockets. It is self-signed; I am not qualified enough to be sure I am doing it right. Even if it is for fun, anything involving users *should* be considerate of their privacy.
So Let's Encrypt is the messiah, lifting me out of the eternal doom of this blog's password being exposed to the public.
Using Let's Encrypt
Clone their repository from GitHub, then follow the instructions:
git clone https://github.com/certbot/certbot
cd certbot/
./letsencrypt-auto
Updating the certs
Since I have several websites running on the same machine, I really need a way to simplify the process.
Here is a semi-automated script to renew the certs.
#!/bin/bash
# Domains hosted on this machine; add more entries as needed.
SITES=(
    "blog.astropenguin.net"
    "file.astropenguin.net"
    "[Define More Domains]"
)
j=1
echo "Available sites to update:"
for i in "${SITES[@]}"; do
    echo " $j. $i"
    j=$(( j + 1 ))
done
echo -n "Select a domain [1-$(( j - 1 ))]: "
read -r num
# Accept digits only, then check the numeric range. A character class such as
# [1-N]+ breaks once N reaches 10 and would also accept input like "33".
if [[ ! $num =~ ^[0-9]+$ ]] || (( num < 1 || num > j - 1 )); then
    echo "Value does not fall into expected range"
    exit 1
fi
CHOICE=${SITES[$(( num - 1 ))]}
echo " Selected: $CHOICE"
read -r -p "Press Enter to confirm"
/opt/letsencrypt/letsencrypt-auto certonly --keep-until-expiring --webroot -w /var/www/master/ -d "$CHOICE"
/var/www/master is a special directory I've created to redirect all HTTP traffic to the respective HTTPS site. Thus all the HTTP sites use this directory to let Let's Encrypt do its ACME verification.
Here's the zzmaster.conf under /etc/apache2/sites-available/ (the zz prefix makes Debian load it last, so it acts as the catch-all):
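To skip the menu for domains whose cert is nowhere near expiry, here is an added check of my own (not from the original post) that asks openssl how long each site's certificate has left and only prints the renew command for those inside a threshold. It assumes certbot's default /etc/letsencrypt/live/<domain>/cert.pem layout; the demo cert at the end is constructed on the fly.

```shell
#!/bin/sh
# Added example, not part of the original post: check how long each site's
# certificate has left before running the interactive renewal for it.
set -u

# Print the notAfter date of a PEM certificate.
cert_end_date() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Return 0 if the certificate in $1 expires within $2 days. openssl's
# -checkend succeeds while the cert is still valid at that point, so invert it.
needs_renewal() {
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Report each site under the assumed certbot layout and print the renew
# command for the ones inside the threshold; the operator runs it.
report_sites() {
    threshold=$1; shift
    for site in "$@"; do
        cert="/etc/letsencrypt/live/$site/cert.pem"   # assumed default path
        if [ ! -r "$cert" ]; then
            echo "$site: no certificate at $cert"
        elif needs_renewal "$cert" "$threshold"; then
            echo "$site: expires $(cert_end_date "$cert"), renew with:"
            echo "  /opt/letsencrypt/letsencrypt-auto certonly --keep-until-expiring --webroot -w /var/www/master/ -d $site"
        else
            echo "$site: ok until $(cert_end_date "$cert")"
        fi
    done
}

# Constructed demo data: a throwaway self-signed cert for $3, valid $2 days,
# written to $1/cert.pem (private key goes to $1/key.pem).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$3" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_demo_cert "$tmp" 10 blog.astropenguin.net
if needs_renewal "$tmp/cert.pem" 30; then echo "demo cert: renew (expires within 30 days)"; fi
if needs_renewal "$tmp/cert.pem" 5; then echo "unexpected"; else echo "demo cert: fine for 5 more days"; fi
rm -rf "$tmp"
```

Call report_sites with the threshold first, e.g. `report_sites 30 blog.astropenguin.net file.astropenguin.net`, to get one line per domain.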
<VirtualHost *:80>
    ServerName astropenguin.net
    ServerAlias *.astropenguin.net
    DocumentRoot /var/www/master
    <Directory />
        Options None
        AllowOverride None
    </Directory>
    <Directory /var/www/master>
        Options SymLinksIfOwnerMatch
        # AllowOverride all is needed so the .htaccess rewrite rules below are read
        AllowOverride all
        # Apache 2.2 access syntax; on 2.4 it needs mod_access_compat,
        # otherwise use "Require all granted"
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
And the .htaccess under /var/www/master, redirecting all HTTP requests that no other vhost caught to HTTPS:
RewriteEngine on
RewriteCond %{HTTPS} off
# Leave /.well-known alone so the ACME HTTP-01 challenge stays reachable over plain HTTP
RewriteCond %{REQUEST_URI} !^/.well-known/(.+)$
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
Let's Encrypt is good because it really does simplify the process of setting up certs (for Apache/Nginx websites, generally). To get a cert for a site I'd just run a command and it's done, unless there is some aftermath to deal with when an error occurred during the process (which I occasionally encountered in the beta). So a general idea of how certificates work is a must, because you never know when these things will suddenly stop working. Think it over. 鵬兄
Thu Aug 04 2016 02:45:51 GMT+0000 (Coordinated Universal Time)
Last modified: Thu Aug 04 2016 02:55:16 GMT+0000 (Coordinated Universal Time)