Let's Encrypt
I've been using Let's Encrypt since the beta, so I would like to share some of my experience here:

Why Encrypt?

Because I can. And it's free! (Seriously, any website with password authentication should be encrypted.)

Before Let's Encrypt, I was struggling between buying a cert and "fuck it, I'll go naked", because certs were expensive. Buying trust is a thing, and it should be a thing, because that's how our society works.

Using a self-signed cert was okay, but I have since been hosting some public services for fun, and there is the policy for Store apps. I don't think I can trust a self-signed cert in a public space unless I am making my own protocol on top of raw sockets. It is self-signed; I am not qualified enough to be sure I am doing it right. Even if it is for fun, anything that involves users *should* be considerate of their privacy.

So Let's Encrypt is the messiah, lifting me out of the eternal doom of this blog's password being exposed to the public.

Using Let's Encrypt

Clone their repository from GitHub, then follow the instructions:
git clone https://github.com/certbot/certbot

cd certbot/
./letsencrypt-auto

Updating the certs

Since I have several websites running on the same machine, I really need a way to simplify the process.

Here is a semi-automation script to renew the certs.
#!/bin/bash
# Semi-automated renewal: pick one of the configured sites and run certbot for it.
SITES=(
        "blog.astropenguin.net"
        "file.astropenguin.net"
        "[Define More Domains]"
)

j=1
echo "Available sites to update:"
for i in "${SITES[@]}"; do
        echo "  $j. $i"
        j=$(( j + 1 ))
done

echo -n "Select a domain [1-$(( j - 1 ))]: "
read num

# Accept only a whole number within 1..(number of sites).
# A bracket expression such as ^[1-N]+$ would accept inputs like "12" and
# break once there are ten or more sites, so the range is checked numerically.
if [[ ! $num =~ ^[0-9]+$ ]] || (( num < 1 || num > j - 1 )); then
        echo "Value does not fall into expected range"
        exit 1
fi

CHOICE=${SITES[$(( num - 1 ))]}

echo "  Selected: $CHOICE"
read -p "Press Enter to confirm"

# --keep-until-expiring: only replace the cert if it is close to expiry.
# --webroot -w: serve the ACME challenge file from the shared /var/www/master
# directory, which every http site of this machine points at.
/opt/letsencrypt/letsencrypt-auto certonly --keep-until-expiring --webroot -w /var/www/master/ -d "$CHOICE"

/var/www/master is a special directory I've created to redirect all http traffic to the respective https site. Thus all the http sites use this one directory, and that is where Let's Encrypt does its ACME verification (the challenge file is served from /.well-known/ under it).

Here's the zzmaster.conf under /etc/apache2/sites-available/ (the zz prefix makes it sort last among Debian's enabled sites, so it acts as a catch-all after the more specific vhosts):
<VirtualHost *:80>
        ServerName astropenguin.net
        # Wildcard alias: any http host under the domain lands here, which is
        # why this vhost must be loaded last (the zz prefix) or it would shadow
        # the more specific ones.
        ServerAlias *.astropenguin.net

        DocumentRoot /var/www/master
        <Directory />
                Options None
                AllowOverride None
        </Directory>

        <Directory /var/www/master>
                # mod_rewrite in a .htaccess needs symlink following enabled,
                # and AllowOverride all lets the .htaccess below take effect.
                Options SymLinksIfOwnerMatch
                AllowOverride all
                # Apache 2.2 access syntax; on 2.4 it works through
                # mod_access_compat, the native form is "Require all granted".
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

And the .htaccess under /var/www/master, redirecting every http request that no other vhost caught to https:
RewriteEngine on
# Only act on plain http requests.
RewriteCond %{HTTPS} off
# Leave /.well-known/ alone so the ACME challenge file is served over http
# instead of being redirected away.
RewriteCond %{REQUEST_URI} !^/\.well-known/(.+)$
# Permanent redirect to the same host and path on https, keeping the query string.
# With UseCanonicalName Off (Debian's default) SERVER_NAME is the requested Host,
# so each alias is redirected to its own https site.
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
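Once the vhost and the .htaccess are in place, the thing worth checking is that the redirect does not also swallow the ACME challenge path, since a redirected challenge is the usual reason a webroot renewal suddenly fails. The following is an added example, not code from the original post: a small Python checker that fetches http://<host>/ and a challenge URL without following redirects and judges each response against the policy above. The host names, the probe token and the function names are my own assumptions.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"

def verify_redirect(host, path, status, location):
    """Return (ok, reason) for one plain-http response against the intended policy:
    challenge paths are served directly (a 404 for a probe token is fine), everything
    else gets a permanent redirect to the same host and path on https."""
    if path.startswith(ACME_PREFIX):
        if 300 <= status < 400:
            return False, f"challenge path redirected to {location}"
        return True, "challenge path served directly"
    if status not in (301, 308):
        return False, f"expected a permanent redirect, got {status}"
    target = urlsplit(location or "")
    if target.scheme != "https" or target.hostname != host or target.path != path:
        return False, f"redirected to {location!r}, expected https://{host}{path}"
    return True, "redirected to https"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise the 3xx as an HTTPError instead of
    # following it, so the raw status and Location header can be inspected.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(host, path):
    """GET http://host/path without following redirects; return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(f"http://{host}{path}", timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def check_site(host, probe_token="acme-redirect-probe"):
    """Probe a normal page and a challenge URL; return [(path, ok, reason), ...]."""
    results = []
    for path in ("/", ACME_PREFIX + probe_token):
        status, location = fetch(host, path)
        results.append((path,) + verify_redirect(host, path, status, location))
    return results

if __name__ == "__main__":
    for host in sys.argv[1:]:  # e.g. the entries of SITES in the renewal script
        for path, ok, reason in check_site(host):
            print(f"{'OK  ' if ok else 'FAIL'} http://{host}{path}: {reason}")
```

Run it with the same domain list as the renewal script after every Apache change; a FAIL on the challenge path means the next renewal will not validate.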

Let's Encrypt is good because it really does simplify the process of setting up certs (for Apache / Nginx websites, generally). To get a cert for a site I'd just run a command and it's done, unless there is some aftermath to deal with because an error occurred during the process (which I occasionally encountered in the beta). So a general idea of how certificates work is a must, because you never know when these things will suddenly stop working.
斟酌 鵬兄
Thu Aug 04 2016 02:45:51 GMT+0000 (Coordinated Universal Time)
Last modified: Thu Aug 04 2016 02:55:16 GMT+0000 (Coordinated Universal Time)