Let's Encrypt
I've been using Let's Encrypt since the beta, so I would like to share some of my experience here.
Why Encrypt?
Because I can. And it's free! (Seriously, any website with password authentication should be encrypted.)

Before Let's Encrypt, I was torn between buying a cert and "fuck it, I'll go naked". Certs were expensive; buying trust is a thing, and it should be a thing, because that's how our society works.

Using a self-signed cert was okay, but I have since hosted some public services for fun, and there is the policy for Store apps. I don't think I can trust a self-signed cert in a public space unless I am writing my own protocol over raw sockets. It is self-signed; I am not qualified enough to be sure I am doing it right. Even if it is for fun, anything that involves users *should* be considerate of their privacy.

So Let's Encrypt is the messiah, lifting me out of the eternal doom of this blog's password being exposed to the public.
Using Let's Encrypt
Clone their repository from GitHub, then follow the instructions:

    git clone https://github.com/certbot/certbot
    cd certbot/
    ./letsencrypt-auto

(letsencrypt-auto was the self-bootstrapping wrapper the project shipped at the time. It has since been retired in favour of packaged certbot, but the certonly / --webroot workflow below is unchanged.)

Updating the certs
Since I have several websites running on the same machine, I needed a way to simplify the process. Here is a semi-automated script to renew the certs (it assumes the repository was cloned to /opt/letsencrypt):

    #!/bin/bash
    # Pick one of the configured sites, then ask letsencrypt-auto to renew
    # its certificate through the shared webroot on the port-80 vhost.
    set -euo pipefail

    SITES=(
        "blog.astropenguin.net"
        "file.astropenguin.net"
        "[Define More Domains]"   # placeholder: replace with further domains
    )

    echo "Available sites to update:"
    j=1
    for i in "${SITES[@]}"; do
        echo "  $j. $i"
        j=$(( j + 1 ))
    done

    echo -n "Select a domain [1-${#SITES[@]}]: "
    read -r num

    # Accept only a whole number inside the menu range. (A bracket
    # expression such as [1-N]+ does not do this: it breaks once N reaches
    # 10 and accepts multi-digit input such as 11 for a 3-entry menu.)
    if [[ ! $num =~ ^[0-9]+$ ]] || (( num < 1 || num > ${#SITES[@]} )); then
        echo "Value does not fall into expected range" >&2
        exit 1
    fi

    CHOICE=${SITES[$(( num - 1 ))]}
    echo "  Selected: $CHOICE"
    read -r -p "Press Enter to confirm"

    # --keep-until-expiring: re-issue only when the existing cert is close
    # to expiry. --webroot -w: answer the ACME HTTP-01 challenge from
    # /var/www/master/.well-known/acme-challenge/, which the :80 vhost serves.
    /opt/letsencrypt/letsencrypt-auto certonly --keep-until-expiring \
        --webroot -w /var/www/master/ -d "$CHOICE"

/var/www/master is a special directory I created as the document root of a catch-all http vhost: it holds the ACME challenge files, and every other request is redirected to the respective https site. All the http sites share this directory, so Let's Encrypt can do its ACME verification there.

Here is zzmaster.conf under /etc/apache2/sites-available/. Apache tries name-based vhosts in load order and uses the first whose ServerName or ServerAlias matches, so the zz prefix makes this wildcard vhost sort last among Debian's sites-enabled symlinks and act as the catch-all behind any more specific site:
    <VirtualHost *:80>
        ServerName astropenguin.net
        ServerAlias *.astropenguin.net
        DocumentRoot /var/www/master

        <Directory />
            Options None
            AllowOverride None
            Require all denied
        </Directory>

        # Shared docroot: serves the ACME challenge files and holds the
        # .htaccess that redirects everything else to https.
        <Directory /var/www/master>
            # mod_rewrite in .htaccess needs symlink following to be allowed
            Options SymLinksIfOwnerMatch
            # FileInfo is all that mod_rewrite directives in .htaccess require
            AllowOverride FileInfo
            # Apache 2.4 syntax (Debian jessie and later); on 2.2 this was
            # "Order allow,deny" followed by "allow from all"
            Require all granted
        </Directory>
    </VirtualHost>

And the .htaccess under /var/www/master, redirecting every http request except the ACME challenge path to https:
    RewriteEngine on
    # Only plain-http requests reach this vhost, but be explicit about it
    RewriteCond %{HTTPS} off
    # Leave the ACME HTTP-01 challenge path alone so Let's Encrypt can
    # fetch its token over http
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # Everything else: permanent redirect to the same host and path over
    # https. SERVER_NAME follows the Host header as long as UseCanonicalName
    # is Off (the default), so each subdomain redirects to itself.
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

Let's Encrypt is good because it really does simplify setting up certs (for apache/nginx websites, generally). To get a site covered I just run one command and it's done, unless something went wrong during the process and there is aftermath to deal with (which I occasionally ran into during the beta). So a general idea of how certificates work is a must, because you never know when these things will suddenly stop working.
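The last point is worth turning into a check you can run yourself. The following shell script is an added example, not code from the original post or from the certbot project: it performs the same decision that the script's --keep-until-expiring flag makes (is the certificate inside its renewal window?) for each site, using only openssl. It assumes certbot's default layout of /etc/letsencrypt/live/<domain>/cert.pem and an openssl binary on PATH; the function names, the 30-day threshold and the "renew"/"ok"/"unreadable" states are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): report which Let's Encrypt
# certificates are due for renewal. Assumes certbot's default layout
# /etc/letsencrypt/live/<domain>/cert.pem and openssl on PATH.

RENEW_DAYS=30   # Let's Encrypt certs last 90 days; renew within the last 30

# expiry_state CERT [DAYS]
#   prints "renew"      if CERT expires within DAYS (default RENEW_DAYS), returns 0
#   prints "ok"         if CERT is valid beyond that window,            returns 1
#   prints "unreadable" if CERT is not a parseable certificate,         returns 2
expiry_state() {
    cert=$1
    days=${2:-$RENEW_DAYS}
    if ! openssl x509 -in "$cert" -noout -enddate >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    # -checkend N succeeds only if the cert is still valid N seconds from now
    if openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1; then
        echo ok
        return 1
    fi
    echo renew
    return 0
}

# report_sites LIVE_DIR SITE...
#   prints one "<state> <site> <notAfter>" line per site;
#   returns 0 if at least one site needs renewal, 1 otherwise
report_sites() {
    live=$1
    shift
    due=1
    for site in "$@"; do
        cert="$live/$site/cert.pem"
        state=$(expiry_state "$cert" || true)
        [ "$state" = renew ] && due=0
        notafter=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
        printf '%-10s %s %s\n' "$state" "$site" "${notafter:-?}"
    done
    return $due
}

# Stand-alone usage, e.g.:
#   sh check-expiry.sh /etc/letsencrypt/live blog.astropenguin.net file.astropenguin.net
if [ $# -ge 2 ]; then
    report_sites "$@"
fi
```

Run it from cron with the same site list as the renewal script; a non-zero exit from report_sites means nothing is due yet, so the renewal step can be skipped. The "unreadable" state is deliberate: a missing or corrupt cert.pem is exactly the case where a site has already stopped working, and it should stand out rather than be silently counted as "ok".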
Thu Aug 04 2016 02:45:51 GMT+0000 (Coordinated Universal Time)
Last modified: Thu Aug 04 2016 02:55:16 GMT+0000 (Coordinated Universal Time)