
How does Let's Encrypt's free HTTPS / SSL certificate work? – CloudSavvy IT




Let's Encrypt issues free SSL/TLS certificates, which are used to authenticate your site and encrypt traffic to it, and which give you the padlock in the browser's address bar. Without one, you are stuck with plain HTTP, where traffic can be read and altered by anyone on the path between your visitors and your server.

What is an HTTPS / SSL Certificate?

When someone connects to your site, their browser asks your server to prove its identity, so that nobody can quietly insert themselves into the connection. The server does this with an SSL certificate, which is issued to you by a Certificate Authority (CA).

The CA checks that you control your domain name and then signs a certificate that binds that name to your public key. Anyone who connects to your site can check that the certificate is signed by a CA their browser trusts, and that your server holds the private key matching it (the key is used to authenticate the TLS handshake that sets up the encrypted session), so the server must be who the certificate says it is. As long as browsers trust only legitimate CAs, and CAs sign only for domains they have verified, no one can forge a certificate for your site: a forged one would lack a trusted CA's signature, and only the CA holding the signing key can produce that.

This means that as long as your site uses a valid certificate, no one can eavesdrop on your visitors' connections or impersonate your site to them. That is what makes HTTPS both more useful and much more secure than HTTP. With the rise of Let's Encrypt, 93% of web traffic (according to Google's figures) is now HTTPS, and if your site is not, it will rank lower in Google search results.


How is Let's Encrypt different?

Let's Encrypt is completely free to use. This is unusual for a CA, as most of them charge you hundreds of dollars a year. This is the great advantage of Let's Encrypt: if you do not need anything fancy, you can secure your site with HTTPS at no cost.

However, Let's Encrypt has some drawbacks. Its certificates are only valid for 90 days, but renewal can be automated, so this is not a dealbreaker. It also only issues Domain Validation (DV) certificates, which prove nothing more than that you control the domain. It does not issue Organization Validation (OV) certificates, which require the CA to verify your registered business as well, or Extended Validation (EV) certificates, which require a more thorough vetting process and, in browsers of the time, displayed your company name in the URL bar (most browsers have since dropped that indicator).

Image: PayPal's EV certificate.

However, there is little practical benefit to an OV certificate, and you probably do not need an EV certificate unless you are running a bank or a major institution, in which case you can probably afford one anyway. Even Amazon does not use an EV certificate.

For most people, if you do not mind renewing your certificate every 90 days (and a cron job or systemd timer can do that for you), there is currently little reason to pay for anything fancier than Let's Encrypt.

Setting up Let's Encrypt certificates

You need command-line access to the server on which you intend to install the certificate. Alternatively, if you use a managed web host like SquareSpace, your host may support Let's Encrypt itself, and some enable it by default. Others, like GoDaddy, bundle SSL with their paid plans and may prevent you from using alternatives. Let's Encrypt publishes a list of hosting providers with built-in support; check whether yours is on it and how to enable it if so. For this article, we focus on a manual installation on a web server you run yourself.

To obtain a certificate, you use an ACME client, a program that talks to Let's Encrypt on your behalf and proves to it that you control the domain name (for example by answering an HTTP challenge on port 80 or by publishing a DNS record). Let's Encrypt recommends Certbot, a command-line tool that not only obtains certificates for you but can also install them in your web server's configuration automatically.

If you do not want Certbot touching your nginx or Apache configuration files, you can obtain a certificate with another ACME client (or with Certbot in certificate-only mode) and wire it into your configuration by hand. You then also have to take care of renewing the certificate every 90 days; that can still be automated, but you have to set it up yourself. For most people, Certbot's automatic installation works well.

Installing and using Certbot

Installation varies with your operating system; Certbot targets Unix-like systems, so it is not an option on Windows. It is usually as simple as installing it from your distribution's package manager. For Debian-based systems like Ubuntu, together with the plugin that lets it configure nginx, that is:

  sudo apt-get install certbot python3-certbot-nginx

On some releases you first have to add the Certbot repository to your package manager (and the project now recommends its snap package, which bundles the plugins). Fortunately, Certbot's website has complete installation instructions for each distribution: choose the web server you are using and the operating system it runs on, and Certbot gives you the list of commands to install the necessary packages. Run them and wait for the install to finish.

When done, you want to run:

  sudo certbot --nginx

Replace the --nginx flag with the plugin for whatever web server you are using (--apache for Apache). Certbot obtains a new certificate and installs it in your nginx configuration. You can also run Certbot as a plain ACME client that leaves your configuration alone:

  sudo certbot certonly --nginx

This still uses the nginx plugin to answer the domain-validation challenge, but only saves the certificate, key and chain under /etc/letsencrypt/live/<your-domain>/ (fullchain.pem and privkey.pem) without editing the server configuration, so you can point your web server at those files yourself.

Certbot's packages set up automatic renewal on most distributions with a cron job or a systemd timer, so you do not have to worry about the certificate expiring. On Debian and Ubuntu the cron job lives in /etc/cron.d/certbot if you want to check (on systems running systemd, the certbot.timer unit does the job instead), and certbot renew --dry-run exercises the whole renewal path against Let's Encrypt's staging environment without issuing a real certificate.

One thing to note is that this job only runs certbot renew, and that step by itself does not reload your web server, so nginx keeps serving the old certificate until it re-reads its configuration. (If you let Certbot's nginx plugin install the certificate, Certbot reloads nginx itself after a renewal; if you used certonly, it does not.) You can attach a command to the renewal with --deploy-hook (formerly called --renew-hook), which runs only when a certificate was actually renewed, and use it to reload nginx like this:

  sudo certbot renew --deploy-hook "/etc/init.d/nginx reload"

You can also manually renew your certificates directly from the command line with:

  sudo certbot renew 

You must reload your web server after that as well, unless a deploy hook does it for you. Certbot remembers a hook passed once on the command line in that certificate's renewal configuration, and it also runs every executable script placed in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal, which is the tidiest way to set this up.
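The deploy hook is the step most people get wrong, so here is an added example of one; it is not Certbot's own code and not from the original article. Certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory that was just renewed) to deploy hooks; the script checks that the new certificate and key actually match and are not about to expire, asks nginx to validate its configuration, and only then reloads it. The reload and config-test commands are assumed defaults for a systemd host and are meant to be overridden; when run without Certbot's environment the script exercises itself against self-signed certificates it constructs on the fly.

```shell
#!/bin/sh
# Added example (not Certbot's code and not from the original article):
# a deploy hook that Certbot runs after a successful renewal.  Install it as
#   /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh   (chmod +x)
# or pass it with --deploy-hook.  Certbot exports RENEWED_LINEAGE, the
# /etc/letsencrypt/live/<name> directory that was just renewed.  The hook
# refuses to reload the web server unless the new certificate is sane, so a
# botched renewal leaves the still-valid old certificate in service.
set -eu

# Commands to test the web server config and to reload it.  These defaults are
# assumptions for a systemd host running nginx; override them for your system
# (for example RELOAD_CMD="/etc/init.d/nginx reload").
CONFIG_TEST_CMD=${CONFIG_TEST_CMD:-"nginx -t"}
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload nginx"}
# A freshly issued Let's Encrypt certificate is good for about 90 days, so one
# that expires within MIN_DAYS is a sign that something went wrong.
MIN_DAYS=${MIN_DAYS:-30}

# Succeed if certificate $1 is still valid $2 days from now.
cert_fresh() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Succeed if certificate $1 and private key $2 carry the same public key, so
# nginx will not choke on a mismatched pair.
cert_matches_key() {
    cpub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    kpub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Check a lineage directory laid out the way Certbot does it:
# fullchain.pem is what nginx serves, privkey.pem is the matching key.
check_lineage() {
    cert="$1/fullchain.pem"
    key="$1/privkey.pem"
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "deploy hook: missing fullchain.pem or privkey.pem in $1" >&2
        return 1
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "deploy hook: privkey.pem does not match fullchain.pem" >&2
        return 1
    fi
    if ! cert_fresh "$cert" "$MIN_DAYS"; then
        echo "deploy hook: certificate expires in less than $MIN_DAYS days" >&2
        return 1
    fi
}

# Entry point: validate, make sure the server accepts its config, then reload.
# Returns nonzero, without touching the running server, if anything is wrong.
deploy() {
    check_lineage "$1" || return 1
    if ! sh -c "$CONFIG_TEST_CMD" >/dev/null 2>&1; then
        echo "deploy hook: web server rejected the configuration" >&2
        return 1
    fi
    sh -c "$RELOAD_CMD"
}

# Build a throwaway lineage with a self-signed certificate (constructed for this
# example) so the hook can be exercised without Certbot.  $1 = dir, $2 = days.
make_fake_lineage() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.com" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"            # invoked by Certbot
else
    # No Certbot environment: run a self-test against constructed lineages.
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
    CONFIG_TEST_CMD=true
    RELOAD_CMD=true
    make_fake_lineage "$WORK/good" 90
    make_fake_lineage "$WORK/short" 1
    deploy "$WORK/good" && echo "good lineage: reloaded"
    deploy "$WORK/short" || echo "short-lived lineage: refused, server untouched"
fi
```

Validating before reloading matters because nginx refuses to start if the certificate and key do not match, and a reload that fails half-way is far harder to diagnose at three in the morning than a hook that logs why it declined to act.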

Managing HTTPS Traffic

HTTPS works a little differently from regular HTTP. HTTP uses port 80, which is usually already open on web servers. HTTPS uses port 443, so make sure that port is open in any firewall in front of the server, or HTTPS connections will simply time out. Leave port 80 open too: the HTTP challenge Certbot uses to prove you control the domain is served on it, and so is the redirect below.

Additionally, you will probably want to send all HTTP traffic to HTTPS now that you have it. Rather than blocking port 80, which would only break old links and bookmarks, redirect it with an nginx rule:

   server {
       listen 80 default_server;
       # Catch-all name, so this block answers every plain-HTTP request.
       server_name _;
       # Permanent redirect to the same host and path over HTTPS.
       return 301 https://$host$request_uri;
   }

This redirects every request on port 80 to the same URL over HTTPS with a permanent (301) redirect. It replaces nginx's default port 80 server block, so make sure nothing else relies on that one. Once the redirect is in place, consider also sending a Strict-Transport-Security header from your HTTPS server block so that returning browsers skip the HTTP step entirely.

