Get free HTTPS for your server

Did you know you can have a secure, HTTPS-only server configured in just 10 minutes?

Thanks to Let's Encrypt, everyone can have free SSL certificates... forever! They can automatically renew, as well.

Let's Encrypt makes it relatively easy, but there are still a few gotchas to keep in mind. However, once you have it down, you'll never build another website that accepts HTTP connections!

In fact, my websites (including this one and my personal site) have become HTTPS-only. Why?

Why should you care?

Really, one of the most compelling reasons is that public Wi-Fi networks can inject ads into plain HTTP pages, so your visitors don't actually see what the website owner intended.

Do you respect your users? Do you maybe even treat them like friends? Do you care about their privacy? Then please, use HTTPS all the time.

Users visiting your site on plain HTTP can be monitored on public Wi-Fi, and if they enter any credentials sent through HTTP, anyone watching could just see and steal that information.

I hope this quick summary was helpful. I've been surprised how few people have switched to HTTPS-only. Hopefully, understanding its importance + it's free + how to do it = you make the switch!

Here's your checklist

  1. Make sure you own the domain and have permissions to update static files on the server
  2. Install letsencrypt on your server (via git cloning from their site)
  3. Install nginx or Apache, check they run (you can follow guides on the internet for your specific server OS)
  4. Use letsencrypt to generate a certificate (auto-configured for Apache, or via its webroot plugin for nginx)
  5. For nginx, manually generate strong Diffie-Hellman group parameters (dhparams)
  6. Update your nginx/Apache configs, then restart/reload
  7. Verify it works manually
  8. Run an SSL checker like this one.
  9. Set up automatic renewal (I did it via crontab like this, but the Digital Ocean guide covers a cleaner way)
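
For steps 4 to 6 on nginx, the resulting site config could look like the sketch below. This is an added example, not taken from the original post or from Let's Encrypt's documentation; `example.com`, the webroot `/var/www/letsencrypt`, the site root and the dhparam path are placeholder assumptions.

```nginx
# Constructed example: example.com and every path below are placeholders.
# Step 5, run once before enabling this config:
#   openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# Port 80 serves only the ACME challenge and redirects everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # The webroot plugin writes its challenge files under this directory,
    # so it must stay reachable over plain HTTP for issuance and renewal.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # No content is ever served over HTTP.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443 serves the site with the Let's Encrypt certificate.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # The live/ directory holds symlinks that renewal re-points,
    # so after a renewal nginx only needs a reload.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Drop TLSv1.3 from this line on nginx builds older than 1.13.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Step 5 output: custom group for DHE key exchange.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    root /var/www/example.com;
    index index.html;
}
```

Run `nginx -t` before the reload in step 6 so a typo in the config is caught before it takes the site down.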

You can follow one of these guides to get set up:

We value security

At Uplift, we take security seriously. We use our knowledge about things such as:

  • encryption and cryptography
  • secure server configuration, including SSL and database setup
  • secure passwords and passphrases
  • managing security updates for tools and software we use
  • latest industry best practices

... to help secure our clients' businesses. If you are concerned about your website's security:

  • email us at security [at] uplift {dot} agency
  • or call at (415) 418-3420, extension 5 for security.

Questions, thoughts?

If you have any questions or thoughts for improvement of this summary, let us know via our contact page.
