Securing web site with https and Let’s Encrypt

A padlock imageI have added support for secure communication using https/TLS to my personal web site, which runs on Linux home servers using Apache. After Let’s Encrypt appeared and started offering free security certificates, there was really no reason not to give it a spin. And there are many good reasons to support secure http communication, even for sites not dealing with sensitive or secret information:

  • Data integrity. Using https is an effective way to prevent tampering with the data from the server to the client. It is not unheard of for ISPs or other third parties to modify http traffic, for instance to inject ads in pages, and https is an effective counter measure.
  • Initiatives like Mozilla’s “deprecation of non-secure HTTP”, which aims to move the web to secure communication by default.
  • Giving visitors the choice to keep their web browsing private across the internet.
  • Allow secure site administration.

Skip directly to a section in this post:

  1. Acquiring a Let’s Encrypt certificate
  2. Configuring Apache on Ubuntu 14.04 to use Let’s Encrypt certificate
  3. WordPress and https
  4. Validating https protocol support
  5. Automatic certificate renewal
  6. Donations to Let’s Encrypt and the way forward

Acquiring a Let’s Encrypt certificate

Using this recipe as a guide, I decided to use the certbot tool, which automates the process of verifying ownership of domain and downloading a new certificate from Let’s Encrypt. It also provides automation of the certificate renewal process, which is necessary with Let’s Encrypt due to rather short expiry periods.

As preparation, basic SSL support in Apache should be enabled. This is accomplished on a standard Debian/Ubuntu Apache by doing as super user:

cd /etc/apache2/mods-enabled/
ln -s ../mods-available/ssl.* ../mods-available/socache_shmcb.load .

/usr/sbin/apachectl graceful

This links up the required modules and default configuration, then reloads Apache config. Since certbot requires that your Apache server is reachable from the internet on port 443, make sure any required port forwardings and/or firewall rules are adjusted in your router.

Note that there is a default virtualhost configuration for SSL in the file /etc/apache2/sites-available/default-ssl.conf. However, there is no need to enable this file, as all the required SSL options are added to the name based virtualhost for the site. If you decide to link default-ssl.conf into /etc/apache2/sites-enabled/, you should edit it to include /etc/letsencrypt/options-ssl-apache.conf, to disable vulnerable SSLv2/v3 protocols.

On to the certbot process, download and run as super user:

curl -sS https://dl.eff.org/certbot-auto -o /usr/local/bin/certbot-auto
chmod +x /usr/local/bin/certbot-auto

/usr/local/bin/certbot-auto --apache certonly

I opted for the conservative approach of not allowing certbot to do any permanent Apache configuration changes and only acquire a certificate, by using the certonly option. This will do the verification process (using your running Apache server) and save certificates and account details under /etc/letsencrypt/. Note that certbot may ask to install additional packages on the system the first time you run it.

Certbot successfully detected the name based virtual host definitions in the Apache configuration (including aliases) and allowed me to choose for which domain names to acquire a certifcate. After selecting the domains, the validation process starts and, if successful, a certificate for the domains will be downloaded and made available on the system. This was an impressively simple process.

Configuring Apache on Ubuntu 14.04 to use Let’s Encrypt certificate

Assuming basic SSL support is enabled in Apache, the server runs with default options which come from /etc/apache2/mods-available/ssl.conf and [optionally] /etc/apache2/sites-available/default-ssl.conf. To SSL-enable an existing name based virtual host defined for port 80, I simply copied the defintion to a separate virtual host for port 443. Then I added the following configuration to the new virtual host definition:

<VirtualHost *:443>
  ServerAdmin webmaster@stegard.net
  ServerName  stegard.net
  ServerAlias www.stegard.net

  # Letsencrypt SSL options
  Include /etc/letsencrypt/options-ssl-apache.conf
  # virtual host cert
  SSLCertificateFile      /etc/letsencrypt/live/www.stegard.net/cert.pem
  SSLCertificateChainFile /etc/letsencrypt/live/www.stegard.net/chain.pem
  SSLCertificateKeyFile   /etc/letsencrypt/live/www.stegard.net/privkey.pem

[...]

Note to include the Let’s Encrypt recommended SSL options (have a look at the contents first), then specify the certificate files. This applies to Apache version < 2.4.8. If you are running Apache from -backports on Trusty, or on a newer Ubuntu, then you’ll have version  >= 2.4.10, which needs a slightly different certificate setup:

# Letsencrypt SSL options
Include /etc/letsencrypt/options-ssl-apache.conf
# virtual host cert
SSLCertificateFile      /etc/letsencrypt/live/www.stegard.net/fullchain.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/www.stegard.net/privkey.pem

(The SSLCertificateChainFile directive is deprecated starting with Apache 2.4.8.)

This was the only setup required to get functional SSL for my site.

WordPress and https

My site runs WordPress where the primary site URL uses plain http. This is how I wanted SSL to work:

  1. Both https and http should work across the site.
  2. If site is accessed on https, then all [internal] links and included resources should use https as well. (Enter on https, stay on https.)
  3. Site administration is only available on https.

Number 1 was easy – this works out of the box if Apache is configured correctly. But I got mixed content warnings for various resources inluded in pages when accessing over https. When evaluating how to fix a certain annoyance in WordPress, I tend to look for the simplest solutions which do not require extra plugins first. So I fixed images and other things included in content to use relative URLs. But there were still theme specific resources included with plain http URLs, likely due to the site URL being plain http. Not wanting to spend very much time diagnosing such specific cases, I ended up installing the SSL Insecure Content Fixer plugin. I run this plugin in “simple” mode, which I assume does not have to post-process all content being served (which I really wanted to avoid). That was enough to get consistent https-links when accessing content over https, and so number 2 is considered solved.

Since WordPress has a built in config option to force admin over SSL, adding the following to wp-config.php resolved number 3 on my list of requirements:

/** Admin over SSL */
define('FORCE_SSL_ADMIN', true);

Validating https protocol support

Qualys SSL labs has what looks like a rather thorough online validator for SSL protocol support. I ran my site through this validator and got an A-rating, with no glaring deficiencies. To improve the rating even further, I could have used a stronger RSA key than the default of 2048 bits, but it is certainly good enough for now.

Automatic certificate renewal

Obviously I like to keep site maintenance cost as low as possible, and automating the renewal process of certificates is a must. Certbot makes this very easy as well. I simply created a script in /etc/cron.daily/certbot-renew with the following content:

#!/bin/sh
exec /usr/local/bin/certbot-auto renew --no-self-upgrade --quiet

Make sure it is executable, and then automatic renewal should be all set.

Donations to Let’s Encrypt and the way forward

My first experience with Let’s Encrypt has been great. I’ve spent much longer writing this blog post than the time it took to get the site up and running properly with https support. Good things deserve appreciation, especially when they are given away for free. I made a small donation to Let’s Encrypt for their excellent service.

I will switch my site to use SSL by default given some time. The cost of providing secure http by default has been reduced to something so neglible, I have few reasons not to.