Conrad Bailey

How To Make This Website - Part 4: Adding SSL With Let's Encrypt

What Is SSL?

SSL stands for Secure Sockets Layer. Strictly speaking its successor, TLS (Transport Layer Security), is what runs underneath HTTPS today, but "SSL" has stuck as the everyday name, and it is the "s" in HTTPS. It's the reason a little lock icon appears near the address bar when visiting some websites. HTTPS traffic is encrypted and HTTP traffic is not. This means when you make a regular HTTP request, every machine between you and the destination can read in plain text what you are requesting and what comes back, and can alter either in transit. When you make an HTTPS request, the content of that traffic is indecipherable to everybody but you and the destination; the machines in between can still see which host you are talking to and roughly how much data moves, but not the pages, form submissions or cookies. I am of the belief that this is a good thing and should be the default form of traffic.

What Is Let's Encrypt?

First of all, in order for HTTPS to work, your browser needs a reason to believe that the public key a server presents really belongs to the site it claims to be; otherwise anyone sitting in the middle could hand you a key of their own. Enter the certificate authorities (CAs). A CA will give a website admin a challenge to prove control over the domain, such as serving a specific file from it or publishing a specific DNS record. Once that is proven, the CA signs a certificate binding the domain name to the admin's public key, and browsers, which ship with the CA's root certificate, accept it. But it traditionally cost money, sometimes a lot, to get that certificate. That's where Let's Encrypt comes in; they issue certificates for free, through an automated protocol called ACME that tools like certbot speak. So naturally I went there for my certificate!

Getting The Certificate

If you read Part 3, then you know this website answers on the bare domain plus two sub-domains: www and stage. Thankfully there are wildcard certificates which will secure any number of sub-domains one level below the domain: *.domain.name covers www.domain.name and stage.domain.name. It does not cover domain.name itself (nor anything deeper, like a.stage.domain.name), so the bare domain has to be requested as a second name alongside the wildcard. Let's Encrypt only issues wildcards through the DNS challenge, which is why the Linode DNS plugin is needed here rather than the simpler HTTP challenge.

Install certbot and the Linode DNS plugin with

$ sudo pacman -Syu certbot-nginx certbot-dns-linode

Now go to the API Keys section of your Linode profile and create a new one (Linode calls these Personal Access Tokens). Give it only the Domains read/write scope: this token lets its holder edit your DNS records, and anyone who can edit your DNS can pass the same challenge and obtain certificates for your domain, so it should not be able to do anything else. Make sure you copy the key somewhere because you can't get it back after you leave the page. Open /srv/domain.name/linode_creds.ini for editing and insert this line

dns_linode_key = the_api_key_you_just_made

Lock down the permissions so that only root can read the file. The token inside it is as sensitive as a password, and certbot warns when the credentials file is readable by anyone else:

$ sudo chmod 600 /srv/domain.name/linode_creds.ini

Now request the certificate (of course replacing domain.name with your real domain name). The wildcard and the bare domain are separate names, so both -d flags are needed. The --server flag points at the ACME v2 endpoint, which is the only one that issues wildcards; newer certbot releases default to it, so the flag is harmless to keep.

$ sudo certbot -a dns-linode -i nginx \
    -d "*.domain.name" -d domain.name \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --dns-linode-credentials /srv/domain.name/linode_creds.ini

You will get prompts for an email address, agreement to their Terms of Service, and whether you want emails from the EFF. After that the bot creates the DNS challenge records through the Linode API and you just have to be patient while they propagate. By default the plugin waits about 16 minutes before asking Let's Encrypt to verify the records (the wait is controlled by --dns-linode-propagation-seconds).

When that process completes you will be asked which nginx server blocks should be modified to serve the certificate; I chose all of them. Then you'll be asked which server blocks should redirect HTTP requests to HTTPS; I chose all of them.

The bot will take care of all the nginx config changes and reload the server automatically, so whenever it completes you should be serving up fresh HTTPS responses!
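Once the bot reports success, it is worth checking what was actually installed. The script below is an added example, not part of the original post or of certbot; it assumes a POSIX sh, the placeholder domain.name, and that openssl, curl and certbot are on the path for the live check. name_covers implements the one-label wildcard matching rule browsers apply to certificate names (RFC 6125), which is the reason the wildcard alone would not have covered the bare domain; creds_locked_down checks the token file permissions from the step above; live_check talks to the real server and is therefore only run by hand.

```shell
#!/bin/sh
# Added example (not from the original post or certbot): post-issuance checks
# for the wildcard certificate requested above. 'domain.name' is a placeholder.

# name_covers PATTERN HOST -> exit 0 if certificate name PATTERN covers HOST.
# A '*' matches exactly one DNS label (RFC 6125 section 6.4.3), so
# '*.domain.name' covers 'stage.domain.name' but neither 'domain.name'
# nor 'a.b.domain.name'.
name_covers() {
    pattern=$1
    host=$2
    case $pattern in
        \*.*)
            suffix=${pattern#\*.}
            # HOST must end in ".suffix" ...
            case $host in
                *."$suffix") ;;
                *) return 1 ;;
            esac
            # ... and the part matched by '*' must be one non-empty label.
            label=${host%."$suffix"}
            case $label in
                ''|*.*) return 1 ;;
            esac
            return 0
            ;;
        *)
            # Non-wildcard names must match exactly.
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# cert_covers HOST NAME... -> exit 0 if any of the certificate's names covers
# HOST. With both names requested above (*.domain.name and domain.name) every
# host this site uses is covered; drop either -d flag and something breaks.
cert_covers() {
    target=$1
    shift
    for name in "$@"; do
        if name_covers "$name" "$target"; then
            return 0
        fi
    done
    return 1
}

# creds_locked_down FILE -> exit 0 if FILE is readable by its owner only
# (mode 600 or 400). certbot warns when the token file is any more open.
creds_locked_down() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case $perms in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks that need the server to be reachable; run by hand after certbot
# finishes (nothing below is executed just by sourcing this file).
live_check() {
    site=$1
    # Issuer, validity window and the SANs actually served on port 443.
    openssl s_client -connect "$site:443" -servername "$site" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer -dates -ext subjectAltName
    # Plain HTTP should answer with a 301 redirect to https://.
    curl -sI "http://$site/" | head -n 1
    # Confirm renewal will work, without actually renewing anything.
    sudo certbot renew --dry-run
}
```

The matching rule is the part people most often get wrong: a wildcard is not "everything under the domain", it is exactly one label, so if a deeper host such as a.stage.domain.name ever appears it will need its own name on the certificate.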

Wrap Up

The certificates do expire after 90 days. Check out the bottom of this page for more information about automatic renewal!

You're now ready to add tons of content to your site. Make it happen!