You may have noticed a little downtime on the site yesterday (sorry about that). It’s all for a good cause: the site is now hosted on Digital Ocean, with Nginx proxying requests through to Apache running PHP7, and a free SSL certificate from Let’s Encrypt.

The site wasn’t particularly slow, but it wasn’t fast either, being hosted on one of my old shared reseller servers (lazy, I know). Now on a small 512MB, $5-a-month droplet it’s running at least 50% faster.

I’ll be talking more about the performance and server setup in a future post, but for now I want to focus on Let’s Encrypt.

Let’s Encrypt

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

In short, Let’s Encrypt is a great new open service which allows you to serve your site over HTTPS FOR FREE!

What’s more, the process of obtaining an SSL certificate is simplified: there is no need to contact certificate authorities, download certificates, upload them to server control panels, etc.

If you run Apache you can simply request the certificate from the command line and the client will automate the rest for you.

I’m not using Apache to serve the SSL; that’s done by Nginx in front, as Nginx is much faster at it. Even so, the “manual” generation is still pretty automated: all that was left for me to do was set up the Nginx server configs to serve the certificate.

What’s more, Let’s Encrypt will auto-renew your certificates periodically. Simply set up a cron job to run the renewals:

To set all this up I followed a pretty handy guide found on Digital Ocean here: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

It’s all self-explanatory and I didn’t come across any problems en route, but there is a gotcha I found around the web (luckily before I started).

You need to issue one certificate for BOTH www and non-www.

Regardless of whether you redirect www to non-www or the opposite, when generating a certificate make sure you issue it for both names at the same time (one certificate, not two separate ones) and then do your redirects as normal:
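As an added example (not from the original post or the Digital Ocean guide), this is the Nginx layout the gotcha implies: one certificate covering both names, TLS terminated by Nginx, and requests proxied through to Apache. The domain example.com, the Apache upstream 127.0.0.1:8080 and the challenge webroot /var/www/letsencrypt are placeholders.

```nginx
# Added example, not the post's own config. Placeholders: example.com,
# Apache on 127.0.0.1:8080, ACME challenge webroot /var/www/letsencrypt.
# Certificate paths follow the Let's Encrypt client's /etc/letsencrypt/live layout.

# Plain HTTP for both names: answer ACME challenges, send everything else to HTTPS.
server {
    listen 80;
    server_name example.com www.example.com;

    # The webroot plugin writes challenge files here; keep this reachable over HTTP.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://example.com$request_uri;
    }
}

# HTTPS for the www name: it only redirects, but the TLS handshake completes
# before the redirect is sent, so the certificate presented here must include
# www.example.com. This is why one certificate covering both names is needed.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    return 301 https://example.com$request_uri;
}

# HTTPS for the canonical name: same certificate, then proxy to Apache.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # Pass the original host and scheme so Apache/PHP sees the real request.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Run `nginx -t` after installing the config; if the www name is missing from the certificate, browsers visiting https://www.example.com will show a certificate warning before they ever see the redirect.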

This new service is great, and I believe they are working on adding automated Nginx support once they have finalised Apache, which is just another bonus.

It’s all the more important now that Google’s search rankings take site security into account.