Use LetsEncrypt to Enable HTTPS on your Web Server for Free

LetsEncrypt offers free SSL certificates for websites, allowing you to protect users who access your site.

This guide will go step by step moving an unencrypted HTTP website to using HTTPS on Nginx. For the purpose of this guide, I’ll be using the website guide.highguard.net. There is no content there.

Lets start with the site in nginx.

server {
server_name guide.highguard.net;
listen 80;
listen [::]:80;
root /var/www/guide;
index index.html;
access_log off;
error_log off;
location /favicon.ico {
log_not_found off;
access_log off;
}
location ~ /\.ht {
deny all;
}
}

Right now the URL guide.highguard.net will show whatever is located at /var/www/guide/index/html on the server. To enable HTTPS we will need to get a certificate from LetsEncrypt using CertBot, then set up the site to use it and also redirect HTTP requests to use HTTPS in an intelligent manner. Lets start with getting the certificate.

Install Certbot with apt install python-certbot python-certbot-nginx, if you are using a distribution other than Debian, the package may have a different name or might not be available. The binary can be downloaded from the EFF.

Use Certbot to automatically create a challenge, request the certificate, download it, and install it.

certbot --nginx certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: guide.highguard.net
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for guide.highguard.net
Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0000_key.pem
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0015_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0015_csr-certbot.pem

The certificate is generated and dropped into /etc/letsencrypt/live/guide.highguard.net/. Now we can make changes to the config file for the site to take advantage of the certificate. The easiest way to do that is to change the top of the server block so that it will use SSL, then add a new server block that uses non-SSL to redirect unencrypted connections to HTTPS.

The new server block:

server {
server_name guide.highguard.net;
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
access_log off;
log_not_found_off;
}

Then put the old server block right below that with minor changes. Change the listen ports from 80 to 443 ssl and add the path to the cert.

server {
server_name guide.highguard.net;
listen 443 ssl;
listen [::] 443 ssl;
ssl_certificate /etc/letsencrypt/live/guide.highguard.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/guide.highguard.net/privkey.pem;
root /var/www/guide;
index index.html;
access_log off;
error_log off;
location /favicon.ico {
log_not_found off;
access_log off;
}
location ~ /\.ht {
deny all;
}
}

Google and Mozilla are pushing for HTTPS to be everywhere

If your default browser is Firefox or Chrome you have have notice recently that both browsers are starting to take a harder stance on insecure login pages.

Whenever inputting text to a field, or when on a login page not secured with HTTPS, both Firefox and Chrome have their own ways of notifying users that the data they are sending, such as passwords or credit card numbers could be intercepted by someone bad.

Chrome is showing “Not secure” next to the URL bar and Firefox puts a banner under the password field of text boxes.

Firefox:

Chrome:

Users on twitter are seeing these notifications and taking it up with the companies that run the sites.

https://twitter.com/search?q=%22log%20in%22%20%22not%20secure%22&src=typd

https://twitter.com/search?q=%22log%20in%22%20%22not%20secure%22&src=typd

Why certifications are valuable in IT

I made the decision before leaving high school that I did not want to go to college. As I knew that I was going into the tech industry I was already well aware of the downsides of getting a degree. A degree proves that you learned about both your trade as well as took classes in other fields to come out after four or so years with a well rounded education. After that, there is nothing. You pay an exuberant amount of money for degree with no future course, and possibly nothing that would prove that you are good at what you actually want to do. A computer science degree can get you helpdesk, maybe a sysadmin position, or something in management, but dont expect a degree to get you seated in a position working cryptoanalysis or offensive security.

On the other hand, certifications allow you to create a much longer road for your further education. you can start with simple certifications and move up towards proving that you are good at what you want to do. Two years of study for certifications is much less expensive than college, and gives you a longer list of accomplishments that are more specific to the dream job that you chase. The technology industry is changing rapidly, meaning that education becomes obsolete much faster than in many other sectors. a four year degree loses a lot of its value after a decade, but because of the ongoing nature of certifications, your knowledge, and proof of that knowledge is constantly updating and staying current.