How to use HTTPS

I was wondering if someone would be able to explain to me how to make my website HTTPS instead of HTTP. Also, some good places to get either a free or paid SSL cert.

  • OS: Ubuntu Server 16.04 (Running in a Xen VM)

  • Web Server Version: Apache/2.4.18 (Ubuntu)

  • Web Server Build: 2016-07-14T12:32:26

  • I already have a domain and website setup

Any Help would be appreciated. Thanks.

Let's Encrypt

3 Likes

Here is a guide from Digital Ocean for Let's Encrypt on 16.04

1 Like

Person above me may have nailed it.

I'll leave my original post up though...

High level overview here:

Generally speaking you'll want to generate a private key on your server (don't give it to anyone! OpenSSL is your friend here) and a CSR, and ship it to a CA (Let's Encrypt, as mentioned).

They'll send you a public cert and a CA cert (maybe a couple of extra files). Depending on your Apache setup you may want to install the SSL module and include it in the http.conf. Then, once again depending on setup, in the http.conf or ssl.conf in your Apache dir, point to where these files live.

1 Like
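The procedure described in the post above (private key and CSR made on the server, then an Apache vhost pointing at the files the CA sends back), as an added example that is not part of the original thread. The domain name, output directory, DocumentRoot and the file names for the returned cert and chain are assumptions for illustration; the key and CSR generation itself is plain OpenSSL.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the server-side private key
# and CSR, checks the CSR, and writes a matching Apache 2.4 SSL vhost.
# Domain, directories and the cert/chain file names are assumptions.
set -eu

# Generate a 2048-bit RSA private key (which never leaves this server) and a
# CSR for domain $1, writing both into directory $2. umask 077 makes sure the
# key file is created without group/world read permission.
gen_key_and_csr() {
    domain="$1"
    outdir="$2"
    mkdir -p "$outdir"
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/$domain.key" \
        -out "$outdir/$domain.csr" \
        -subj "/CN=$domain" >/dev/null 2>&1
    # Verify the CSR's own signature before shipping it to the CA.
    openssl req -in "$outdir/$domain.csr" -noout -verify >/dev/null 2>&1
}

# Print the subject CN embedded in CSR $1 (the name the CA will issue for).
# Handles both "subject=/CN=x" (OpenSSL 1.0) and "subject=CN = x" (1.1+).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Print a minimal Apache 2.4 SSL vhost for domain $1. $2 is the directory
# holding the private key plus the cert ($1.crt) and chain (chain.pem) that
# the CA returned; those two file names are assumptions.
write_vhost() {
    domain="$1"
    certdir="$2"
    cat <<EOF
<VirtualHost *:443>
    ServerName $domain
    DocumentRoot /var/www/$domain
    SSLEngine on
    SSLCertificateFile      $certdir/$domain.crt
    SSLCertificateKeyFile   $certdir/$domain.key
    SSLCertificateChainFile $certdir/chain.pem
</VirtualHost>
EOF
}
```

On Ubuntu's Apache packaging the "install the SSL module and include it" step is `sudo a2enmod ssl`, the vhost goes in `/etc/apache2/sites-available/` and is enabled with `a2ensite`, and `apachectl configtest` followed by a reload picks it up. With Let's Encrypt's own client the key/CSR/install steps are done for you, but the files it leaves behind are the same three the vhost above points at.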

So do I need to buy anything using these methods, or is letsencrypt free?

Let's Encrypt is free.

Ok, imma go try to get it working, thanks for the help.

Everything seems to be working, thanks for the really quick responses! Fastest forum I have ever been on :)

Everyone is right, Let's Encrypt.

Here are some actionable instructions.

1 Like

I'd always suggest (if the cost is viable) later down the line investing in a proper SSL certificate that you have the private key for.

But Let's Encrypt is good for now.

Let's Encrypt is a proper certificate.

Doesn't it provide you with a certificate that's only signed for like 90 days?

Or am I mistaken?

Yes, certificate lifetime is 90 days, though the recommendation is to have them renew every 60.

Do you supply your own certificate to be signed or is it provided by them?

Also, that lifetime is interesting. On one hand it stops leaked certificates from causing too much damage. On the other, it might cause people to come to accept constantly changing SSL certificates, which might allow sophisticated MitM attacks with signed certs to go more unnoticed.

The tutorial shows a cron job that you can create that will auto-renew it.

Also, I think that Let's Encrypt gives you a self-signed cert, so while it will still encrypt your data it doesn't vouch for your validity like the paid ones do.

I'm no expert though.
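The renewal rule from the two posts above (90-day lifetime, renew at 60 days, i.e. when fewer than 30 days remain) as an added example, not code from the thread or from Let's Encrypt's client. It uses `openssl x509 -checkend` so the date arithmetic is portable; the 30-day threshold, the test certificates and the renewal command passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Decides whether a certificate is inside
# its renewal window and, if so, runs the supplied renewal command. The
# 30-day default window and the self-signed test certs are assumptions.
set -eu

# Return 0 (true) if cert $1 expires within $2 days (default 30), or has
# already expired; return 1 if it is still good beyond that window.
# openssl's -checkend exits 0 when the cert is still valid after N seconds.
needs_renewal() {
    cert="$1"
    days="${2:-30}"
    secs=$((days * 24 * 60 * 60))
    if openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Run the renewal command (everything after the first two args) only when
# cert $1 is due within $2 days. Intended to be called from cron, e.g.
#   0 3 * * * /usr/local/bin/renew.sh   (schedule is an assumption)
renew_if_due() {
    cert="$1"
    days="$2"
    shift 2
    if needs_renewal "$cert" "$days"; then
        "$@"
    fi
}

# Create a throwaway self-signed cert at $1 valid for $2 days, so the window
# logic can be exercised without talking to a CA. Test helper only.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1" -days "$2" \
        -subj "/CN=renewal.test" >/dev/null 2>&1
}
```

In practice the renewal command would be the CA client's renew operation (for Let's Encrypt's client, `certbot renew`, which itself only renews certs that are close to expiry), and the point of running the check daily rather than exactly every 60 days is that a failed attempt still leaves the remaining days as retry slack before the cert actually lapses.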

You can check their site for how they do certificates. The 90-day limit is partly to reduce issues from stolen or misissued certificates, and partly to encourage automation.

People don't accept changing certificates because people never noticed valid changed certificates.

@bert_maklin this is wrong. Let's Encrypt provides signed, trusted certificates that are completely valid in all browsers. It is (arguably) one of the largest certificate authorities available. Let's not downplay it.

Now that's just wrong.

Yeah

Ok Cool, Just out of curiosity though what do paid certs offer over using a let's encrypt one then?

In reality nothing, unless you want extended validation (you're not getting it).
Let's Encrypt won't give wildcard certificates, but it's more automated so that isn't required.
And that's about the only difference.

Interesting. I'll have to read about it.

Thanks for your insight.