Since 2014 Google has been pushing the use of the HTTPS protocol and SSL certificates on every website. In an official post it announced that HTTPS would begin to influence its ranking algorithm. Now, 3 years later, the process has matured and we can see that most websites are implementing this protocol. Let’s take a look at what HTTPS has to offer:
It offers SECURITY by encrypting communication between our server and the user’s browser. This prevents sensitive information (e.g. usernames, passwords, addresses and other personal data) from being stolen in transit. In addition, our server is identified to the user via an SSL certificate. Our users are thus assured that they are dealing with us, and it becomes harder for anyone to fake our identity. As such, the second advantage of the HTTPS protocol is the CONFIDENCE it generates, further improving the experience of our users and, as we mentioned already, improving our ranking in Google.
However, a recognised SSL certificate is required, which often means that acquiring an SSL certificate results in a considerable expense. Why does this happen? The SSL certificate works as a “passport” for our website and, like every valid passport, it has to come from a recognised authority. Even though we can issue our own certificates, these will not generate enough confidence in users who don’t know us.
Fortunately the situation changed a little over a year ago. Nowadays we can use free certificates issued by Let’s Encrypt. These certificates are acknowledged by any browser, and the installation and renewal processes can be fully automated and are free of charge. This means we no longer run into trouble when implementing this layer of security in our web server. Let’s Encrypt offers everything we need to implement it and many hosting providers already include it within their services. You can check out the list here and resolve any questions with your hosting provider.
Installing a Let’s Encrypt SSL certificate
To install the certificate we’ll use Certbot, the client recommended by Let’s Encrypt. On its website we’ll select the software for our web server and the operating system of our computer (in our case, Apache on Ubuntu 16.04) and we’ll be given the commands we need to run in our server’s console:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
As we can probably guess, these commands install the necessary software to use Certbot. The next step is to execute the config for Apache:
sudo certbot --apache
When we run this command, Certbot lists every domain set up on our server, asks Let’s Encrypt for a certificate for the ones we choose, and automatically configures Apache to make use of them.
We enter the numbers (separated by commas or spaces) of the domains we want to install the certificate for; if we leave the prompt blank, the process runs for every domain shown.
Now hit enter. If any valid certificate had been generated previously for any of the selected domains we’ll be given the option to reinstall it (1) or force its renewal (2).
Finally we’ll have the option to automatically redirect every request to the secure version of our website (2) or keep them independent (1). The common solution is to redirect the traffic to the HTTPS version.
We also have the option to generate and download the certificates without installing them automatically, in case we need to manually configure the server. In this case, the command to execute would be:
sudo certbot --apache certonly
SSL certificates renewal
The certificates issued by Let’s Encrypt have a validity of 90 days. As they explain on their website, this has two objectives: first, it improves security (for the same reasons it’s recommended to change passwords frequently) and, second, it encourages automation of the renewal process.
Automatic renewal is installed with the Certbot package. We can verify that it works correctly by running the following in our terminal:
sudo certbot renew --dry-run
If for any reason we wish to manually renew the certificate we’ll use the command:
sudo certbot renew
Last things to consider
Once the process is over, our server will be secure.
If this isn’t the case and we didn’t receive any error messages during the process, we must check that our webpage’s content is loaded from secure sources. If we see this image in our browser, it indicates that part of the content is coming from unsafe URLs. We must update these links and pay close attention to external content.
If we use the browser inspector we can see which links need to be corrected.
In the case of scripts, it’s extremely important to make sure that the access is given through HTTPS. Otherwise, security restrictions could cause errors in our webpage.