Moar HTTPS!

About 13 months ago we bought an SSL certificate for harmsboone.org. Recently we upgraded our SSL configuration for harmsboone.org and all our subdomains (except wedding.harmsboone.org, we’ll get there). Now you can browse Greg and Danielle’s blogs, and Danielle’s new writing project, 1000 Wednesdays, with confidence that nobody, not the government, not your internet service provider, not your crazy neighbor with a WiFi Pineapple, is interfering with the words and photos you see on these pages.

We upgraded the base three, this site and the two blogs a couple months ago with certificates from SSLMate. You can get some sense of how I did it from my friend and colleague Eric Mill’s blog where he has posted an excellent walkthrough. You can also check our work at SSL Labs where we get an A+.

1000 Wednesdays I did this weekend, the same day we registered the domain. It was fully encrypted before we put any content on it at all. It, too, gets an A+. We also snagged a cert for International Underground, with an A+ configuration, while we were at it.

Both of these last two sites are extra hip for being encrypted with a free certificate from Let’s Encrypt, a new non-profit, open Certificate Authority run by the Internet Research Security Group (ISRG). Their goal is to lower the barriers to entry for enabling encryption on web servers so that everybody can be serving content safely to everybody using the Internet. That means, even sites that are more or less dormant like International Underground can ensure that whoever happens upon it is getting content they can trust.

Things that were tricky about converting these sites over:

  • We migrated from a shared hosting environment to a virtual server on NGINX. Let’s Encrypt does not officially support NGINX yet, so we had to install the certificates manually.
  • We had to solve some pretty big mixed content problems. For the most part they were ameliorated by changing the protocol in our various config files.
  • For International Underground, we had to patch a plugin that served a remote file over http. This may have broken the content (it’s a Flash video and I didn’t bother checking to see if it worked).
  • I missed the memo that Let’s Encrypt certificates don’t cover the www subdomain by default, and we (temporarily) lost www on International Underground and haven’t configured it for 1000 Wednesdays. I’m tempted to leave it that way, especially since the latter never responded to www, but the redirect isn’t hard to set if you have the cert to cover it.
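For the www and http-to-https redirects mentioned above, here is an NGINX layout added as an example; it is not the post’s own config or any of these sites’ actual setup. The domain example.org and the /etc/letsencrypt/live paths are assumptions, and the point about www only works if the certificate was issued for both names.

```nginx
# Added example (not the post's own config): NGINX layout for one site with a
# Let's Encrypt certificate. Assumes the cert was issued for BOTH names,
# example.org and www.example.org, and that the files live under the usual
# /etc/letsencrypt/live/<name>/ path; adjust for your own domain.

# Plain HTTP: answer the ACME http-01 challenge, send everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://example.org$request_uri;
    }
}

# HTTPS for www: only works if the cert's SAN list includes www.example.org;
# otherwise browsers show a name-mismatch error before the redirect can happen.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.org;

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    return 301 https://example.org$request_uri;
}

# HTTPS for the apex name: the site itself.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.org;

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    ssl_protocols TLSv1.2;

    # HSTS: once a browser has seen this it upgrades http:// links to this host,
    # sub-resources included, which removes same-host mixed content.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.org;
    index index.html;
}
```

Run `nginx -t` before reloading, and check the result at SSL Labs as the post does; an A+ still depends on the cipher and protocol settings, which this fragment only sketches.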

Overall, even though it took a few steps more than SSLMate, I was pretty impressed with Let’s Encrypt. For a public beta it is a great service that’s only going to get better. I hope to move all our sites to LE eventually but I’m going to get my money’s worth on the certs I paid for first.