HTTPS On a Website. How To Quickly Get an SSL Certificate
Using the HTTPS protocol instead of the familiar HTTP has lately become a trend. And even more than that, most social networks require it if you want to publish an application, including a Blend4Web application. Let’s take a look at what kind of beast this is and how we can tame it.
The HTTPS protocol extends the well-known HTTP and introduces encryption to tighten up security. To use it, you have to get and install an SSL certificate.
There are various kinds of SSL certificates, and each one comes with its own price. Some of them only verify the domain, others can be used for e-commerce. You can get a beginner-level certificate for free, or even generate it yourself. This latter option isn’t very convenient, though, because if you try to open a website with this kind of certificate, the web browser will warn about an untrusted certificate, which can turn off an unsuspecting visitor.
So, if you don’t want to pay for a certificate, then the only option you are left with is to get a free one. There are several services that allow you to do this. Lately, the Let’s Encrypt service has been gaining popularity. Among its partners and sponsors are well-known organizations such as the Mozilla Foundation, Cisco Systems, the Linux Foundation and others.
This service allows you to receive a fully-functioning SSL certificate, accepted by any web browser, completely for free. However, it is only valid for 90 days. But it also has a definite advantage over other free certificates: you won’t have to restrict commercial activities on your site.
Solution for the Lazy
The Let’s Encrypt service is, in a sense, an API for creating and renewing your certificates. Also, in keeping with the best Linux traditions, it offers you a console tool for performing these tasks automatically. We will get to that, but for now let’s take a look at the other third-party solutions.
The very first thing you should do is carefully examine what your hosting provider offers you. The reason for this is that the service of getting an SSL certificate from Let’s Encrypt is popular nowadays and is featured by many providers. This can usually be done automatically from the control panel.
Second, if you own an entire server and use a server control panel to manage it, then you have the chance to do it from there. The latest versions of the ISPManager and CPanel environments already include modules for generating and renewing Let’s Encrypt certificates.
In ISPManager, you can do this if you enable the module in the program settings. Just make sure that the version of your panel is 5.65.0 and up.
In CPanel, it is done in the Security tab.
For Intermediate Users
If you do not have a control panel or if you are for some reason unable to create a certificate, you can try to use a third-party client. The official site of the certificate authority features an entire list of such clients, but keep in mind that most of them are unofficial.
I, myself, took a liking to the ZeroSSL service that performs all generation actions in the web browser window. Let’s find out how to work with it.
Follow this address to start the constructor and fill in all the fields. Note that you can choose one of the two control options: an HTTP request or a DNS entry. I chose HTTP for this example.
After a few seconds of waiting, a CSR code will be generated. Copy this code and save it to a text file. Press the Next button to generate a service key, and save this as well.
The next step is verification.
Here, everything is simple. For each domain that you want to register, you have to create a file with the name given in the File field, and add the content of the Text field to it. To store these files, create a path like this: root/.well-known/acme-challenge/. Root here is, of course, the root directory of your site.
After doing this, press the Next button, and you will receive a certificate and a key, and also an ID of your account in the Let’s Encrypt service. Don’t forget to save all these.
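One way to create the verification files described above from the console, shown as an added example that is not part of the original article or of ZeroSSL. The function name place_challenge is hypothetical, and the File value is assumed to be a bare token made of letters, digits, '-' and '_'.

```shell
#!/bin/sh
# Added example: place an HTTP verification file under
# <webroot>/.well-known/acme-challenge/ and make it readable by the web server.
#
# Usage: place_challenge WEBROOT FILE TEXT
#   WEBROOT - root directory of the site ("root" in the path above)
#   FILE    - value of the File field (assumed to be a bare token name)
#   TEXT    - value of the Text field
# Prints the path of the created file on success.
place_challenge() {
    webroot=$1 file=$2 text=$3

    # The webroot must already exist; creating it would hide a typo in the path.
    [ -d "$webroot" ] || { echo "no such webroot: $webroot" >&2; return 1; }

    # Accept only a plain file name. This rejects '/', '..' and anything
    # else that could place the file outside the challenge directory.
    case $file in
        ''|*[!A-Za-z0-9_-]*) echo "unexpected file name: $file" >&2; return 1 ;;
    esac

    dir=$webroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1

    # Write the text exactly as given; an extra trailing newline or stray
    # whitespace is a common reason for the check to fail.
    printf '%s' "$text" > "$dir/$file" || return 1

    # The web server must be able to traverse both directories and read the
    # file, whatever umask the current shell happens to use.
    chmod 755 "$webroot/.well-known" "$dir" && chmod 644 "$dir/$file" || return 1

    printf '%s\n' "$dir/$file"
}
```

Call it once per domain, then confirm the file is reachable over plain HTTP at /.well-known/acme-challenge/ followed by the file name before pressing Next.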
For Kool Hackerz
Let’s assume that you don’t trust any third-party clients and are 100% sure that Big Brother is watching you. If this is the case, the official certbot tool is for you.
So, your server runs one of the Linux distributions, and you can access it using SSH (a console, to put it simply).
If you are using Debian, you can install the client directly from the distribution’s repository. In other cases you have to download the package you need from the developer’s web site.
The certbot utility supports lots of various options, but in the end the line for certificate generation should look like this:
certbot-auto certonly --email <EMAIL> --agree-tos --webroot -w <DIR> -d <DOMAIN>
EMAIL is your e-mail address
DIR is a root directory containing your site
DOMAIN is the name of the domain
Keep in mind that you have to update your certificate every 90 days. The command shown below is used just for that. Add it to the cron scheduler’s tasks to get rid of the domain certification problems once and for all.
certbot-auto renew --quiet
And if you want to know about installing the certificate, simply contact your hosting provider. By the way, many site and server management systems give you the option to install it by yourself using a control panel.