Let's Encrypt

Posted on December 08, 2015 · 4 mins read

Take a look at your URL bar. See that green lock? That’s about 10 hours of work this weekend, approximately 9 more than planned! Nevertheless, I am happy to share that all of my personally-hosted sites are now served exclusively via SSL thanks to Let’s Encrypt.

Let’s Encrypt is a new certificate authority issuing free SSL server certificates. This means all communication between your browser and my server is encrypted. (Sorry NSA.)

So why did it take 10 hours? I had to build a new server. My old server, hosted on Digital Ocean, ran CentOS 6 which did not have the requisite Python 2.7.x. I could have simply compiled Python 2.7.10; but, I wanted to upgrade to CentOS 7 and get my hands dirty with Salt again, since I hadn’t touched it in a while and we use Ansible at edX. This, naturally, led to having to remember how to use Salt. That took a few minutes.

Great, new machine is online. Not quite. It turns out that on CentOS 7 MySQL has been replaced by MariaDB as the default database server. Given that my main goal was to get SSL certificates, I didn’t want to deal with learning a new database server. I proceeded to waste time attempting to add the MySQL Community Edition repo to CentOS and install MySQL. I do not recommend this. When I initially read about MariaDB, I didn’t fully understand the fact that MariaDB is intended to be a fully-compatible replacement for MySQL. The binaries and services have the same names as their MySQL counterparts. The configuration format is the same, and so on. There was no need to use MySQL. Both Salt and WordPress are compatible.

Great, new machine is online…kinda. I still had to get SSL certificates. It took me way too long to understand how the letsencrypt client works primarily because I did the one thing you shouldn’t do when learning a new technology: take a shortcut. In this case I figured I’d use a pre-existing Salt formula and speed things along. The problem with this approach is that I lost a lot of time debugging when that formula did not work as expected.

What I now understand is that, in order to verify my ownership of my domains, the client needs to expose challenge files at a well-known path (`/.well-known/acme-challenge/`) on my web server (nginx), which Let’s Encrypt then fetches over plain HTTP. The client has support for doing this auto-magically for Apache, but not nginx. This process is explained on the Let’s Encrypt site. Once I understood that, updating nginx was simple.
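For reference, here is an nginx configuration that serves the challenge files the way the client expects. This is an added example, not the configuration from the original post; the webroot `/var/www/letsencrypt`, the site root `/var/www/html`, and the domain `example.com` are assumptions to be replaced with your own.

```nginx
# Added example, not the post's own config. Assumed names: the webroot
# /var/www/letsencrypt, the site root /var/www/html, and example.com.

server {
    listen 80;
    server_name example.com www.example.com;

    # Serve ACME HTTP-01 challenge files over plain HTTP. The client writes a
    # token file under this path and Let's Encrypt fetches it on port 80, so
    # this location must stay reachable even with the HTTPS redirect below.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Paths the Let's Encrypt client uses for the issued certificate and key.
    # This block can only be loaded after the first certificate is issued,
    # because nginx refuses to start when these files are missing.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/html;
}
```

Reload nginx, then confirm the path is really served before asking for a certificate: drop a test file into `/var/www/letsencrypt/.well-known/acme-challenge/` and fetch it with `curl http://example.com/.well-known/acme-challenge/<file>`. Once that works, the client's webroot mode writes and cleans up the real challenge files itself: `letsencrypt-auto certonly --webroot -w /var/www/letsencrypt -d example.com -d www.example.com`. Keep the `listen 443` block out of the config (or commented) until that first run has succeeded.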

Next came a bit of data transfer from the old server to the new server and DNS updates. Once the DNS changes propagated, getting the certificates was super-simple!

My file server needed no changes since it just hosts files for photography clients. Wordshapes needed an update (http -> https) to a Bootstrap CDN URL. WordPress, however, was another beast. This site, and my photography site, needed minor changes to image URLs. My dad’s site…oh my! That man loves embedding images, some of them way too big in size. Fortunately, there is a plugin to help identify content with non-https URLs; but, it’s still tedious to update them all. Whoever decided to not use relative URLs when embedding images is an evil person.

Wrapping it all up, my project that started at 4 PM on Saturday concluded around 2:20 AM Monday. Better documentation on the part of Let’s Encrypt would have helped reduce the time spent on this project. At some point, I’ll file a pull request to rectify this.