It's free with LetsEncrypt and certbot should be pretty easy to set up.
+1
agreed. :D i'm using let's encrypt too, it's easy. just setup and forget.
I don't think it's just "setup and forget" unless you have a proper script to ensure it is renewed every 3 months.
i think that's already implied in setup process? :)
just add to cron
certbot-auto renew --no-self-upgrade
Well, that is not in the "setup" process. It is something you had to add if you want an auto renewal. :P
It adds the cron for you and it's on the installation instructions. I'd call that part of the setup process, but you're arguing semantics.
LOL...
Is that new or was I making things (slightly) too complicated exactly one year ago? http://fransdejonge.com/2016/05/lets-encrypt-on-debianjessie/ I mean, even without something that helps you set up the cron job it's quite easy… :P
I kinda have a mixed feeling when certbot's command is mixed with letsencrypt's, so does it really work that way or it really works that way? :-X
I'm not really sure what you mean. It's the same thing. ;)
$ apt search certbot
Sorting... Done
Full Text Search... Done
certbot/testing,testing 0.10.2-1 all
automatically configure HTTPS using Let's Encrypt
letsencrypt/testing,testing 0.10.2-1 all
transitional dummy package
IIRC, because the client is now maintained by EFF: https://certbot.eff.org/
The repository mentions that: https://github.com/certbot/certbot
I forgot when exactly this happened, maybe when the Let's Encrypt client was still in beta. I held back on deploying it, and when I was ready to set it up, suddenly certbot was the new client. haha. :D got me confused for a few days.
For Ubuntu 16.04, the default is still the old LE where only apt install letsencrypt is possible. You need to install certbot ppa to it or use Ubuntu 16.10 (with apt install certbot) if you want to use certbot instead.
That said, when will we see the green padlock here?
@emanuele45,
@Spuds ... ?
I have close to no knowledge on the matter (and I prefer not to touch the server LOL), so it's Spuds' call here. Or
@TE if he comes around. :P
BTW: I just started researching how to set up ssl on my localhost before google kills desktop notifications support for non-SSL sites... what a pain. ::)
Better open your own topic for your services and put some signature in your profile with a link to them
@Brother John. You don't wanna hijack any topics just to promote your services, do you?
Thank you, Brother!
It will always display an error for localhost
If you are using a Cpanel hosting platform it is really simple. The SSL/TLS Manager will allow you to generate SSL certificates, certificate signing requests, and private keys. These are all parts of using SSL to secure your website. SSL allows you to secure pages on your site so that information such as logins, credit card numbers, etc are sent encrypted instead of plain text. It is important to secure your site’s login areas, shopping areas, and other pages where sensitive information could be sent over the web.
If you will use the link, username, and password that I have provided for you below you will be able to see a real CPanel. Go to where it says SSL/TLS and click on it to see what I'm talking about.
@emanuele45, you can rename your localhost to any fqdn and get ssl certs for that fqdn. Other than using certbot, you can try acme.sh in obtaining and auto renewing LE ssl certs for it as well.
I'm far before this step, I just managed to understand how to have the server respond when I point the browser to https. xD
I haven't done this, but would you still get a certificate error?
You shouldn't get an SSL error in your browser if LE certs can be issued and then properly installed for the localhost site.
Joshua Dickerson, you could get an error if the certificate is bad. I have bought them and they were bad; of course, they were replaced by the co. I bought them from. It's just a pain when you get a bad certificate. It doesn't happen that often.
I see HTTPS now but you can still visit non https:// http://www.elkarte.net/ shouldn't that be redirected to the https version?
Also I see HTTP/2.0 not supported and site is still using PHP 5.4
You may run into a problem with some anti-virus software showing an error if someone tries to visit your website. Not having one can end up doing you more harm than good and if you are selling products through your website you could be held liable for not protecting your client's info. They are cheap, around $5.50/year. I use them to protect my clients and my own info. My site that I started here has one https://realchristchurch.com. I use this site to test my SSL's with https://www.sslshopper.com/ssl-checker.html#hostname=www.realchristchurch.com
While "rolling" https out we chose not to enable redirect, just in case we had to back things out.
I don't think the current version of nginx on the site supports http/2.
PHP could be updated
nods
Very true about the PHP. I can change the PHP for my Clients from 5.4 - 7.1
Oh, is that why I've been seeing some weird logged in/not logged in stuff? I didn't bother investigating, thinking it was probably some cache fluke on my end.
redirect has been enabled ;) Should be fixed within the next few minutes ...
/me bans
@IchBin for not using a safe avatar! xD
Nah, it uses Telnet! :P
It's not. The problem is related to elkarte.net vs www.elkarte.net. I don't know what the previous behavior was, but it must've been proper. I always type no-www and expect the site to 301 redirect if it wants to (and vice versa from www to no-www!). Anything else is bad website behavior.
1. I go to elkarte.net (not logged in).
2. I click login (link points to www.elkarte.net ?action=login).
3. I'm logged in on www.elkarte.net without being prompted for a password (as expected).
Of course you can replace 2 by just clicking on home or typing www.elkarte.net etc.
@Spuds regarding this, I updated the site with the pull request I sent https://github.com/Spuds/Elk_Image_Cache/pull/2 seems to work, but I'm not sure if I broke anything else... especially because I didn't check if the code here at elk.net was the same as the one in the repo... sorry, I realized only while writing this text and I have already closed the file, so undo is not an option anymore... :'(
/me feels stupid.
I should be fine :) I had updated the repo with the change I made for 1.1 final. Cool work on the avatar update !
Should be fixed, I've added some code to our index.php (homepage).. Just posting it here so others could benefit from the solution..
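// Send requests for the bare domain to the www host with a permanent (301) redirect.
// HTTP_HOST is taken from the Host header sent by the client.
if (substr($_SERVER['HTTP_HOST'], 0, 4) !== 'www.') {
    header('Location: https://www.' . $_SERVER['HTTP_HOST'], true, 301);
    exit;
}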
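A hardened variant of the redirect snippet above, as an added example that is not part of the original post or ElkArte's code: it builds the Location value from a configured constant instead of the client-supplied Host header, keeps the request path and query, and sends a 301. The CANONICAL_HOST constant and the canonical_redirect() helper are hypothetical names, and the sample requests are constructed.

```php
<?php
// Added example, not ElkArte's code. CANONICAL_HOST is an assumption taken
// from the host name discussed in the thread; adjust it per site.
const CANONICAL_HOST = 'www.elkarte.net';

/**
 * Return the absolute URL a request should be redirected to, or null when
 * it already arrived on the canonical host.
 */
function canonical_redirect(array $server): ?string
{
    // The Host header is client-supplied: use it only for comparison,
    // never as part of the Location value.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = rtrim(preg_replace('/:\d+$/', '', $host), '.');
    if ($host === CANONICAL_HOST) {
        return null;
    }

    // Keep path and query so deep links such as ?action=login survive.
    // Anything that is not an origin-form target falls back to "/".
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/' || strpbrk($uri, "\r\n") !== false) {
        $uri = '/';
    }
    return 'https://' . CANONICAL_HOST . $uri;
}

if (PHP_SAPI !== 'cli') {
    // Web request: send a permanent redirect when one is needed.
    $target = canonical_redirect($_SERVER);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
} else {
    // Command line: run against constructed sample requests.
    $samples = [
        ['HTTP_HOST' => 'elkarte.net', 'REQUEST_URI' => '/index.php?action=login'],
        ['HTTP_HOST' => 'www.elkarte.net', 'REQUEST_URI' => '/'],
        ['HTTP_HOST' => 'unexpected.invalid:8080', 'REQUEST_URI' => 'http://x/'],
    ];
    foreach ($samples as $s) {
        echo $s['HTTP_HOST'], ' => ', canonical_redirect($s) ?? '(no redirect)', "\n";
    }
}
```

Run from the command line it prints the decision for each sample; included at the top of index.php it performs the redirect. It only canonicalises the host name, so the http-to-https redirect stays in the web server configuration.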
Seems to work okay. Btw, it probably doesn't matter much if at all unless you have really high traffic but doing it on the server ought to be faster: http://www.yes-www.org/redirection/
The best way to check your SSL certificate to see if it's good is here: https://www.sslshopper.com/ssl-checker.html#hostname=https://www.elkarte.net/
You can see how I set it up to check the SSL for https://www.elkarte.net/
Cool !
That's quite an old version of nginx.
Yes, but it serves its purpose.
Yeah, so long it works without any serious vulnerabilities, it should be fine, I think.
I still wonder if HTTPS can be used to sniff out people and control things somehow. Like they do a lot of weird things to ruin the internet these days. I just wonder if there is some Luciferian thing behind it, but know too little about it.
I use it on my website as well, but I seem to hit into a lot of pages where I am told not to go into because there is an issue - and now FTP seems to have something of the same. Just more work it seems and I still wonder if there is anything that can further help the people who want to control everything in this world by using HTTPS.
Well at least Google is pushing https websites apparently as I understood, giving them preference compared to http sites. Just so annoying when you hit into pages where there is an issue because of it using https. Well... I don't know enough technical things to know if there are any backdoors in this system or not. Maybe some of you more knowledgeable on that subject know. Sure, safety for website and users it is said, but is there anything behind it that can be used to further control users?
It's really sad to see how the internet has become mainstream, like one of the reasons I got my TV out was because of all the propaganda - and now it is all over the internet. Not only is the mainstream nonsense propaganda all over, so is control and censuring.
Actually, https should serve to do quite the opposite. The premise is preventing third party snooping. ;)
Yea, but what I'm thinking, if there is someway a backdoor or hidden agenda behind promoting it.
Since the alternative is transmitting all information over the wire in plaintext, human readable format, Ima say there is not a hidden agenda. In terms of security it couldn't be any worse than that.
Is there a backdoor? Again Ima say no because high level governments are beginning to push for precisely that, as even they cannot reliably intercept encrypted intel.
Is it foolproof? Of course not. Information security will always be a cat and mouse game. Each time a hole is discovered, it gets plugged. Then the search is on for a new hole. Repeat ad nauseam.
@badmonkey What does ima mean?
It's internet lingo for "I am".
If you don't feel comfortable using https, don't sweat it that much. We forum owners are unlikely to handle highly sensitive information, such as financial credentials. It is a personal choice.