You may (or may not) have noticed that alureon.net is now served over strong TLS encryption!  This is a big win for me, as it’s always been something that has puzzled me.

You can check the certificate yourself in Chrome using Developer Tools

TLS in Chrome's developer tools

Aww yeah!

What Not To Do

Tempting as it might be, you apparently cannot self-sign a certificate and expect any browser not to freak out about it.

openssl req -x509 -new -nodes -key alureon.key -sha256 -days 1024 -out alureon.pem

(This opens up a whole new basket of problems with Subject Alternative Names as well.  Just don’t do it.)

Expecting users to click through the “INSECURE” prompts or install your root certificate seems a bit unreasonable in most cases.
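To make the browser's objection concrete, here is an added shell example (not from the original post) that generates a throwaway self-signed certificate for the made-up host demo.invalid, asks openssl to validate it against the system trust store (the same decision a browser makes), then validates it again with the certificate itself pinned as the CA, which is what "install your root certificate" amounts to. It also prints the Subject Alternative Names, since modern browsers match the hostname against those rather than the CN. It assumes an OpenSSL 1.1.1 or newer binary on PATH (for -addext) and a POSIX shell; the hostname and file names are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): show offline why a self-signed
# certificate is rejected by default and what "trusting it" really means.
# demo.invalid and the file names are made up for this demo.
set -eu

# Generate a throwaway self-signed cert plus key into directory $1.
make_self_signed() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$dir/self.key" -out "$dir/self.pem" \
    -subj "/CN=demo.invalid" \
    -addext "subjectAltName=DNS:demo.invalid,DNS:www.demo.invalid" \
    >/dev/null 2>&1
}

# Validate against the system trust store only. A self-signed cert has no
# trusted issuer, so this prints "untrusted"; a CA-issued one prints "trusted".
verify_against_system_store() {
  if openssl verify "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Validate with the cert itself pinned as the CA: this is the state a client
# is in after someone installs the cert as a root, and the chain now checks out.
verify_with_pinned_ca() {
  if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Print the SAN entries as a comma-separated list. Without these, name
# matching fails in current browsers even when the issuer is trusted.
list_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# Run the three checks on a fresh cert and clean up.
demo() {
  tmp=$(mktemp -d)
  make_self_signed "$tmp"
  echo "system trust store: $(verify_against_system_store "$tmp/self.pem")"
  echo "pinned as CA:       $(verify_with_pinned_ca "$tmp/self.pem")"
  echo "SANs:               $(list_sans "$tmp/self.pem")"
  rm -rf "$tmp"
}

if command -v openssl >/dev/null 2>&1; then
  demo
fi
```

Running it prints "untrusted" for the system store and "trusted" only once the cert is pinned as a CA, which is exactly the gap between a self-signed cert and one issued by a CA the client already ships with.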

What To Do

A buddy of mine pointed me over to https://letsencrypt.org/

Using certbot, I was able to get myself a legitimate, trusted cert (for free!) with little hassle.  I opted for:

certbot certonly --apache -w /srv/http -d www.alureon.net -d alureon.net

I answered a few questions, and it generated my SSL cert and key.  Super easy.  The only other steps are pretty much uncommenting the SSL module in httpd.conf.

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

Also, you have to set up extra/httpd-ssl.conf to point to your new SSL cert and key.

SSLCertificateFile "/etc/letsencrypt/live/www.alureon.net/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/www.alureon.net/privkey.pem"

I opted for some other pretty extreme settings as well, forcing only the latest version of TLS.

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC
SSLProtocol -all +TLSv1.2
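A cipher string like the one above is easy to get subtly wrong, and the line is cut off in the post as printed, so here is an added shell example (not from the original post) that expands a cipher string with openssl into the ciphers it actually enables and flags two things a hardened config should not contain: broken or export-grade primitives, and static RSA key exchange (no forward secrecy). It feeds openssl the first two groups from the post's string, EECDH+AESGCM:EDH+AESGCM; the sample lines in the test are constructed. It assumes an openssl binary on PATH and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): expand an SSLCipherSuite string
# with openssl and audit it before it goes into httpd-ssl.conf.
# Assumes an openssl binary on PATH.
set -eu

# One line per cipher the string enables, in preference order, e.g.
# "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD".
expand_ciphers() {
  openssl ciphers -v "$1"
}

# Filter expanded lines (stdin) down to ciphers built on broken, export-grade
# or null primitives. grep's exit status is the verdict: 0 = weak ones present.
flag_weak() {
  grep -E 'Enc=(RC4|DES|3DES|RC2|SEED|None)|Mac=MD5|EXP'
}

# Filter to ciphers with static RSA key exchange. With those, a private key
# leaked later decrypts every recorded session; the EECDH/EDH prefixes in the
# post's string exist to avoid exactly that.
flag_no_forward_secrecy() {
  grep -E 'Kx=RSA'
}

# Overall verdict for a cipher string: invalid, weak, no-pfs or clean.
audit_cipher_string() {
  expanded=$(expand_ciphers "$1" 2>/dev/null) || { echo invalid; return 0; }
  if printf '%s\n' "$expanded" | flag_weak >/dev/null; then echo weak; return 0; fi
  if printf '%s\n' "$expanded" | flag_no_forward_secrecy >/dev/null; then echo no-pfs; return 0; fi
  echo clean
}

# Usage: sh audit_ciphers.sh 'EECDH+AESGCM:EDH+AESGCM'
if [ $# -gt 0 ]; then
  expand_ciphers "$1"
  echo "verdict: $(audit_cipher_string "$1")"
fi
```

Run it against the full string from your own httpd-ssl.conf; anything beyond "clean" is worth a second look, and comparing the expanded list before and after an edit is a quick way to see what a change to the string really did.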

Fixing Insecure Resource Requests

After you go full TLS, browsers still claim you’re insecure if the page makes any requests to insecure resources (resources not served over https).  This includes fonts, JavaScript, and even images.  I wanted the green Secure text in Chrome badly enough to go the extra mile, so I continued to fight the good fight.

I’m sure there’s a better way to do this, but I did

UPDATE wp_posts SET `post_content` = REPLACE (`post_content`, 'http', 'https');

This worked wonderfully, but it also changed the literal text “http” in all of my posts to “https”.  This had some funny side effects, but I think I changed everything that actually needed to be “http” back.  There was one post where I had pasted text of myself working in a directory named “/srv/http”.  It changed the directory name to “/srv/https”, which I thought was kind of funny.
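The blanket replace above has a second, quieter side effect besides renaming "/srv/http": any URL that was already "https://" becomes "httpss://". Here is an added shell example (not from the original post) that upgrades only the scheme of absolute http:// URLs where they start a src= or href= attribute value, leaves prose and existing https links alone, and includes an audit filter for whatever plain-http references remain. The HTML lines are constructed for the demo, not taken from the site; it assumes a POSIX shell with sed -E and grep -E.

```shell
#!/bin/sh
# Added example (not from the original post): upgrade only the scheme of
# absolute http:// URLs that begin a src= or href= attribute value, so text
# such as "/srv/http" and links that are already https:// are untouched.
# The sample HTML below is constructed for the demo.
set -eu

# Constructed post content covering the cases a bare REPLACE('http','https')
# gets wrong: a plain-http image, an https link, a filesystem path, and a
# single-quoted script src.
sample_html() {
  printf '%s\n' \
    '<img src="http://alureon.net/wp-content/a.png">' \
    '<a href="https://alureon.net/post/">already secure</a>' \
    'I was working in /srv/http at the time' \
    "<script src='http://cdn.example.test/j.js'></script>"
}

# stdin -> stdout: rewrite src="http:// and href='http:// to https://.
# \1 keeps the attribute name and \2 keeps whichever quote character was used.
upgrade_resource_urls() {
  sed -E "s#(src|href)=([\"'])http://#\1=\2https://#g"
}

# Mixed-content audit: print any attribute still pointing at plain http, with
# line numbers. grep's exit status 1 (nothing found) is the "all clean" result.
list_remaining_http() {
  grep -nE "(src|href)=[\"']http://"
}

sample_html | upgrade_resource_urls
```

Run stand-alone it prints the four sample lines with only the two resource URLs upgraded. The same idea carries straight back to SQL: replacing the prefixes `src="http://` and `href="http://` (and their single-quoted forms) with their https counterparts, instead of the bare string `http`, avoids both the directory rename and the "httpss" damage; piping a dump of post_content through `list_remaining_http` afterwards shows what the browser will still flag.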

Forcing TLS at the Domain Level

This worked great for manually navigating using SSL (typing https:// in the browser), but I’m guessing most people aren’t going to do that.  How do we force them to use SSL at the domain level?

I found this hack on some random website, and it seems to work great (aside from appending an extra forward slash to my TLD).

RewriteEngine On
# Only fire for requests that arrived over plain HTTP
RewriteCond %{HTTPS} off
# The variable is SERVER_NAME; the optional leading slash in the pattern keeps
# the redirect target from ending up as https://host//path
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

I just appended that to the bottom of my httpd.conf, and it worked!  If anyone knows a more efficient way, let me know.