You may (or may not) have noticed that alureon.net is now served over strong TLS encryption! This is a big win for me, as it’s always been something that has puzzled me.
You can check the certificate yourself in Chrome using Developer Tools.
What Not To Do
Tempting as it might be, you apparently cannot self-sign a certificate and expect any browser not to freak out about it.
(This opens up a whole new basket of problems with Subject Alternative Names as well. Just don’t do it.)
Expecting users to click through the “INSECURE” prompts or install your root certificate seems a bit unreasonable in most cases.
What To Do
A buddy of mine pointed me over to https://letsencrypt.org/
Using certbot, I was able to get myself a legitimate, trusted cert (for free!) with little hassle. I opted for:
I answered a few questions, and it generated my SSL cert and key. Super easy. The only other steps are pretty much uncommenting the SSL module in httpd.conf.
Also, you have to set up extra/httpd-ssl.conf to point to your new SSL cert and key.
SSLCertificateFile "/etc/letsencrypt/live/www.alureon.net/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/www.alureon.net/privkey.pem"
I opted for some other pretty extreme settings as well, forcing only the latest version of TLS.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC
SSLProtocol -all +TLSv1.2
Fixing Insecure Resource Requests
I’m sure there’s a better way to do this, but I did
This worked wonderfully, but it also changed the literal text “http” in all of my posts to “https”. This had some funny side effects, but I think I changed everything that actually needed to be “http” back. There was one post where I had pasted text of myself working in a directory named “/srv/http”. It changed the directory name to “/srv/https”, which I thought was kind of funny.
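The “/srv/http” mishap is what a blanket text substitution does. As an added example (not the author's command), here is a Python rewrite that upgrades only src/href URLs on hosts known to serve TLS, leaves prose and shell transcripts alone, and reports any insecure resources it did not touch; the sample post and the host list are constructed.

```python
import re

# Constructed sample post body (not from the original site): two embedded
# resources that must become https, one external resource we do not control,
# and two places where the literal text "http" must survive untouched.
SAMPLE_POST = (
    '<p>Screenshot: <img src="http://www.alureon.net/img/shot.png"></p>\n'
    '<p>See <a href="http://www.alureon.net/post/1">this post</a> and '
    '<a href="http://example.org/">an external link</a>.</p>\n'
    '<pre>user@box:/srv/http$ ls\nhttp://localhost:8080/ is my dev server</pre>\n'
)

# Hosts we know answer over TLS (assumed for this example). Anything else is
# left as-is so the rewrite cannot silently break an external resource.
TLS_HOSTS = {"www.alureon.net", "alureon.net"}

# Match http:// only when it sits inside a src= or href= attribute value.
_ATTR_URL = re.compile(
    r'(?P<attr>\b(?:src|href)=["\'])http://(?P<host>[^/"\':]+)(?P<rest>[^"\']*)',
    re.IGNORECASE,
)


def upgrade_mixed_content(html: str, tls_hosts=TLS_HOSTS) -> str:
    """Return html with http:// resource URLs for known-TLS hosts upgraded."""
    def _fix(m: re.Match) -> str:
        if m.group("host").lower() not in tls_hosts:
            return m.group(0)  # unknown host: keep it, surface it via the report
        return f'{m.group("attr")}https://{m.group("host")}{m.group("rest")}'
    return _ATTR_URL.sub(_fix, html)


def remaining_insecure_resources(html: str) -> list:
    """List http:// URLs still referenced from src/href after the rewrite."""
    return [m.group("host") + m.group("rest") for m in _ATTR_URL.finditer(html)]


if __name__ == "__main__":
    fixed = upgrade_mixed_content(SAMPLE_POST)
    print(fixed)
    print("still insecure:", remaining_insecure_resources(fixed))
```

Run the report over every post before switching on forced TLS; each entry it prints is a mixed-content warning waiting to happen.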
Forcing TLS at the Domain Level
This worked great for manually navigating using SSL (typing https:// in the browser), but I’m guessing most people aren’t going to do that. How do we force them to use SSL at the domain level?
I found this hack on some random website, and it seems to work great (aside from appending an extra forward slash to my TLD).
I just appended that to the bottom of my httpd.conf, and it worked! If anyone knows a more efficient way, let me know.