Hi everybody, I've been trying to get a certificate for my server for a while. Now that I found a solution I would like to share it, hoping everybody will start to use HTTPS to serve their forums.
Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).
Before we start
I will assume that you have a Unix system (which is necessary, I will be using Debian), your web server configured, as well as SSH access, and of course Flarum installed. I will also assume that you are using Apache; if not, you can find detailed guides in the links at the bottom.
Part1: Get the client
Let's start by getting the letsencrypt client. Run:
git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt
Now we are going to install and update the client and its dependencies:
sudo ./letsencrypt-auto --help
Part2: Get and install the certificate
Before the next step, ensure that port 443 (TLS) is open.
After that we are going to actually install the certificate:
sudo ./letsencrypt-auto --apache -d your.domain.com
This will automagically request the certificate and install it in your Apache configuration.
Now restart Apache:
sudo service apache2 restart
Part3: Configure flarum
The certificate should now be up and running. To check, just access your domain at https://your.domain.com
Now we need to make sure that Flarum is pointing to https. In your Flarum home directory, open config.php and edit the line
'url' => 'http://your.domain.com'
to
'url' => 'https://your.domain.com'
Now, to ensure that even those who forget to put the s in https will connect securely, we need to redirect them. Open the .htaccess file in your Flarum home directory, and make sure that this part
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^vendor/(.*)?$ / [F,L]
RewriteRule ^storage/(.*)?$ / [F,L]
RewriteRule ^config.php$ / [F,L]
RewriteRule ^api(.*)$ api.php [QSA,L]
RewriteRule ^admin(.*)$ admin.php [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule !^assets index.php [QSA,L]
# MultiViews can mess up our rewriting scheme
Options -MultiViews
# Autoindex will list all assets files which is not so good
Options -Indexes
</IfModule>
becomes like this:
<IfModule mod_rewrite.c>
RewriteEngine on
#start https redirect
# Keep this before the rules below: their [L] flag stops processing,
# so a redirect placed after them is skipped or loses the requested path.
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#end https redirect
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^vendor/(.*)?$ / [F,L]
RewriteRule ^storage/(.*)?$ / [F,L]
RewriteRule ^config.php$ / [F,L]
RewriteRule ^api(.*)$ api.php [QSA,L]
RewriteRule ^admin(.*)$ admin.php [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule !^assets index.php [QSA,L]
# MultiViews can mess up our rewriting scheme
Options -MultiViews
# Autoindex will list all assets files which is not so good
Options -Indexes
</IfModule>
That should be it, now your Flarum forum should be up, running and secured!
Updating
The certificates last for three months (90 days in fact), so you will need to run only Part2 of this guide to renew it (even before it actually stops working).
If you are not running apache, you can find how to use the letsencrypt client here
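To confirm the Part3 redirect behaves as intended, the following added example (not part of the original guide) checks the response headers of a plain-HTTP request: it must be a redirect, to HTTPS, and to the same path that was requested rather than a single landing page. The helper name check_redirect, the sample path /d/1-test and the sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that an HTTP request is redirected to the same path
# on HTTPS. Reads response headers (as printed by `curl -sI`) on stdin.
# On a live server, with the guide's placeholder domain:
#   curl -sI "http://your.domain.com/d/1-test" \
#     | check_redirect "https://your.domain.com/d/1-test"

check_redirect() {
    expected=$1
    # HTTP header lines end in CRLF; drop the CRs before parsing.
    headers=$(tr -d '\r')
    # Second field of the status line is the code (HTTP/1.1 and HTTP/2 alike).
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    # Header names are case-insensitive (HTTP/2 sends them in lower case).
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')

    case $status in
        301|302|307|308) ;;
        *) echo "FAIL: status '$status' is not a redirect"; return 1 ;;
    esac
    case $location in
        https://*) ;;
        *) echo "FAIL: Location '$location' is not HTTPS"; return 1 ;;
    esac
    if [ "$location" != "$expected" ]; then
        echo "FAIL: got '$location', expected '$expected' (path lost?)"
        return 1
    fi
    echo "OK: $status -> $location"
}

# Constructed sample responses, so the check can be tried offline.
sample_good() {
    printf 'HTTP/1.1 301 Moved Permanently\r\n'
    printf 'Location: https://your.domain.com/d/1-test\r\n\r\n'
}
# What a redirect looks like when it fires only after the index.php rewrite.
sample_path_lost() {
    printf 'HTTP/1.1 302 Found\r\n'
    printf 'Location: https://your.domain.com/index.php\r\n\r\n'
}
```

Try it on a deep link and on an /api URL as well as the front page, since those pass through different rewrite rules.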