Obtain an SSL certificate and run your forum with HTTPS for free

dazework

Hi all - if anyone has a moment to reply - i am not a techie person - just a community forum leader

we had some help to install our 2 flarum sites, but now both are stuck behind an outdated security certificate -- and we are losing traffic (not that it is huge!)

is the server certificate something you resolve at the domain level? or is it all about the server where the sites are hosted? trying to figure out how as a novice, i can solve this

jordanjay29

dazework It's kind of a handshake with the browser, to determine if the SSL layer is valid. You can always drop down to HTTP and redirect HTTPS links, but the better thing to do is to renew your certificate.

luceos

dazework join us on discord at https://flagrow.io/join-discord, someone of flagrow or reflar might be able to get you back on track.

I'm off for well needed rest, in case you find no answer without me sent me a message on discord ?

dazework

jordanjay29 yes, just not sure how to renew the certificate

the person who installed it promised to keep track, but has evaporated back into the internet.... so am a bit stuck.

both community sites are at different domains, so it is not the domain (which places like NameCheap make it seem all i have to do is buy a certificate from them to solve this at domain level!)

i can see that our other site that is also on the same server has an outdated certificate. HOW do I update it? Have Googled this of course - but I get stuck at certain steps.

luceos will say hello there and see what can be done!

thank you - any further ideas are welcome!

dazework

luceos a big thank you, for assistance here - we were lost. Looking more into your work and seeing many helpful things - so thanks again, from all us novices!

Wawet76

Let's Encrypt certificates expires after 3 months, but everything is done to encourage automatic renewal.

I don't really like the official client install described in the original post, because it automatically modify the Apache configuration... I prefer to use software packaged by my Linux distribution.

Here is how to I do it with "Dehydrated" client, with Apache web server on Debian 9 :

# apt-get install dehydrated dehydrated-apache2
Create file "/etc/dehydrated/domains.txt" and put your complete domain name into it.
# dehydrated -c

Certificates are created and put in /var/lib/dehydrated/certs/your_domain/

To configure Apache :

# a2enmod ssl
# a2ensite default-ssl
Modify /etc/apache2/sites-available/default-ssl.conf :
- SSLCertificateFile /var/lib/dehydrated/certs/your_domain/cert.pem
- SSLCertificateKeyFile /var/lib/dehydrated/certs/your_domain/privkey.pem
- SSLCertificateChainFile /var/lib/dehydrated/certs/your_domain/fullchain.pem
# systemctl reload apache2

To automate renewal, add a script in /etc/cron.daily/ :

  #!/bin/sh
/usr/bin/dehydrated -c

Reloading configuration is already done daily by logrotate, so I don't do it in the renewal script.

To redirect http to https, add "Redirect permanent / https://your_domain/" in the non-https virtualhost.

To activate HSTS, add « Header always set Strict-Transport-Security "max-age=15768000" » in the https configuration.

To test your configuration, you can use this site : https://www.ssllabs.com/ssltest/

To obtain the best grade, you can configure SSL algorithms recommended by the Mozilla wiki ("intermediate" is a good choice on their configuration generator) : https://wiki.mozilla.org/Security/Server_Side_TLS

louisluong

I dont know why i can't install on Ubuntu & Centos ? But i can install on Debian.

just-do-it

matpompili Is there a difference between paid and free (like the way you've described) ssl certificates?
Or encrypted is encrypted no matter what?

Also wondering if this would influence seo rankings, but since a lot of websites are still on http, all ssl could have the same "juice" value...

luceos

just-do-it I never thought I'd have to write this ?

Different levels of paid certificates exist, ranging from Domain- to Extended Validation. Each of these require the party behind the certificate to be validated increasingly based on the level. Domain validation required an e-mail confirmation or DNS entry, whereas EV meant your business registration would be verified as well and sometimes you would get a call! The identity would be confirmed and as such guarantee a visitor of your site they're dealing with the right party. Another benefit -- or they make you believe -- is end user protection to a specific monetary amount (I don't know the details of this, I suggest googling).

Then Let's Encrypt showed up and had this goal to make the web encrypted with free certificates. Back then, this wasn't too easy, because SNI didn't exist back then, which allows multiple certificates to be installed per IP address. LE wasn't really taken seriously until SNI was a thing and Google started giving websites with SSL a (slightly) better SEO rank.

just-do-it

That was informative, thank you @luceos

luceos I never thought I'd have to write this

why so? : )

luceos

just-do-it it's like explaining what a ? is to someone who knows only about ? . ?

just-do-it

luceos yeah I'm a millennial and I have never used a ? in my life. Though I've seen and read smth about them, so yeah, pretty accurate ?

ChadJessen

I remember using these. ?

SmoulBuchholz

Work perfectly with my website ? i have one SSL certificate via my contract 1&1 so i have just fllowed part 3. But ont thing is forgetted. One line

So the default function into beta7.1 (and beta7 i think) is :

And you must replace this by :

The only difference is the line RewriteBase / if this line don't exist, you will see error when you go to threads ?

maxXx

I still have error: ERR_TOO_MANY_REDIRECTS ?

Ralkage

maxXx if you are having issues setting up a free SSL, use Certbot for a 1, 2 step process.

It requires SSH.

maxXx

Ralkage I am on shared hosting, access only via FTP and MySQL database.

Ralkage

maxXx Then you cannot do step 1 or 2 unless you specifically got your SSL from the same hosting company, they have separate instructions on getting SSL set up for your domain name.

This is more for those that have at least jailed SSH at minimum (I have tried this on HostGator a while back and it worked partially).

Ralkage

michaelgriffin why not use Certbot?

luceos

Make sure your hostnames resolve to your forum by properly configuring DNS.

for ubuntu+nginx:

sudo apt install python-certbot-nginx
sudo certbot --nginx

for ubuntu+apache:

sudo apt install python-certbot-apache 
sudo certbot --apache

(For other installation instructions check the official website at https://certbot.eff.org/)

In the second command from above you are asked to select the hostnames you want to request a certificate for. If they don't resolve the process won't succeed. Once it does succeed it asks you to automatically redirect traffic to https; I suggest you do that, so that you won't need to do any other magic.

Once the certificate has been installed, update your config.php url value to read https://yourdomain.com instead of http://yourdomain.com.

Then update the cronjob to auto renew regularly:

sudo crontab -e
// pick your favorite editor here, I use vim:
// add a line below the comments (vim press "i" to be able to type):

0 1 * * * certbot renew
// (vim press Shift z twice, so "ZZ")

That's it. The above replaces the (now outdated) way that my dear friend Matteo whipped together over two years ago.

« Previous Page