Enabling TLS on my blog

Google has been favoring websites behind HTTPS over those behind HTTP in their search ranking for quite a while now. Somewhat more recently they started to mark interactive websites behind HTTP as insecure in their Chrome web browser. According to Google: “Eventually, we plan to label all HTTP pages as non-secure”. One could argue about the value of marking non-interactive websites, such as blogs, as insecure. However, given how easy it is to enable TLS by using Let’s Encrypt, our time is better spent simply enabling it.

In my previous blog post I documented how I used FreeNAS and FreeBSD Jails to run my blog. To understand how what follows works, you might want to read that post first.

Enabling TLS basically boils down to three steps:

Install Certbot and the Nginx plugin

It has been a while since I did any work in this blog jail, hence I’ll start with updating the package repository:

guido@laptop % ssh blog
% sudo pkg update

Next I’ll install the Python 3.6 version of Certbot and the Nginx plugin:

% sudo pkg install py36-certbot py36-certbot-nginx

Run Certbot

Running Certbot with the Nginx plugin assumes that nginx.conf lives in /etc/nginx. Under FreeBSD that configuration file lives in /usr/local/etc/nginx. The Certbot documentation doesn’t describe how to inform it about this different location. Fortunately the joy of open source allows us to inspect the plugin code to see what it expects.

Apparently it accepts a server-root argument that does what we need. From the command line that argument needs to be prefixed with the plugin name, nginx-, hence the command to run becomes:

% sudo certbot-3.6 --nginx --nginx-server-root /usr/local/etc/nginx \
    -d kollerie.com -d www.kollerie.com -d blog.kollerie.com

It will ask you a couple of questions that I won’t repeat here. When the command finishes, TLS is fully enabled. It even restarted Nginx for you. It really can’t be made simpler than that.

From the web server’s point of view everything was working fine. However, when I visited my blog all styling was gone: the generated pages still referenced their stylesheets over plain http, and browsers refuse to load such mixed content into a page served over https. This was easily solved by informing Hugo (my static blog generator) that my baseURL (in config.toml) now starts with https instead of http and regenerating everything:

guido@laptop % cd <blog dir>
guido@laptop % nvim config.toml
guido@laptop % hugo
guido@laptop % scp -r public/* blog:www
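Before copying the regenerated site to the server it is worth confirming that no page still pulls a stylesheet or script over plain http, since that is exactly what broke the styling above. The following check is an added example, not part of the original post or of Hugo: it walks the output directory (named public as in the post; the function name and everything else are assumptions) and lists every HTML file that loads a subresource over http://. Ordinary navigation links (`<a href="http://...">`) are not mixed content and are deliberately not matched.

```shell
#!/bin/sh
# Added example (not from the original post): find HTML files under the
# Hugo output directory that still load a subresource over plain http://.
# A stylesheet or script referenced over http from an https page is
# "mixed content" and is blocked by browsers, so the page renders unstyled.

# Print the path of every HTML file under $1 (default: public) that has a
# <link ... href="http://..."> or a src="http://..." attribute.
# Returns 0 when nothing was found (safe to upload), 1 otherwise.
find_mixed_content() {
    dir=${1:-public}
    # <a href="http://..."> is a plain link, not a subresource, so only
    # <link ...href=> and any src= attribute are considered.
    hits=$(find "$dir" -name '*.html' \
        -exec grep -lE '(<link[^>]*href|src)="http://' {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Typical use right before the scp step in the post:
#   find_mixed_content public && scp -r public/* blog:www
if [ "${1:-}" = check ]; then
    find_mixed_content "${2:-public}"
fi
```

Run it as `sh find-mixed-content.sh check public` (or source the file and call the function) after `hugo` has regenerated the site; a non-zero exit means at least one page still references an http:// asset and the listed files tell you where.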

Add a cronjob for certificate renewal

Let’s Encrypt certificates expire after 90 days. Fortunately, certificate renewal can be automated with a simple cronjob, as documented on the Certbot website:

% sudo -i
% crontab -e

and add the following line to root’s crontab:

0 0,12 * * * /usr/local/bin/python3.6 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-3.6 renew > /dev/null 2>&1

That bit of Python code is there to prevent everyone in the same timezone from renewing their certificate at exactly the same time twice a day. The actual renewal call is as simple as:

% certbot-3.6 renew

Feel free to run it manually to see its output.
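The cron line above discards all output, so a renewal that quietly fails every twelve hours is only noticed when the certificate finally expires. The script below is an added example, not part of the original post or of Certbot: it keeps the random delay (computed from /dev/urandom instead of Python), writes the outcome of `certbot-3.6 renew` to a log, and then checks the certificate actually on disk with `openssl x509 -checkend`, which works on both FreeBSD and Linux. The live certificate path under /usr/local/etc/letsencrypt, the log file and the script name are assumptions; adjust them to your jail.

```shell
#!/bin/sh
# Added example (not from the original post): renewal wrapper for root's
# crontab that logs what happened and verifies the certificate on disk.
# Assumed paths: certbot-3.6 from the FreeBSD package, the Let's Encrypt
# live directory under /usr/local/etc/letsencrypt, a log under /var/log.

CERTBOT=${CERTBOT:-/usr/local/bin/certbot-3.6}
LIVE_CERT=${LIVE_CERT:-/usr/local/etc/letsencrypt/live/kollerie.com/cert.pem}
LOG=${LOG:-/var/log/certbot-renew.log}
MIN_DAYS=${MIN_DAYS:-30}   # warn when fewer days of validity remain

# Random delay in [0, 3600) seconds, the same spread the post's Python
# one-liner provides: two bytes of /dev/urandom reduced modulo 3600.
jitter_seconds() {
    od -An -N2 -tu2 /dev/urandom | awk '{ print $1 % 3600 }'
}

# Return 0 if the certificate in $1 is still valid for at least $2 days,
# 1 if it expires sooner or has already expired. -checkend takes seconds.
cert_valid_for_days() {
    cert=$1
    days=$2
    openssl x509 -noout -checkend $(( days * 86400 )) -in "$cert" >/dev/null 2>&1
}

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Sleep a random while, run the renewal, then check the live certificate
# independently of certbot's exit status.
renew_and_verify() {
    delay=$(jitter_seconds)
    printf '%s sleeping %ss before renewal\n' "$(stamp)" "$delay" >>"$LOG"
    sleep "$delay"
    if "$CERTBOT" renew --quiet >>"$LOG" 2>&1; then
        printf '%s certbot renew exited 0\n' "$(stamp)" >>"$LOG"
    else
        printf '%s certbot renew FAILED\n' "$(stamp)" >>"$LOG"
    fi
    if cert_valid_for_days "$LIVE_CERT" "$MIN_DAYS"; then
        printf '%s %s valid for at least %s more days\n' "$(stamp)" "$LIVE_CERT" "$MIN_DAYS" >>"$LOG"
        return 0
    fi
    printf '%s WARNING: %s expires within %s days\n' "$(stamp)" "$LIVE_CERT" "$MIN_DAYS" >>"$LOG"
    return 1
}

# Crontab entry replacing the one-liner from the post (script path assumed):
#   0 0,12 * * * /usr/local/sbin/renew-check.sh run
if [ "${1:-}" = run ]; then
    renew_and_verify
fi
```

The expiry check is the part worth keeping even if you prefer the one-liner: `certbot renew` may exit 0 without renewing anything, so asserting on the certificate file itself is what tells you the cron job is doing its work.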

And that’s all there is to it. Three easy steps to enable TLS using Let’s Encrypt!