Certs for ownCloud on an older version of Ubuntu
That was easy!
I wanted to get Let's Encrypt certs up and running on my ownCloud server. It was easier than I anticipated. Here are the broad strokes taken from http://manandkeyboard.tk/2015/12/20/lets-encrypt-certificate-steps-for-owncloud/ (bit of a different setup for me).
I don't have anything running on port 80 (I just have Apache listening on 443, using self-signed certs, yeah I know, but that is the whole purpose of this excursion).
Run the Let's Encrypt challenge/cert gen
Let's Encrypt is pretty cool. You essentially request a cert for a domain name, and the service provides you with a URL that you need to create to prove that you own the domain. Once it can retrieve that URL, it generates the necessary cert files. All with the most user-friendly walkthrough possible:
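    # Fetch the Let's Encrypt client into a scratch directory
    cd /tmp
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    # Request a cert only (no web server changes), using the manual challenge
    ./letsencrypt-auto certonly -a manual \
        --email email@address \
        -d your_domain.com \
        -d www.your_domain.com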
In the last command, swap in your own email address and domain names. If you then follow the on-screen prompts, it will tell you how to create the challenge URL. It will then tell you how to run a Python SimpleHTTPServer to serve up that file from that temp directory. (For me, I had to adjust /etc/apache2/ports.conf to remove listening on port 80, i.e. comment out Listen 80 and then sudo service apache2 restart.) When you have completed the challenge, the certs will be in /etc/letsencrypt.
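What the challenge file contains, as an added example that is not from the original post or the Let's Encrypt client: per RFC 8555 the HTTP-01 body is the token joined to the RFC 7638 thumbprint of the account key, and the CA fetches it over plain HTTP on port 80. The account key, token and function names below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: not a real account key or CA-issued token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "q83vEjRWeJCrze8SNFZ4kKvN7xI0VniQ", "kid": "demo"}
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME and JWK use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required members, sorted by name,
    serialized as JSON with no whitespace. Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def http01_challenge(domain: str, token: str, account_jwk: dict):
    """Return (url, body) that the CA expects for this domain and token."""
    # The CA always validates over plain HTTP on port 80, which is why
    # something has to answer on that port while the challenge runs.
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    body = f"{token}.{jwk_thumbprint(account_jwk)}"
    return url, body


def response_is_valid(served: bytes, expected_body: str) -> bool:
    """Compare what the web server returned with the expected body.
    Trailing whitespace is tolerated; anything else must match exactly."""
    return hmac.compare_digest(served.rstrip(), expected_body.encode("ascii"))


if __name__ == "__main__":
    url, body = http01_challenge("your_domain.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print("CA will fetch:", url)
    print("File must contain:", body)
    # An HTML error page or directory listing at that URL fails validation.
    print("HTML page accepted?", response_is_valid(b"<html>404</html>", body))
```

Because the body is bound to the account key, a file copied from someone else's challenge does not validate for your account.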
Switch your apache configs to use the new cert
This will vary depending on your setup. I installed ownCloud from a package without much fussing so I just needed to point to the new keyfiles in /etc/apache2/sites-enabled/000-default by changing two lines to point to the new keyfiles:
    # Private key and certificate from the Let's Encrypt live directory
    SSLCertificateKeyFile /etc/letsencrypt/live/your_domain.com/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/your_domain.com/cert.pem
Once changes are made, just the usual sudo service apache2 restart
Certs, certs, certs
I'm really happy that EFF and others have put together Let's Encrypt. Certs give us two things: security and a third-party vouch. Most registrars offer certs at a ridiculous cost. My DNS provider suggests a service that clocks in at about 100 USD per two years. I'm not paying that amount of money just to avoid being nagged by a web browser. Yup, that is essentially why I did this. As mentioned, I had a secure enough self-signed cert providing the connection to my ownCloud site. I knew this, I trusted it enough, but dang if Firefox didn't keep nagging me like crazy that it was making exceptions to view the site. I have a feeling Google Chrome will soon make it totally impossible to view a site that has a self-signed cert.
I guess the other reason why I'm very keen on getting my certs in order is that I want everyone in the world to install HTTPS Everywhere. Have you installed it yet?
Ooo, another idea: Instead of Banned Books week, how about SSL Awareness Week? Make sure your sites work over https, hound the vendors that don't support it, tell your patrons to check for the s, and help them install the extension. That would be more of a service than tsk-tsking some Judy Blume books.
Don't get me wrong, How to Eat Fried Worms is great but we should be doing so so so so much more
Image via: https://en.wikipedia.org/wiki/File:Superfudge_book_cover.jpg