This blog, my landing page, wiki, and a few of my other Websites are now being served encrypted over HTTPS (see the lock icon in your address bar?), thanks to Let’s Encrypt. Along with TLS, I’ve enabled HTTP/2.
Hackers won’t find anything sensitive on my public Websites, but my private Websites (e.g. my ownCloud and Tiny Tiny RSS instances) have needed more security for a long time.
Enabling HTTP/2 was very easy, as HTTP/2 support ships with the ‘http2’ module (mod_http2) in Apache 2.4.17 and later. While easy, it wasn’t obvious; I’ve written a tutorial for enabling HTTP/2 on Apache. Redirecting plain-HTTP (non-HTTPS) connections to HTTPS was trickier than I thought, so I’ve written a tutorial for HTTPS redirects with Apache’s mod_rewrite too.
I created my TLS certificates as part of Let’s Encrypt’s closed beta. I have an unconventional and complex Apache setup (something I’ll simplify, one day…) and because of bug 1531, a problem in an upstream library, I can’t use the official client the way it was meant to be used (i.e. “install” or “auth” commands). I don’t think I wanted an automated script editing config files on my servers anyway.
With a lot of fiddling, I’ve figured out how to use the official letsencrypt client reverse proxied through Apache, which will let me update certificates regularly without headache.
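For readers who want to see the three pieces above (HTTP/2 on Apache, the HTTP-to-HTTPS redirect, and the ACME client reverse proxied through Apache) in one place, here is an added example configuration. It is not the author’s configuration or anything from the Let’s Encrypt project; the hostname example.com, the local port 8888, the certificate paths and the loaded-module list are assumptions. It assumes Apache 2.4.17 or later with mod_ssl, mod_http2, mod_rewrite, mod_proxy and mod_proxy_http enabled, and that the official client is run in standalone mode so that it answers http-01 challenges on the local port (for certbot that is `certonly --standalone --preferred-challenges http --http-01-port 8888 -d example.com`):

```apache
# Added example, not the blog author's config. All names, ports and paths
# below are assumptions; adjust them to your own hosts.
#
# Modules assumed loaded: ssl http2 rewrite proxy proxy_http
# (on Debian/Ubuntu: a2enmod ssl http2 rewrite proxy proxy_http)

<VirtualHost *:80>
    ServerName example.com

    # 1. Reverse proxy ACME http-01 challenges to the standalone client
    #    listening on 127.0.0.1:8888 (assumed port). Apache keeps serving,
    #    no config files are edited by the client, and port 80 stays owned
    #    by Apache. The client only needs to run while renewing.
    ProxyPreserveHost On
    ProxyPass        "/.well-known/acme-challenge/" "http://127.0.0.1:8888/.well-known/acme-challenge/"
    ProxyPassReverse "/.well-known/acme-challenge/" "http://127.0.0.1:8888/.well-known/acme-challenge/"

    # 2. Redirect everything else to HTTPS. The challenge path is excluded
    #    explicitly so the CA's validation request is never bounced to 443
    #    before a certificate exists. The target host is written out rather
    #    than taken from %{HTTP_HOST}, so an attacker-supplied Host header
    #    cannot turn the redirect into an open redirect.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com

    # 3. HTTP/2. Browsers negotiate h2 via ALPN and only over TLS, so this
    #    directive belongs in the TLS vhost. http/1.1 stays as a fallback.
    Protocols h2 http/1.1

    SSLEngine on
    # Default output paths of the letsencrypt/certbot client (assumed).
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # mod_http2's H2ModernTLSOnly (on by default) refuses h2 on TLS < 1.2
    # or on RFC 7540 black-listed ciphers; browsers then fail with
    # INADEQUATE_SECURITY. Restricting protocols and honouring server cipher
    # order avoids that trap rather than papering over it with
    # "H2ModernTLSOnly off".
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

    DocumentRoot /var/www/example.com
</VirtualHost>
```

Two checks worth running after a reload: `curl -sI http://example.com/` should answer with a 301 to the https:// URL, while `curl -sI http://example.com/.well-known/acme-challenge/test` should be a proxied response (a 404 from the standalone client, or a connection error from mod_proxy when the client is not running), not a redirect. `curl -sI --http2 https://example.com/` (or `openssl s_client -alpn h2 -connect example.com:443`) shows whether h2 was actually negotiated. One caveat for later Apache versions: from 2.4.27 mod_http2 no longer serves h2 under the prefork MPM, so the event or worker MPM is needed for the `Protocols` line to have any effect.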