I remember several years ago looking at my site and thinking “ya know, it’s about time I got hip with this SSL thing”. Several days later, I was able to implement SSL on my primary site using https://www.startssl.com/. This took me a notable amount of manual effort to obtain the certificates from their site (props to them, they use client certificates to validate users in addition to credentials, which is rather secure, if obtuse and inconvenient), and several hours of learning how to tweak my Apache configs to use them (I had a complex dynamic setup, and isolating which sites get which certs was not something I had built into that design). Success! Or not… I then had to go back through and fix various parts of the actual site to be consistent about loading everything from https, and to allow regular http calls where appropriate. It was a painful ordeal, but at the end of the day I had a more secure site, and I had learned quite a bit about everything involved. (Nowadays it probably wouldn’t be nearly as painful with Puppet etc., but it’d still require manually obtaining the certs and so on.)
Fast-forward one year: I had entirely forgotten about this effort and the process involved. I had left myself no documentation on what I did or how to renew the cert, received an email letting me know that the cert was expiring in a month, which I promptly ignored, and now had a site with one of those big red X’s in the corner. I went back to StartCom to renew, and couldn’t even get logged back in (I had forgotten about the whole client certificate thing, and had a new laptop at that point). I put fixing the situation on the back-burner, and went several months before allocating some time to figure out where I went wrong. I was eventually able to remedy my expired cert and remove that ugly X, but the process made me dread the idea of having to re-do this annually. However, being a bit of a cheapskate when it comes to technology, I resigned myself to my fate.
Fast-forward again to today: with a shiny new server and domain configured, Puppetized, and running Nginx instead of Apache, I was feeling ready to tackle the SSL situation again. I had been reading about Let’s Encrypt for a while, and was excited to give it a try. All I can say is: wow. I added danzilio/letsencrypt to my Puppet module arsenal, dropped a few lines into my server’s hiera config, put together an 8-line profile to wrap the ‘certonly’ defined type, and had certificates for multiple domains ready to rock. No pain, no manual effort or client certificates, and a shockingly easy setup (I hit one small snag with forgetting the ‘webroot_paths’ parameter that slowed me down all of 15 minutes). I’ll admit I struggled for a day to tune my Nginx config to be just the way I wanted it, but now that it’s all in place my domains redirect to https where appropriate, use a Let’s Encrypt cert, and will keep that cert valid for me with zero effort on my part thanks to the quality workmanship in the letsencrypt module. What a complete polar-opposite experience!
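A profile of the kind described above, written here as an added example and not the post’s own code: it assumes the danzilio/letsencrypt module’s `letsencrypt` class and `letsencrypt::certonly` defined type with the `domains`, `plugin`, `webroot_paths` and `manage_cron` parameters (as in the module’s documentation), and the class name, domains, webroot path and hiera keys are made up for illustration.

```puppet
# Hypothetical profile class wrapping letsencrypt::certonly.
# Hiera data it expects (constructed example, not a real site):
#
#   letsencrypt::email: 'hostmaster@example.com'   # account contact, gets expiry notices
#   profile::letsencrypt::certs:
#     example.com:
#       domains: ['example.com', 'www.example.com']
#       webroot: '/var/www/example.com'
#
class profile::letsencrypt (
  # cert name => { domains => [...], webroot => '/path' }
  Hash $certs = {},
) {
  # Module base class: installs the client and registers the account e-mail.
  include ::letsencrypt

  $certs.each |String $name, Hash $cert| {
    # The webroot plugin answers the ACME HTTP-01 challenge by writing a file
    # under the site's document root, so Nginx must serve
    # /.well-known/acme-challenge/ from that path over plain HTTP; an
    # unconditional http->https redirect breaks issuance and renewal.
    letsencrypt::certonly { $name:
      domains       => $cert['domains'],
      plugin        => 'webroot',
      webroot_paths => [$cert['webroot']],  # the parameter the post mentions forgetting
      manage_cron   => true,                # scheduled renewal: no more expired-cert red X
    }
  }
}
```

After a run, checking that the cron entry exists and that the first renewal succeeds before the 90-day lifetime ends is the one manual step worth keeping.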
If you’re not using SSL yet: Let’s Encrypt – The future is now, and your site’s clients deserve some encryption.