A nice (unrelated) pic to start 🙂


So the big question… Is your site running HTTPS? If not, you should; if yes, well done!

Prologue

This personal blog was moved from wordpress.com to personal hosting powered by dokku a long time ago. While this has proved to be pretty nice, I honestly think that WordPress has reached a maturity level where you can just get away with running the software on a PHP-powered website (like Apache with the PHP module or whatever), switch on the automatic updates, and be happy with that.

Basically, install once, and then forget about it.

So while doing the upgrade manually via git is not a big issue (here is the little README I wrote to remind myself of the procedure), you still have to do the upgrade once in a while.

All this always felt a bit like wasted effort, until I decided that I should move the site to HTTPS.

Getting these pesky HTTPS certificates

In a few words: HTTPS encrypts the traffic between your web browser and the server that handles the request; to set up the encryption, a certificate provided by the server is used. The legitimacy of that certificate is vouched for by a root certificate authority. You could issue a certificate yourself, and it would be perfectly valid from a technical standpoint, but your site would still be marked as not secure. The catch is that Firefox, Chrome and the other web browsers ship with a list of “root authorities” that they recognise as legitimate. A self-issued certificate is not connected to any of these root authorities, and is therefore not recognised by the web browsers.

For quite some time the only way to get an HTTPS certificate was to buy one from a seller able to issue one chained to their root authority. This was usually either for a specific domain or a wildcard covering all the sub-domains, and it cost around 20/30£ per year, depending on the seller. Note that the validity was usually one year, so you had to manually get a new certificate and reinstall it, which usually meant running some commands and then adding it to nginx or Apache to be able to serve over HTTPS.

So this process was pretty labour intensive, it was costly and, most importantly, when the certificate expired the website became “untrusted”: the red bar with the broken lock showed up in the address bar.
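Both failure modes above (a certificate that is technically valid but not chained to a root the browser trusts, and a certificate that has quietly expired) can be checked from the outside. The script below is an added example, not part of the original post or of dokku: it connects to a host with Python's default TLS context, which verifies the chain against the operating system's root store exactly as a browser would, and then reports how many days remain before the served certificate expires. The 30-day renewal window and the sample certificate dictionary are constructed for illustration; `blog.example.org` and `example.org` are placeholder hostnames.

```python
"""Check the certificate a site actually serves: is the chain trusted by the
local root store, and how long until it expires?  Added example; it relies
only on the Python standard library."""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional


def fetch_cert(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect with ssl.create_default_context(), which verifies the chain
    against the system root store and checks the hostname.  A self-signed
    certificate, or one from a CA the OS does not trust, raises
    ssl.SSLCertVerificationError here: the "technically valid but not
    recognised" case described in the post."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _parse_now(now_iso: Optional[str]) -> datetime:
    """Accept an ISO-8601 timestamp with offset (e.g. "2025-05-16T12:00:00+00:00")
    so callers and tests can pin 'now'; default to the real current time."""
    if now_iso is None:
        return datetime.now(timezone.utc)
    return datetime.fromisoformat(now_iso).astimezone(timezone.utc)


def days_until_expiry(cert: dict, now_iso: Optional[str] = None) -> int:
    """Whole days until the certificate's notAfter; negative once expired.
    notAfter is in the "Jun 15 12:00:00 2025 GMT" form getpeercert() returns."""
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    return (expires_at - _parse_now(now_iso)).days


def renewal_status(cert: dict, now_iso: Optional[str] = None,
                   renew_within_days: int = 30) -> str:
    """'ok', 'renew' (inside the renewal window) or 'expired'.  The 30-day
    window is an assumed threshold for this example, not a dokku setting."""
    days = days_until_expiry(cert, now_iso)
    if days < 0:
        return "expired"
    if days <= renew_within_days:
        return "renew"
    return "ok"


def issuer_org(cert: dict) -> str:
    """Flatten getpeercert()'s nested issuer tuples and pull organizationName."""
    fields = dict(item for rdn in cert["issuer"] for item in rdn)
    return fields.get("organizationName", "<unknown>")


# Constructed sample in the shape ssl.getpeercert() returns (only the fields
# used here); the dates and names are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "blog.example.org"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "notBefore": "Mar 17 12:00:00 2025 GMT",
    "notAfter": "Jun 15 12:00:00 2025 GMT",
}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.org"  # placeholder
    try:
        cert = fetch_cert(host)
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}: chain NOT trusted by the local root store: {exc.verify_message}")
        sys.exit(2)
    print(f"{host}: trusted chain, issued by {issuer_org(cert)}, "
          f"status={renewal_status(cert)} ({days_until_expiry(cert)} days left)")
```

Run it as `python3 certcheck.py your.domain.tld` from a machine whose root store is up to date; a non-zero exit on a verification error is what makes it usable from a monitoring cron job, which is the cheap way to notice an expired or mis-chained certificate before visitors do.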

Let’s Encrypt to the rescue

Let’s Encrypt is a root certificate authority that provides HTTPS certificates. Their goal is to make the internet safer and more secure, so they provide the certificates for free. Moreover, besides not charging for the certificate, they also provide a way to programmatically get a certificate and renew it, in a very easy and straightforward way.

What’s super nice is that dokku has a very nice plugin able to make the whole process automatic for the user.

In my case, given that I already have WordPress deployed via dokku, I just had to run the following command:

$ dokku config:set --no-restart myapp DOKKU_LETSENCRYPT_EMAIL=your@email.tld

This creates the certificate.

Then you have to encrypt your app. It’s just one more command:

$ dokku letsencrypt myapp

This one sets up the nginx configuration to redirect requests to the HTTPS site for myapp.

It basically worked like a charm on the first go.

There is also the nifty command

$ dokku letsencrypt:cron-job --add

which will create a cron job for the dokku user to re-fetch and renew the HTTPS certificate automatically.

Pretty neat, and deploying WordPress via dokku is now totally worth it.