Changes between Version 21 and Version 25 of faq/security/setup-certificate
- Timestamp:
- (multiple changes)
Legend:
- Unmodified
- Added
- Removed
- Modified
faq/security/setup-certificate
v21 v25 6 6 By default, your web site does not communicate with the world using an encrypted connection. When you connect, it uses the "http" protocol instead of the "https" protocol. 7 7 8 We strongly encourage all members to change this setting so all communications is encrypted. Even if you don't think it is necessary, consider that all information you send to the site, which may include usernames and passwords, are sent in the clear unless you are using https. 8 We strongly encourage all members to change this setting so all communications is encrypted. Even if you don't think it is necessary, consider that all information you send to the site, which may include usernames and passwords, are sent in the clear unless you are using https. 9 9 10 10 Fortunately, the process of choosing to run an https enabled web site is fully handled in the members control panel: … … 12 12 * Log in via https://members.mayfirst.org/cp. 13 13 * Choose the "Web Configuration" section. 14 * Remove any domains from ServerAlias or ServerName that are a sub-domain of mayfirst.org (e.g. yourorg.mayfirst.org). You should only have your own personal domains listed (this is temporary until #12045 is resolved). 15 * Edit your web configuration and change the "Port" field to "auto". 14 [[Image(https-configuration.png)]] 15 * Edit your web configuration and remove any domains from the domain names section that are not properly working or have expired (if there are any). 16 * Change Encryption from "http only" to "https enabled". 16 17 * Click "Submit". 18 19 20 == What if I already have an https web site? == 21 22 Some members already have their own https certificates and keys. If you click the Advanced button, you will see them listed. 23 24 If you want to switch from using your own https certificate and key to using our automatic and free Let's Encrypt certificate and key, simply delete the path to your certificate and key from the TLS Key path and TLS Cert path fields. 
17 25 18 26 == How does it work? == 19 27 20 You have several options when choosing to configure your web sites. Each site will have and does need at least one web configuration item.28 Our control panel is integrated with a free services called [https://letsencrypt.org/ Let's Encrypt]. They provide automated 3 month certificates free of charge. We have a regular scheduled job that will automatically renew your certificates every three months to ensure they are kept up to date. 21 29 22 == = auto ===30 == Using https with CloudFlare == 23 31 24 The best option is to use "auto." When your web site is configured to use auto, then:32 Some members have elected to use CloudFlare - a content distribution network/caching system - with their web sites, and have shared their experience using it here. Current CloudFlare documentation should always be referenced before making changes you do not understand. We can not directly support CloudFlare, but you may find these instructions to be helpful when using it in combination with the automatic https offered by the control panel. This is due to how these services may conflict with each other: LetsEncrypt attempts to issue updated certificates using a method called the "webroot" authentication method. This method places a specially named file in the `.well-known` folder in the root of your web site. Then the LetsEncrypt service looks for this file on your server (to validate the certificate request is legitimate), however CloudFlare may respond to request inaccurately, preventing certificate renewal from occurring. Adjusting configuration on CloudFlare to specifically prevent the service from interfering with or modifying these verification responses can corrrect this situation: 25 33 26 * A [https://letsencrypt.org/ letsencrypt] certificate will be automatically generated at no cost for all the domains in your web configuration (both Server Name and Server Alias). 
27 * This certificate will be automatically updated every three months 28 * All requests sent via http will be automatically redirected to https 29 30 === http === 31 32 If you prefer, you can opt instead to have an http-only site by choosing http. 33 34 === https === 35 36 You may also wish to use your own certificates, in which case select "https" and specify the `SSLEngine On`, `SSLCertificateKeyFile`, and `SSLCertificateFile` parameters in your configuration that point to the appropriate files. If your web configuration has only an https item, you won't have an http site at all. Note that this means anyone trying to reach your site with http will get an "Error 404 Server not found" message. 37 38 === Both http and https === 39 40 You can also choose to have a different web configuration for http and https or control the redirecting in a more fine-tuned way. For sites that have https enabled with a certificate that they purchased or obtained themselves, their web configuration will have two items: one for each http and https. 41 42 == What if I already have an https web site? == 43 44 You can easily convert your site from an https web site to an auto web site. 45 46 If you have both an http and an https web configuration, you must first delete the http one. 47 48 Then, edit the https site, remove the SSL lines, and change it to auto. 34 * Log into your CloudFlare account and go to the Page Rules settings for your domain. 35 * Add a page rule, ahead of any possible redirects (i.e. potentially just make this the very first rule). 36 * Configure the rule as necessary. The important part, is that it ignores any requests for the `.well-known/` folder. For example: `*.workingdirectory.net/.well-known/*` for the URL, and the settings set the "Cache level" set to "Bypass".
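Review bot: the CloudFlare page-rule example in added lines 34-36 leaves the apex domain uncovered, since a pattern beginning with `*.` matches only subdomains; `workingdirectory.net/.well-known/...` would still be answered from the cache and renewal for the bare domain would keep failing. Suggest a pattern that matches both, for example `*workingdirectory.net/.well-known/acme-challenge/*`, and naming the `acme-challenge` path explicitly: Let's Encrypt's HTTP validation fetches `/.well-known/acme-challenge/<token>`, not arbitrary files under `.well-known`, so a narrower rule is both more accurate and less likely to collide with other `.well-known` resources. The same paragraph (line 32) should also state what "respond to request inaccurately" means in practice, i.e. a cached, redirected or CloudFlare-generated response in place of the token file, and fix the typo "corrrect".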
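Review bot: added line 28 says the scheduled job renews "every three months" for "3 month certificates", which reads as renewal on the expiry date with no margin; state that the job runs more often than that and renews once a certificate is within its renewal window, so a transient failure (such as the CloudFlare problem described further down) does not immediately produce an expired certificate. Also "a free services called" should be "a free service called". The removed "auto" description (old lines 24-28) carried two facts the new "https enabled" text no longer states: that every domain listed in the web configuration (ServerName and ServerAlias) is placed on the certificate, and that http requests are redirected to https. Please carry both over, because the first is the reason behind new line 15: one domain that does not resolve or has expired fails validation and blocks issuance of the whole certificate.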
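Review bot: new lines 20-24 tell members to clear the TLS Key path and TLS Cert path fields to switch to the automatic certificate, but drop the old guidance (old lines 42-48) that a site with separate http and https configuration items must first delete the http item; if that is still required it should be restated here, and if "https enabled" now replaces both items the text should say so. The old step about removing mayfirst.org sub-domains pending #12045 was also removed without saying the restriction is gone; a one-line note that such domains can now be listed would stop readers of the earlier version from deleting them unnecessarily.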