I’ve set up a CAA DNS record for my domains that allow it.Continue reading post "DNS: added CAA records"
I had to manually force renew the TLS certificate for my site (the thing that makes it encrypted over HTTPS) because of a bug in LetsEncrypt’s software.Continue reading post "#2674"
In playing with service workers, I set up a self-signed SSL certificate for my local development environment. I used instructions from debian.org. It was very simple, since I didn’t need the security involved with a real operating site. Creating the certs took a single command:
openssl req -new -x509 -days 365 -nodes -out /path/to/server/config/certs/sitename.pem -keyout /path/to/server/config/certs/sitename.key
You then just need to set things up in the server configuration (Apache in my case).
mod_ssl must be installed and enabled, which looks something like:
- My HSTS is too short. It considers less than 180 too short. The cert isn’t even valid for 180 days (90 for LetsEncrypt). My HSTS is actually only one day, and I will probably leave it on the short side until I’m sure things are safe.
- It is an SNI certificate, so it will not be supported by some old browsers. 94%+ is good enough for me when I still support HTTP.
My sites are now HTTPS-enabled with LetsEncrypt. It was easy to set up with Dreamhost’s panel. It was just a few clicks and some waiting. This is the first time my own sites have been available over HTTPS. I’ve been wanting to do it for a while, but it was kind of costly until the free LetsEncrypt became available. This brings my sites in line with the “HTTPS Everywhere” movement. I’ve also been wanting to play with the new installable apps forming standard for making web apps installable almost like native apps.
I had written a post before about how I’m setting my security-related headers. I’ve now added an HTTPS related header in a similar manner:
Dreamhost now supports LetsEncrypt even with shared hosting. LetsEncrypt provides free SSL certificates. I’m going to have to try it out on my domains. My plan is to make my visitor targeted domains have https as the canonical protocol but still support http for older browsers.