BroCorpLabs / dragdrop.site

a dead simple website deployment service
http://dragdrop.site

Configure SSL/TLS certificate #8

Open andreasvirkus opened 5 years ago

andreasvirkus commented 5 years ago

A service like Let's Encrypt is free and very easy to set up :)

I'd also argue that it's crucial for a website handling other people's source code.

prnthh commented 5 years ago

Hey, this is more of a TODO on my end.

I agree completely that LetsEncrypt is the way to go for this. I believe Certbot has excellent integration with nginx and will serve up certificates to any future CNAME configurations just as well.

prnthh commented 5 years ago

I've now fixed SSL on the TLD but I haven't figured out how to do it for the subdomains yet. I guess I'll have to generate an additional SSL cert for each subdomain. I want to know what the best practice is for doing this en masse.

andreasvirkus commented 5 years ago

So there are two main ways to go about this:

Some pricier cert providers also allow the use of wildcards (*.dragdrop.site)

Edit: looked into it some more, and learned a couple of things myself as well. I stumbled upon this useful thread: https://community.letsencrypt.org/t/wildcard-domain-step-by-step/58250/4 and there's a link to this certbot-auto site, which also lists specific instructions: https://certbot.eff.org/lets-encrypt/pip-other So as the top banner states:

Trying to get a wildcard certificate? Please use the dropdown menus below to get instructions specific to your system, and read those instructions carefully.

Another source: https://stackoverflow.com/a/49487656/2803743 So if your DNS provider provides an API to update TXT records, you should be good to go. Currently certbot seems to support these providers for wildcards:

certbot-dns-cloudflare
certbot-dns-cloudxns
certbot-dns-digitalocean
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-google
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-rfc2136
certbot-dns-route53

Hope that's of some use :)

Edit (2): The TLD atm doesn't have an http -> https redirect either. Also you could change the website's link in the repo description on GitHub to point to https:// directly.

For the redirect you could go with:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
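An added example, not code from this thread or from the dragdrop.site repo: a small Python check for whether a certificate's Subject Alternative Names actually cover the hostnames a wildcard is meant to serve, since `*.dragdrop.site` covers `alice.dragdrop.site` but neither `dragdrop.site` itself nor deeper labels like `www.alice.dragdrop.site`. The openssl output it parses is a constructed sample of what `openssl x509 -noout -ext subjectAltName` prints for a cert requested with `-d dragdrop.site -d '*.dragdrop.site'`.

```python
import re

# Constructed sample of `openssl x509 -in fullchain.pem -noout -ext subjectAltName`
# for a certificate issued for the apex plus a single-level wildcard.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:dragdrop.site, DNS:*.dragdrop.site
"""


def parse_san_names(openssl_text):
    """Return the DNS names listed in an openssl subjectAltName dump, lowercased."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", openssl_text)]


def san_matches(pattern, hostname):
    """Apply the wildcard rules browsers use (RFC 6125 style).

    '*' is only honoured as the entire leftmost label and matches exactly one
    label, so '*.dragdrop.site' covers 'alice.dragdrop.site' but not
    'dragdrop.site' or 'a.b.dragdrop.site'. Partial wildcards ('al*.x') and
    wildcards directly under a TLD ('*.site') are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in p_labels[1:]:
        return False  # partial or nested wildcard: not a valid pattern
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # too broad, or label count differs (wildcard = one label)
    return p_labels[1:] == h_labels[1:]


def uncovered_hosts(san_text, hostnames):
    """Hostnames from the list that no SAN entry in the dump covers."""
    names = parse_san_names(san_text)
    return [h for h in hostnames if not any(san_matches(n, h) for n in names)]


if __name__ == "__main__":
    sites = ["dragdrop.site", "alice.dragdrop.site", "www.alice.dragdrop.site"]
    print("not covered:", uncovered_hosts(SAMPLE_SAN_OUTPUT, sites))
```

Run the same check against the real `fullchain.pem` before cutting user subdomains over to HTTPS; any hostname in the "not covered" list will fail TLS validation even though the wildcard cert is installed.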