Well you could do that. That would be the lazy solution, but definitely not the most reliable one.
Just secure it through CF. No reason not to have small sites going through them.
Free CDN and simple SSL.
I usually just do the best of both, and generate a LetsEncrypt cert which gets installed on my origin webserver, and then set CloudFlare to Strict (Full) SSL mode.
Well you could do that. That would be the lazy solution, but definitely not the most reliable one.
It is really easy to install your own TLS Cert. So why not do it? Why rely on a third party?
Using CF means trusting their every step and there have been huge issues in the past where it was really easy to do a Man-in-the-Middle attack on Cloudflare Certificates and they didn't even notice until a magazine published an article on it.
So besides you having to rely on Cloudflare's reliability, they also have fucked up badly in the past which leaves the question if you really wanna trust them or simply do it yourself. Doesn't take long to install a Let's Encrypt signed Certificate.
Although I gotta say, I'd rather see a website with a CF Certificate than with none at all.
do
Getting this error
/etc/nginx/dhparam.pem: Permission denied
sudo chown www-data:www-data /etc/nginx/dhparam.pem
sudo chmod 511 /etc/nginx/dhparam.pem
sudo chmod 777 /etc/nginx/dhparam.pem
) as well if you want to and if you wanna make sure anyone can read-write-execute the file. It's not a secret file, so it doesn't really matter who can read it.
Why even recommend 777?
do
sudo chown www-data:www-data /etc/nginx/dhparam.pem
sudo chmod 511 /etc/nginx/dhparam.pem
Though this shouldn't happen anyways, because the mother instance of nginx is being run by root and the children (workers) only by nginx
But you can set the permissions to 777 (sudo chmod 777 /etc/nginx/dhparam.pem) as well if you want to and if you wanna make sure anyone can read-write-execute the file. It's not a secret file, so it doesn't really matter who can read it.
chown -R www-data:www-data /var/www/html
chmod -R 755 /var/www/html
Look at your PMs. I'll help you solve this in private messages
Thank you guys, now I have no errors but my site is not showing the certificate, so it appears as not secure lol
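An added example, not part of any post in this thread: a shell check for the mode of a DH parameter file like the /etc/nginx/dhparam.pem discussed above, run against the modes the thread mentions. The helper name `check_dhparam_mode` is hypothetical, the demo file is constructed, and GNU or BSD `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the mode of a DH parameter file
# such as /etc/nginx/dhparam.pem. check_dhparam_mode is a hypothetical helper.
# The parameters are public, so read access is harmless; write access is the
# risk, because whoever can write the file chooses the server's DH group.

check_dhparam_mode() {
    dh_file=$1
    [ -f "$dh_file" ] || { echo "missing: $dh_file"; return 2; }

    # GNU stat first, BSD stat as fallback; both print octal such as 644.
    dh_mode=$(stat -c '%a' "$dh_file" 2>/dev/null || stat -f '%Lp' "$dh_file") || return 2
    dh_mode=$(printf '%03d' "$dh_mode")          # "0" -> "000"
    dh_perm=${dh_mode#"${dh_mode%???}"}          # last three digits only
    dh_owner=${dh_perm%??}
    dh_other=${dh_perm#??}
    dh_group=${dh_perm#?}; dh_group=${dh_group%?}

    dh_status=0
    if [ $(( dh_owner & 4 )) -eq 0 ]; then
        echo "$dh_file ($dh_perm): owner cannot read it"; dh_status=1
    fi
    if [ $(( (dh_group | dh_other) & 2 )) -ne 0 ]; then
        echo "$dh_file ($dh_perm): writable by group or others"; dh_status=1
    fi
    if [ $(( (dh_owner | dh_group | dh_other) & 1 )) -ne 0 ]; then
        echo "$dh_file ($dh_perm): execute bit set on a data file"; dh_status=1
    fi
    return $dh_status
}

# Constructed demo on a scratch file: the two modes suggested in the thread,
# then the conventional 644.
dh_demo=$(mktemp)
for dh_m in 511 777 644; do
    chmod "$dh_m" "$dh_demo"
    if check_dhparam_mode "$dh_demo"; then echo "$dh_m: ok"; else echo "$dh_m: needs fixing"; fi
done
rm -f "$dh_demo"
```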
Wow very nice, didn't know it could be free.. some devs tried to fool me with some BS costs...
COULD YOU ADD TUTORIAL FOR WINDOWS? GREAT CONTRIBUTION
Could do that, but that also means that this random website now has access to your private key and could technically read all your traffic.
SSL For Free - Free SSL Certificates in Minutes
Free SSL certificates issued in less than a minute, for one or multiple domains, supporting wildcards and ACME with tutorials. www.sslforfree.com
This is the same service, certs from Let's Encrypt, but done via webpage so you don't have to use that tool. Much easier if you're not competent with Linux.
You need to be able to edit the DNS records for your domain to verify, that's the easier one IMO.
They export the private key, but not a PFX file, you will also need to download OpenSSL for Windows to convert the cert + private key to a PFX so you can import it into IIS (If you're using Windows IIS for your webpage)
They offer other kinds of certificates by now as well. But that doesn't really matter for an OT.
These are pretty basic certs that only last a short period at a time, not every hosting provider supports it because it CAN stuff up.
The "BS cost" is probably like 10 bucks for a 12 month certificate, and I wouldn't say you're being fooled for paying for a proper certificate, but this will do the job.
Further to this, many WHM cPanel hosting services come with something called AutoSSL, which is similar to this, free SSL Certs for webpages that renew every 3 months.
It's the same CA. They don't save the Private key, it generates and downloads on the spot. You can also choose to upload your own CSR if you want to.
I don't know. I wouldn't trust them.
Self signed certificates will come up as untrusted to everyone but you.
To be exact even self-signed certificates can be proper if made correctly, which is not hard.
Yes, but they last 3 months, which means you need to renew it 4 times a year instead of maybe 1 every 2 years.
And LetsEncrypt certificates are "proper" certificates as you call them
Well I didn't read it that well I just assumed they would only use API to issue a certificate for you, which now thinking about it, wouldn't make a lot of sense or be possible that easily.
It's the same CA. They don't save the Private key, it generates and downloads on the spot. You can also choose to upload your own CSR if you want to.
Taken from the web page:
- Let's Encrypt is the first free and open CA
We generate certificates using their ACME server by using domain validation.
- Private Keys are generated in your browser and never transmitted.
For browsers which support Web Cryptography (all modern browsers) we generate a private key in your browser using the Web Cryptography API and the private key is never transmitted. The private key also gets deleted off your browser after the certificate is generated. If your browser does not support the Web Cryptography API then the keys will be generated on the server using the latest version of OpenSSL and outputted over SSL and never stored. For the best security you are recommended to use a supported browser for client generation. You can also provide your own CSR when using manual verification in which case the private key is handled completely on your end.
That's literally what I said.
Self signed certificates will come up as untrusted to everyone but you.
Of course you can.
Can I do this using Apache?
ssl_ciphers in nginx would be SSLCipherSuite in Apache, I believe.
Thanks
Great tutorial
For anyone that doesn't want to deal with too much technical stuff: You could also use SSL For Free - Free SSL Certificates in Minutes (https://www.sslforfree.com/) which issues Let's Encrypt Certs for you. You just need to prove it's your domain by uploading a validation text file or DNS validation
Thanks
Yeah pink_panther already said the same thing.
Though generating the certificate is the easiest part of the "technical stuff" of including the certificate. You still got to configure your webserver accordingly.
But as I already said, in my opinion you need to learn how to deal with the "technical stuff" anyways. Taking shortcuts the whole time won't get you anywhere. If you want to make an OT, do it right! And you only have to follow the tutorial step by step. It's really nothing you need experience for
But before installing the SSL certificate the site was working 100%, just no https. What am I doing wrong?