Full Stack for Front-Ends Part 2 Installing HTTPS certificate

[00:00:00]
>> Jem Young: This is how I did it for my server. Acme-tiny, which is actually a shorter way of doing it manually. But if we go to acme-tiny you will see the steps that we used to have to do. So we have to go through here, create a public key using rsay, we have to do all these things.

[00:00:20] Put this here, put it in the back. So you have to do all this, install your certificates. So if you look at it, if my EngineX config on jemyoung.com, it looks something like this. It's pretty complicated. We don't have to do that anymore because smarter people, good people of the Internet created something called certbot.

[00:00:37] Certbot does all this for you and it's amazing and I wish it was around when I was setting up HTTPS. But you get the benefit of doing things a little bit later. So we're gonna use Let's Encrypt. Let's Encrypt is an open standard, and it's free for getting HTTP certificates.

[00:00:54] What they are is they're an authority. They say, when I registered gem.party, gem.party is who he says he is and we vouch for him. That's essentially what an authority does. We hear a lot of errors in the news these days with bad authorities, people like that. Essentially people that don't follow protocols so that I can register HBS, Netflix.com.

[00:01:16] And we'll be like, yeah, you're Netflix.com, cool, which is dangerous because we trust these authorities to say you are who you say you are, and if an authority can't be trusted then the whole system's broken. Yeah, anybody wanna know Let's Encrypt? You've heard of it. Cool, yeah, good organization, if you have time, a little bit of money to donate to them, it's a great cause and it makes the web just a little bit safer, let's people not eavesdrop on your connections as much.

[00:01:44] So if we go to the certbot homepage real quick, see that it's very, very friendly. In fact, they make it as easy as possible. You can pick, say we're using Apache on say, Ubuntu. It gives you instruction on how to do that for most of the modern operating systems.

[00:02:04] That is really, really cool. Advanced, yeah. So there's kind of no reason now not to have HTTPS now. And if you still have trouble, you should do it cuz you have to. If you wanna use service workers which are awesome. So let's certbot to add an HTTPS certificate.

[00:02:23] So we get the sweet lock icon. So first let's add the certbot repository.
>> Jem Young: So what we're doing is we're giving apt to the repo. Just a new address to look at. So we say like, who's certbot? We don't know. So when we add this in it just gives it a link to it.

[00:02:42] Then when we update, we're gonna pull in all the new repository information. And for long things, feel free to copy and paste for something very long. Most of the time, most studies that I've seen show that if you write something yourself, you're more likely to memorize it. So I don't generally encourage copy paste, but if you're adding a repo it's okay.

[00:03:03] So once you add the repo, if you run apt update just to pull on that repo information. And then run apt install python-certbot-nginx to solve the whole package. In the meantime, any questions about HTTPS? Kinda harped on it pretty long time in the last course, but any extra questions?

[00:03:29]
>> Jem Young: Great question, nobody. [LAUGH] You're thinking, why doesn't everybody just go HTTPS, why is it a big deal if it's this easy? The thing is, HTTPS requires encrypting and decrypting all those connections. You have to do that on the fly. That's not trivial. For someone like Netflix that does 34% of the world's traffic, that extra CPU time is a lot of money.

[00:03:52] It's a lot, a lot of money. And sometimes you have to add more servers just to handle that. So it's not as trivial as you might think to be like, why isn't every site on HTTPS? It takes work and it takes forethought to do these things. So if that's why you're thinking, it's that easy.

[00:04:07] Server admin should just do this. It's something to keep in mind when you go into HTTPS, but it's just a cost you have to pay for being part of the modern Internet.
>> Speaker 2: So you'll still need to buy certificate? Even if you use certbot?
>> Jem Young: No, it's free.

[00:04:21] That's the great thing about Let's Encrypt, is it's free. No cost. Historically, you've had to purchase them from authorities, cuz they're like, we're an authority, Verisign is an authority, and you had to buy a certificate from them and then you had to renew that every year, and things like that.

[00:04:36] Let's Encrypt was the game changer for HTPS because it's free. It's all backed by probably all the big tech companies cuz they all agree a safer web is a more secure web. All right, so I'm gonna add this in. I'm gonna copy and paste, don't judge me.
>> Jem Young: Nice, next step, apt update.

[00:05:20]
>> Jem Young: Awesome, and let's apt install, sudo apt install python-certbot. So installing the Python that we need with certbot with the nginx plugin. If you just install certbot, it won't have the nginx plugin which is the one we want, makes it much easier.
>> Speaker 3: What's in the docs from the certbot site?

[00:05:48] It has you install software properties common? What is that we don't need about that?
>> Jem Young: That comes with DigitalOcean.
>> Jem Young: There is a lot of shared binary, so let's say a lower level like C libraries. Things that a lot of software depends on. It's installed by default on DigitalOcean.

[00:06:05] But they always assume, and it's a good assumption, that you're on a fresh server, you're not on Amazon, or DigitalOcean, or Linode or things like that. Great question though.
>> Jem Young: All right, everybody here with me so far? About to get fun. Well, fun for me. So let's install certbot.

[00:06:25] So sudo certbot --nginx. So we're gonna install certbot with the nginx plugin. So here, sudo certbot --nginx. And it's probably gonna ask you some questions. Enter email address, whatever. It makes you do it, jem@netflix.com. Agree? No, I am not willing to share my email address. And because that earlier stuff where we added the server name into the nginx config, it just pulls it in there for us, which is really nice.

[00:07:12] Cuz we'd have to do that anyways eventually, so might as well do it early. And let's leave it blank. So I want a certificate on jem.party and www.jem.party.
>> Jem Young: So for this it's asking, if you hit HTTP, your server, do we wanna redirect automatically or do we wanna just let it through?

[00:07:41] We're gonna say redirect because we wanna make sure all traffic coming to our server is HTTPS only. So hit 2.
>> Jem Young: Nice, this use to be an hour. Originally for this block, I had an hour scheduled to do HTTPS 'cuz it's complicated. Now, what is that, 3 minutes?

[00:07:59]
>> Speaker 4: Wow.
>> Jem Young: But as we should always do, let's just go through and let's talk about what certbot is doing. So first it asked for your email, unrelated to the certificate, agree to terms, blah, blah, blah. So it's saying, again, what do we want HBS on? jem.party, www.jem.party.

[00:08:18] Fun fact, there are actually two different domains. People don't really realize that www is something different. But for the most part, for most of the Internet you treat them as one domain. So we went on both.
>> Jem Young: And it's creating a challenge, so what that is, is it's writing through nginx temporarily.

[00:08:34] It creates some unique URL and it responds with a file, a challenge file. So essentially it's like a key and what it's doing is, let's encrypt a saying, all right, I'll hit your box, I wanna make sure you have the challenge. And if you have the challenge and it's accepted, the handshake is good, you're actually who you say you are.

[00:08:52] So this what prevents me from making a certificate for, I don't know, Netflix.com or something like that. Because I don't control of that box, I can't make a certificate for it. That simple. Does that make sense? Because it's a little complicated. So what it did is it temporarily made a URL.

[00:09:09] So jem.party/, I don't know, we'll just call it foo for now. Foo validation. It wrote that into my nginx temporarily, restart the nginx for me. That way when Let's Encrypt calls jem.com or jem.party/foovalidation, it returns a file automatically for me, this key file. And then once that's done it's saying, okay, you have control of your serve you are what you say you are.

[00:09:32] We're gonna install a certificate for you, and then it cleans all that up for you. We used to have to do this by hand. You used to have to write these and have the correct challenge and then clean that up, now certbot does that for you. If that makes sense, any questions at all?

[00:09:47] Now do you understand why does this take a long time to do, cuz you had to try to get a key and a validation, now we don't do it anymore. Then we're saying we wanna redirect our HTTPS traffic to HTTP, and that's it. And if we wanna do SSL Labs, I know it's probably gonna give me like a B for my rating.

[00:10:20]
>> Jem Young: Nice, what did I get? Come on B, come on B, B+? [LAUGH]
>> Speaker 5: What does the score mean?
>> Jem Young: It's just saying how secure you are according to their metrics, like what kind of ciphers you are using, arey ou using the correct encryption and things like that for your key.

[00:10:38] Because again, there's different levels of encryption. It's easy to think of HTTPS as this broad one and done. But depending on how secure you want your data to be, how easy it is to break in, how easy it's not, you use certain levels of encryption. So we can make it really, really simple, as in it's just a basic encoding that's easy to break.

[00:10:57] It'll be fast, but it won't be that secure. That's pretty much what they're gonna rank me on right now.
>> Speaker 5: Which might be good if you don't care that much about having it super secure.
>> Jem Young: Yeah.
>> Speaker 5: And don't wanna spend the extra processing power.
>> Jem Young: Yeah, exactly.

[00:11:13] And it's like SSH key, you can generate a, I don't know, like an 8098 massive, it takes for ever to hand shake, it's super encrypted but there's diminishing returns on encryption. Like there's only so much that's gonna do you any good. I don't think the NSA is trying to break into jem.party, [LAUGH] but if they are they're probably already in, like what am I gonna do?

[00:11:37] [LAUGH] And I'll just let this run. A B, that's not bad. And we got a B because the default cypher suites we're running are not that strong. They're okay. I'm gonna leave it alone for now because we can get into key cryptometry a little bit later if we really want to at the end.

[00:11:56] But for now B's okay, I'm not running credit cards, I'm not serving anything important, B's good enough. And hopefully, why is it so slow? That's not good, that is so slow, it should be done already. Connection timed out, something happened. Maybe it didn't redirect properly. But we will find out.

[00:12:24] And now I've got this sweet, sweet icon. If we go into Chrome dev tools, I believe it's press Security, we can take a look at the certificate. I can't make that bigger, I'm sorry. But pretty much, we have Let's Encrypt authority. They're the ones who say, jem.party is who they say they are, yeah.

[00:12:52]
>> Jem Young: It's frozen,
>> Jem Young: [LAUGH] That is frozen, I don't know why.
>> Jem Young: There we go. Okay, is everybody here?
>> Speaker 5: Question, maybe I missed it. Do we do anything to have any sort of redirect from HTTPS to our party, or is that just from the Internet itself? Sorry, to our website.

[00:13:22]
>> Jem Young: Just from the Internet to our website. That is a excellent point. So remember when we did the proxy pass for proxying traffic to our Node server? We could tunnel that as HTTPS. As in we just let that traffic pass through, we don't decrypt it. You could do that.

[00:13:38] It's a bit complicated if we want to handle HVS within Node itself. It's better to let all the traffic terminate at nginx and then just pass through all the traffic encrypted. But let's say you had, I don't know, you want to run a TOR server, or you wanna run a secure server that you don't want people eavesdropping on.

[00:13:56] You can tunnel all your traffic to your database to wherever you want as HTTPS, but in general it's kind of a headache and it's better to let it terminate nginx cuz it's pretty fast to be coding. But great question, though. So everybody is here so far, right? HTTPS, we're good?

[00:14:13] If you're not, let me know. We have time-
>> Speaker 5: I'm doing endless spinnings like you were, but no.
>> Jem Young: Have you started doing HTTPS manually?
>> Speaker 5: No.
>> Jem Young: Yeah, I noticed that, too, it wasn't redirecting, which we will look into in a second. Now it is.
>> Speaker 5: That's great.

[00:14:29]
>> Jem Young: I think it just had a cache, it cached. It doesn't know to redirect, but once you do it once it should be okay. Okay, we're here, HTTPS, we have to lock.
>> Speaker 6: So in trying to set up the certbot, if it says cannot find the virtual host matching domain, blah, blah, blah, does that indicate problem with linking the domain to the IP?

[00:14:55]
>> Jem Young: Yeah, generally, it's saying it can't, well you set up nginx and you add the server name to your sever named block. And you save that and it's all good.
>> Speaker 6: I don't think it's all good.
>> Jem Young: Okay.
>> Speaker 6: It should be showing a generic nginx thing if you go to that.

[00:15:12] Like if you type in the domain, it should show you a generic nginx thing, right?
>> Jem Young: So if you started the Node server, it should be hitting, you should see, I'm a blank slate from the notes already.
>> Speaker 6: Okay, and that's not a time thing, like any time to catch up, it's an issue?

[00:15:26]
>> Jem Young: [CROSSTALK] I will walk though it during the break.
>> Speaker 7: Marius had a question in chat.
>> Jem Young: Is redirect working for you guys? Marius, he's asking is the redirect working? HTTPS is manually working. Yeah, I think when we hit the site manually before, it just cached that response in our local DNS cache rather than taking a redirect.

[00:15:46] So if you type in HTTPS manually and then now you try to go to jem.party, it's going to serve out the correct version, it's just cached. If you wanna try the incognito window that's probably a better way to make sure it's working actually. jem.party, yeah, there we go.

[00:16:06] And we will talk about caching in the next instance. And if anybody's groaning because they know caching is a hard problem, one of the hard problems of computer science is cache and validation. All right, high five yourselves because, like I said, that used to be a very, very tedious task.

[00:16:27] Now it's nice and easy. But we have to make sure our certificate stays up to date, because you don't have a certificate of perpetuity. It's gotta be able to renew itself, which certbot will do for you. So let's do a dry run just to make sure it's working correctly.

[00:16:43]
>> Jem Young: sudo certbot renew --dry-run. And about every, I wanna say three months or so, you have to renew your certificate just to make you are what you say you are. You're the owner of the website.
>> Jem Young: Awesome, and certbot set up, it's gonna renew correctly once we set it up with a job to do that.

[00:17:22] That's pretty nice. And again, it did the same thing, it created an authentication URL. It does that for you, it creates a key file. Let's encrypt handshakes with that, and then it deletes that for you. So you don't see any of that mess in your nginx config, which is really nice.

[00:17:41]
>> Speaker 8: Does it use the e-mail to remind you that that's due, or?
>> Jem Young: I don't know. I haven't used cerbot, maybe like a month from now. So my certificates aren't due for renewal for another two months. That would be nice if it does. That would be really useful.

[00:17:56] I don't know if it does, for now. Great question, though. Okay, Internet high-five. You did it. What used to take people a long, hard road to do, now all the traffic is jammed up already secure, just the way it should be. We can party on.