Implementing HTTPS with Certbot

[00:00:00]
>> So now we talked about the importance of https. And it kind of makes your website a real website, not just a toy one. So let's go ahead and implement it. To do that, we're gonna use a really nifty service called certbots. And then we're gonna install certbot.

[00:00:18]
It's gonna do all the work for us. Where in the old days, we had to do a lot of copy pasting, NGINX configuration. It does all that for us. Which again, is the benefit of being on this paved road of Ubuntu and NGINX, a well-supported and well-trodden path.

[00:00:32]
Then after that, all we have to do is open the firewall for ports. What's https, anybody?
>> Not 80.
>> Not 80.
>> It's 443.
>> 443, that's right. It's one of the common ports. So if you click on the link or navigate to certbot.eff.org, And I just sorta kinda through instructions.

[00:00:54]
Certbot is run by the Electronic Frontier Foundation, if you've never heard of them, very, very good organization. They fight for the users on the internet. They open lawsuits and privacy and things like that. It's probably one of the few charities that I donate to every one of my paychecks cuz I believe in their mission.

[00:01:11]
And they're doing something like this. So if you go on Namecheap or DigitalOcean, they'll be like, hey, we can set you up on an https certificate, but it's gonna cost you money. This will not cost you any money. So it's fantastic organization donate if you'd like, but let's go make use of their software right now.

[00:01:31]
So I'm gonna click there. And it makes it so handy. So my HTTP website is running on nginx and look at all these other things. We could be running Apache Troxy plus we're not, nginx on [SOUND]
>> Ubuntu.
>> Ubuntu 20. And it walks you through all the steps.

[00:01:58]
So this uses something called snap. And I played around with snap when I was creating this course. I didn't find it super reliable but we gotta use it this one time to install Certbot. Snap is just a package manager, just like APT. But I'd say it's a little more janky.

[00:02:14]
So we don't use it for most things, but we use it for this one. So we can just follow the instructions. So we're gonna SSH into our server, we're probably already there. We're gonna install snapd. It may already be installed by default. And then we're gonna just use snap to install certbot.

[00:02:35]
So I think snap is installed by default, but I'm gonna copy these commands just to make sure it's up to date. So SSH into my server, Yeah, I'm lazy, I'm telling you I'm lazy. I will go through all my entire history to avoid typing three lines. So clear, paste this command sudo snap install core, sudo snap refresh.

[00:03:10]
This might take a few seconds All right, Give you a second there. So next we're gonna remove certbot. I don't think it exists already, but, let's just be sure. Removes certbot, actually I know for a fact that doesn't exist yet, but just in case. Maybe that's sudo, just saying removed from apt, so sudo-apt-gets remove certbot.

[00:04:04]
Let's double check I'm reading these instructions correctly. Yeah, try that, yeah, it was installed, but doesn't hurt me. So now you snap that package manager. We say sudo snap install classic certbot All right, it's installed, but it's not quite running yet. So we'll jump back here. Or we're just gonna make a logical link, that's the ln.

[00:04:45]
We're gonna link the snaps, the binary of certbot/snapbin, bin is binary, certbot to ourselves, the one that we own, /user/ binary, bin/certbot. Pretty easy. If you wanna see the man Ln, just make links between files, nothing fit on Windows. It's like create short term equivalent of that. So now we're gonna put this into easy mode.

[00:05:21]
Sudo certbt--Nginx, it's gonna do all the work for us. It's gonna ask for an email address, I'm just gonna say jem@gemyoung.com or you can use your new domain name if you have the email forwarding setup. Did I read the term service? Nobody reads the terms of service. Do I wanna sign up for the newsletter?

[00:05:51]
No, I do not, sorry, FF, I love you, but I don't want another newsletter. And it's saying, because it's reading our Nginx configuration, it sees we have two different types of servers. We have our default server. So in my case, it's gemstock.lol. And we have a subdomain we created, too.

[00:06:07]
Do we want certificates for both? Of course we do. So we're just gonna leave it blank. So what this is actually doing, because I've done this the hard way back in the day, where I've had to do this all by hand before certbot came around. Is what it's doing is one it's adjusting our Nginx configuration actually let's go look at it, don't just take my word for it.

[00:06:35]
Let's take a look at what it was doing so sudo cat /etc where nginx is sites-enabled and let's look at the full stack front end one. And there we can see that certbot went in and changed our Nginx virtual host configuration. It didn't touch this part, but it did add the 443 listing on.

[00:07:09]
So it created 443 port it says ssl, secure socket layer is the encryption technology. It adds a certificate. And a .pem is it's sort of similar to an ssh key in terms of it's used as a key, but pem files are used as certificates in this case. AWS I think still uses pem files instead of ssh keys, sometimes just a lot of background there.

[00:07:37]
And then it created a certificate for us, created a private key. And then it did something really nice which is added a redirect. So if someone connects to us on ports 80, it's gonna redirect them to the port 443, this is a nice to have. That way you're ensuring people are always using HTTPS connection.

[00:07:56]
But really what we missed out on is What certbot does is it creates a certificate, it puts it in a certain directory, then certbot as a certificate authority. Someone that puts a stamp on your website that says like this is an official website, is it creates a file just to make sure you own the website.

[00:08:15]
Something you don't think of is, yeah, what if I create a certificate for a website or I don't? By that point, I can intercept all the traffic cuz I'm just decrypting all their traffic. So it creates a temporary file on your file system. Make sure that you can connect to it and just validates that you actually are the website requesting it.

[00:08:32]
That's why we had to do all the website stuff earlier, where I said it didn't really matter until we got to HTTPS, then we actually need a domain name. Cuz you can't do HTTPS over just an IP address. Pretty nice. So let's test automatic renewal because certificates have to be renewed over time.

[00:08:51]
You can't just have one in perpetuity, it has to run every so often. Certbot will do this for us, but we just wanna make sure that it all worked out. So we'll do a simulated registration here. All right, let's check this out. So let's get a jump start that lol.

[00:09:06]
We forgot to open the port. And all that certbot will not do that for us, which is probably good. You don't want something messing up your firewall. Fortunately, uncomplicated firewall makes it really easy. So we can just say sudo clear, sudo ufw allow https And we're gonna check sudo ufw status just to be sure, we see port 443 is now open.

[00:09:44]
So let's give this a shot again. Hey, it's all working too, what do you know? We got that nice little certificate there? What do you mean look at it. So that's that's pretty nice, that It does so much work for us. So all the work that goes on the background all the tweaking and moving around a file certbot does all that for us.

[00:10:13]
So again EFF is a really good organization it helps us as software engineers, it really looks out I recommend donating to them if you have the time and the money.