HTTPS with Certbot

The goal

Sending private messages

Over the open internet

With a trusted audience

HTTPS

Something.. Something.. Secure!

Tells us that we should encrypt

By using TLS

So what's that?

SSL/TLS

SSL -> TLS (SSL 3.0 formally deprecated in 2015 by RFC 7568; TLS is its successor)

Something.. Something.. Secure?

Yes!

TLS

Establishes an encrypted, authenticated connection

Only requires one-sided trust: the client authenticates the server, not the reverse (client certificates are optional)

The server proves its identity with a certificate

But who signs the certificate?

Self Signing

You can sign your own!

But nobody will trust it: every browser shows a warning unless you install your own CA on each client

And it is not easier than getting a CA-signed certificate

Who can the audience trust?

CA

Certificate Authority

Already trusted by your audience (its root is in their browser and OS trust stores)

Issues certificates, but only after checking that you control the domain

But how?

ACME Protocol

Automatic Certificate Management Environment

For requesting, validating, issuing, and renewing certificates automatically

Open standard (RFC 8555)

Client and server architecture: your client talks to the CA's ACME server

So how do we apply?

ACME Process

Create account (an account key pair; every later request is signed with it)

Make a request (an order naming the domains you want certified)

Verify ownership (the CA issues a challenge, e.g. HTTP-01 or DNS-01, that only someone controlling the domain can answer)

Install certificate (send the CSR, download the signed certificate, deploy it, and keep renewing it)
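The "Verify ownership" step, seen from the CA's side, as an added example (Python, written for this page; it is not Certbot's code and not part of the original deck). It implements the two common challenge checks from RFC 8555: for http-01 the CA fetches http://<domain>/.well-known/acme-challenge/<token> and expects the key authorization, token + "." + thumbprint of the account key (RFC 7638); for dns-01 it expects base64url(sha256(key authorization)) in a TXT record at _acme-challenge.<domain>. The JWK coordinates and the token below are constructed placeholder bytes, not real key material, and the function names are this example's own.

```python
"""
ACME ownership checks for http-01 and dns-01 (RFC 8555 section 8).
Added example for this page; not Certbot code. The key material and token
below are constructed placeholders, not a real key or a CA-issued token.
"""
import base64
import hashlib
import json
import re

# Members that go into a JWK thumbprint, per key type (RFC 7638 section 3.2).
# Everything else in the JWK (alg, kid, use, ...) is deliberately ignored.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}

# RFC 8555: a token is base64url without padding, at least 128 bits of entropy.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: sha256 over the required members only, lexicographically
    ordered, serialized without whitespace, then base64url-encoded."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: binds the token to one ACME account key, so a
    token that leaks to someone else is useless without that account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def check_http01(token: str, served_body: str, account_jwk: dict) -> bool:
    """The CA's check after fetching /.well-known/acme-challenge/<token> over
    plain HTTP: the body must equal the key authorization; trailing
    whitespace is ignored (section 8.3)."""
    if not TOKEN_RE.match(token):
        return False
    return served_body.rstrip() == key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Section 8.4: the TXT value is base64url(sha256(key authorization))."""
    digest = hashlib.sha256(
        key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def check_dns01(token: str, txt_records: list, account_jwk: dict) -> bool:
    """The CA queries _acme-challenge.<domain> and accepts if any TXT record
    matches; unrelated TXT records at that name are allowed."""
    if not TOKEN_RE.match(token):
        return False
    return dns01_txt_value(token, account_jwk) in txt_records


# Constructed sample data: a P-256 JWK with placeholder coordinates.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
    "alg": "ES256",  # present in real JWKs, ignored by the thumbprint
}
# A second account key: same token, different thumbprint.
OTHER_ACCOUNT_JWK = {**ACCOUNT_JWK, "x": b64url(bytes(range(65, 97)))}
TOKEN = b64url(bytes(range(100, 116)))  # 16 placeholder bytes -> 22 chars

if __name__ == "__main__":
    body = key_authorization(TOKEN, ACCOUNT_JWK) + "\n"
    print("http-01 body :", body.strip())
    print("http-01 ok   :", check_http01(TOKEN, body, ACCOUNT_JWK))
    print("dns-01 TXT   :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("other account:", check_http01(TOKEN, body, OTHER_ACCOUNT_JWK))
```

The point the last line makes is why the token alone is not enough: the key authorization ties the challenge to the account key that will own the certificate, so an attacker who can read the token from your web root still cannot complete the challenge for their own ACME account.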

ACME Providers

Server side of the ACME protocol

Let's Encrypt was the first (ACME was created for it)

Buypass Go SSL is another

Certificates have a short lifespan (90 days for Let's Encrypt), so renewal must be automated

Certbot

Client side of ACME protocol

Developed by the EFF (it started as the official Let's Encrypt client)

Fast, free, and easy

Other alternatives exist

Let's Encrypt maintains a list of ACME clients

As manual as it gets: gethttpsforfree.com

How to use Certbot

Install certbot

Run certbot

Have HTTPS

The hard part..

Installing certbot

    # Fedora/RHEL: system Python plus Augeas (the library certbot's Apache plugin uses to edit configs)
    sudo dnf install -y python3 augeas-libs pip
    # Keep certbot in its own virtualenv, isolated from system packages (the venv brings its own pip)
    sudo python3 -m venv /opt/certbot/
    sudo /opt/certbot/bin/pip install --upgrade pip
    # The nginx plugin answers the HTTP-01 challenge through your running nginx
    sudo /opt/certbot/bin/pip install certbot certbot-nginx
    sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
    # Free port 80 if Apache (httpd) holds it; leave nginx running, the nginx plugin needs it
    sudo systemctl stop httpd
    # Interactive: prompts for plugin, e-mail, and domains (sudo certbot --nginx skips the plugin prompt)
    sudo certbot

Demo

Summary

We used certbot to get a certificate

Requested via the ACME protocol and signed by Let's Encrypt

We can establish TLS connections with that certificate

We can run HTTPS on that connection

That's all folks!