Set up Secure Internet Communication

What did I need to do to encrypt the data in transit and authenticate to my peers?

Communication on the Internet is a multi-layered story. Here I'll just cover what is needed to secure HTTP.

Transport Layer Security

HTTPS is secured HTTP. The protocol used to secure HTTP is TLS, formerly SSL. TLS is mainly about encrypting in transit and about authentication of the communicating parties. Cryptographic certificates are required for authentication. So you need to get one before you can communicate using TLS / SSL / HTTPS.

Crypto Certificates

The certificate certifies the identity of the certificate holder, and the protocols ensure that the holder can prove that the certificate was indeed issued to him. Technically, you can create your own certificate. These are called self-signed certificates and are pretty useless for authentication, but still useful for encryption.

Certificate Authorities (CA)

To obtain a certificate that is meaningful for authentication, you must have it issued by an authority. The authority itself must be able to verify your identity before issuing the certificate.

TLS Certificates from Cloudflare

With Cloudflare, I get my TLS certificates automatically. This is possible because Cloudflare knows ergberg.tk very well. After all, it provides the DNS servers for the domain.

In the security settings, I opted for the full (strict) model. This tells Cloudflare to use TLS on both sides: towards the end user and on the way to my server.

[Diagram: Client ↔ Cloudflare (Cloudflare certificate) ↔ Origin server (Let's Encrypt certificate); the origin server's other communication partners sit on the right]
Cloudflare between client & origin server

Cloudflare would also issue a certificate for the right side of the diagram above, which could be used for the communication between Cloudflare and my origin server. But not for anything else, because it is not a general certificate. The Let's Encrypt certificate has no such restrictions and can also be used for other communication relationships. This is especially important for communications where my origin server is the client, such as secure mail.

Certificates from Let's Encrypt

Let's Encrypt offers a free service for TLS certificates. Their motivation is that everyone should be able to protect data in transit using TLS. The certificates are valid for 90 days, after which they must be renewed.

Let's Encrypt also offers software called Certbot that greatly simplifies the generation, installation and automatic renewal of their certificates. Installing Certbot was easy with Snap on my Ubuntu machine.

Before Let's Encrypt will issue a certificate for your domain, you have to prove that it really is your domain. Sure, I shouldn't be able to impersonate www.some_other.domain if it's not mine. To prove domain ownership, Let's Encrypt supports two different approaches:

  • HTTP-01 challenge: You need to install some files under the path .well-known/acme-challenge on your local web server. If they show up at http://<your-domain>/.well-known/acme-challenge you are the proven owner of <your-domain>, as you can control the domain's web server.

  • DNS-01 challenge: Certbot asks you to add a special TXT DNS record for _acme-challenge.<your-domain>. If it finds this, you are the proven owner of <your-domain>, since you can control the DNS records of the domain.

Both tests can be fully automated. For HTTP-01, Certbot temporarily takes control of your web server, e.g. nginx. For the DNS-01 challenge, it can control your DNS server remotely via your DNS provider's API. Unfortunately Cloudflare is not impressed with my .tk domain and blocks the API. Setting the records via the dashboard is less convenient, but it also works.
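To make concrete what the CA actually checks in the two challenges, here is an added example (not code from the original post or from Certbot) that reproduces the ACME validation logic from RFC 8555: the key authorization is the challenge token joined with a dot to the thumbprint of the ACME account key; HTTP-01 expects that string as the body at /.well-known/acme-challenge/<token>, while DNS-01 expects the base64url-encoded SHA-256 of it in the _acme-challenge TXT record. The domain, token and account key below are constructed placeholders, not real values. This goes a little beyond the post by also showing the common misconfiguration of serving only the token, which fails validation.

```python
# Added example: how an ACME CA validates the HTTP-01 and DNS-01 challenges
# described above (RFC 8555 sections 8.1, 8.3, 8.4; JWK thumbprint per RFC 7638).
# Not from the original post. All sample values are constructed for illustration.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members.

    For an RSA key the required members are e, kty and n, serialized with no
    whitespace and keys in lexicographic order (sort_keys does that here).
    """
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 s.8.1: token '.' thumbprint of the account public key."""
    return f"{token}.{thumbprint}"


def http01_expected(domain: str, token: str, thumbprint: str) -> tuple[str, str]:
    """URL the CA fetches over plain HTTP and the body it must find there."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, thumbprint)


def dns01_expected(domain: str, token: str, thumbprint: str) -> tuple[str, str]:
    """TXT record name and value the CA resolves for DNS-01."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def validate_http01(served_body: str, token: str, thumbprint: str) -> bool:
    """CA-side check: body must equal the key authorization (trailing whitespace ignored)."""
    return served_body.rstrip() == key_authorization(token, thumbprint)


def validate_dns01(txt_records: list[str], domain: str, token: str, thumbprint: str) -> bool:
    """CA-side check: at least one TXT record at _acme-challenge.<domain> must match."""
    _, expected = dns01_expected(domain, token, thumbprint)
    return any(record.strip('"') == expected for record in txt_records)


# Constructed sample inputs (not a real key, token or domain).
SAMPLE_DOMAIN = "example.invalid"
SAMPLE_TOKEN = "Zm9vYmFyLWNvbnN0cnVjdGVkLXRva2Vu"
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "Y29uc3RydWN0ZWQtbW9kdWx1cy1ub3QtYS1yZWFsLWtleQ"}
SAMPLE_THUMBPRINT = jwk_thumbprint(SAMPLE_JWK)


def demo() -> dict:
    """Run both validations against correctly and incorrectly provisioned responses."""
    url, body = http01_expected(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
    name, value = dns01_expected(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
    return {
        "http01_url": url,
        "http01_ok": validate_http01(body + "\n", SAMPLE_TOKEN, SAMPLE_THUMBPRINT),
        # Serving only the token (a frequent misconfiguration) must fail.
        "http01_token_only": validate_http01(SAMPLE_TOKEN, SAMPLE_TOKEN, SAMPLE_THUMBPRINT),
        "dns01_name": name,
        "dns01_ok": validate_dns01([f'"{value}"'], SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_THUMBPRINT),
        # A record left over from an earlier issuance does not satisfy a new token.
        "dns01_stale": validate_dns01([value], SAMPLE_DOMAIN, "other-token", SAMPLE_THUMBPRINT),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Note that the DNS-01 value is a hash of the key authorization rather than the key authorization itself, so a TXT record can never be reused for a different token, which is why a renewal with the manual DNS flow always means editing the record again.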

As a consequence, Certbot cannot automatically renew my certificates through cron. Instead, I use the following command interactively before the certificates expire:

```bash
sudo certbot -d "ergberg.tk,..."  \
--manual --preferred-challenges dns certonly
```

Let’s Encrypt is a trademark of Internet Security Research Group. All rights reserved.