I've postponed this for eons, but it was time to migrate the olea.org website to https.
Concerned about privacy, in 2009 the EFF launched the Encrypt the Web campaign, aiming to move all Web users to encrypted communications and addressing sysadmins, software programmers and users alike. Now I have taken the needed step for my main web server, and since there is plenty of better documentation on this, I'll just comment briefly on some practical details.
First, the tools that helped me with the process:
- Mozilla Observatory, a web application for auditing the https configuration of a given domain.
- Mozilla SSL Configuration Generator, another web application that helps you fine-tune your website's https configuration in the most secure way.
You should try both if you haven't yet. And thanks a lot to the Mozilla Foundation for creating them.
Second, the migration issues, because the audit results are pretty bad: 🙈
- I'm not sure whether my server changes will have collateral effects on the other hosted sites. I'm not the best sysadmin. Let's see.
- One of the biggest problems of this migration is how old this server is: a CentOS 5 server which should have been migrated years ago. Still on my ToDo list. I think the most negative points of the audit are a consequence of this.
- The other one is the CA of my X509 certificates. For some years I've been a promoter of CACert and I'm using these certificates for other services on my server, but at this moment CACert hasn't been able to get its root certificate accepted under the WebTrust Principles and Criteria for Certification Authorities, and the internal crisis of the organization has broken all my hopes for a community-driven, X509-compatible certification authority. In practice this means my current X509 certificate is not trusted by anybody who has not added the CACert root certificate by hand. Not a fun thing.
If you are reading these lines then it is very probable you know about Letsencrypt, which I really love too. This time I have two concerns with Letsencrypt: the first is that this server is so old that it should be migrated soon; the second is that Letsencrypt is not designed to verify identities. The alternative seems to be to find a free (as in beer) or paid CA providing the verification service.
Well, I know this entry is not very useful for most users, but I'm now trying to write more regularly and to document my routine technical progress. And as the song says, «que ojalá os sirva» (may it be of use to you).
PS: Finally I deactivated the Apache redirection from http to https because using a CACert certificate broke my RPM repository and complicated access to my web for some users. This is sad.
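As an added example (not from the original post, and not the server's actual configuration): instead of switching the redirect off entirely, an Apache mod_rewrite rule can keep the http-to-https redirect for the site while exempting the repository path, so yum clients on hosts that do not have the CACert root installed can still fetch packages over plain http. The `ServerName` and the `/repo/` path are assumptions; mod_rewrite is available in the Apache 2.2 shipped with CentOS 5.

```apache
# Added example, not from the original post. Keeps the http -> https
# redirect but exempts the RPM repository path. The ServerName and the
# /repo/ path are assumptions; adjust them to the real layout.
<VirtualHost *:80>
    ServerName olea.org

    RewriteEngine On
    # Requests under /repo/ (assumed repository path) stay on plain http,
    # so yum on hosts without the CACert root can still fetch packages.
    # Package integrity there comes from the GPG signatures checked by
    # the clients (gpgcheck=1), not from TLS.
    RewriteCond %{REQUEST_URI} !^/repo/
    # Everything else gets a permanent redirect to https.
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
```

After reloading Apache, `curl -I` against `http://olea.org/` should answer with a 301 to the https URL, while the same request against `http://olea.org/repo/` should answer 200 directly. Because part of the site is still deliberately served over http, the `Strict-Transport-Security` header should not be enabled on the https side until the repository can move as well, since HSTS would make browsers refuse the plain-http path too.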