HTTPS with Let’s Encrypt

Following these instructions from Digital Ocean, it was really easy to get HTTPS set up for my flask app with Let’s Encrypt.

Since I already have git installed, the first step is to clone the letsencrypt tool:

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Move into the directory and run the tool to install a certificate:

cd /opt/letsencrypt
./letsencrypt-auto --apache -d example.com

The tool will install all of the needed dependencies. The next step is to set up auto-renewal, since Let’s Encrypt only offers 90-day certificates. Digital Ocean has provided a shell script to handle this process, but I modified it to remove the dependency on the bc tool. When the certificate is within 30 days of expiration, it will renew. The script can be installed via curl:

sudo curl -L -o /usr/local/sbin/le-renew https://gist.githubusercontent.com/jeffvautin/5d98b4f7d42ab29463e2/raw/6a4b01a4caba2efd1e3dbc97a33d2ef1f80ecf26/le-renew.sh
sudo chmod +x /usr/local/sbin/le-renew

Edit the crontab to add a recurring task:

sudo crontab -e

Then add this line to the configuration to run the update script weekly:

30 2 * * 1 /usr/local/sbin/le-renew example.com >> /var/log/le-renew.log

I’ve updated my server configuration post to include these steps. And I’ll be making a small contribution to Let’s Encrypt - they’ve made this process so simple.

POODLE Vulnerability

When I tested one server with the following link, it reported a vulnerability to the POODLE attack:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

Digital Ocean also provides instructions for resolving this. You need to disable SSLv3 by editing a configuration file:

sudo nano /etc/apache2/mods-available/ssl.conf

Find the line starting with SSLProtocol and change it to:

SSLProtocol all -SSLv3 -SSLv2

And then restart Apache2:

sudo service apache2 restart

Retesting with the SSL Labs link above should show the server is no longer reported as vulnerable to POODLE.
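As an added example (not the post's le-renew script or DigitalOcean's), here is a Python version of the two checks this post relies on: the 30-day renewal decision, computed from the `openssl x509 -noout -enddate` output without `bc`, and a check that an Apache `SSLProtocol` line really leaves SSLv3 disabled. The `notAfter` date and the config lines used in the comments are constructed sample input; `cert_enddate` is the only part that needs the openssl binary.

```python
import re
import subprocess
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # the post's script renews inside this window
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def cert_enddate(cert_path):
    """Run openssl to get the 'notAfter=...' line of a PEM cert (needs the binary)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


def parse_not_after(enddate_line):
    """Parse a constructed sample like 'notAfter=Mar  1 00:00:00 2024 GMT' as UTC."""
    value = enddate_line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(enddate_line, now=None):
    """Whole days left; 'now' is an aware datetime, an ISO 8601 string, or omitted."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    return (parse_not_after(enddate_line) - now).days


def needs_renewal(enddate_line, now=None, threshold=RENEW_WITHIN_DAYS):
    """True when the certificate is inside the renewal window or already expired."""
    return days_until_expiry(enddate_line, now) <= threshold


def sslv3_disabled(ssl_conf_text):
    """True if the last uncommented SSLProtocol directive ('all', '+p', '-p', 'p') excludes SSLv3."""
    tokens = None
    for line in ssl_conf_text.splitlines():
        match = re.match(r"SSLProtocol\s+(.+)", line.strip(), re.IGNORECASE)
        if match:  # a '#'-commented line never matches, since match anchors at the start
            tokens = match.group(1).split()
    if tokens is None:
        return False  # no directive found: the fix cannot be confirmed from this file
    enabled = set()
    for token in tokens:
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return "SSLv3" not in enabled
```

Pointing `cert_enddate` at the live certificate and feeding its output to `needs_renewal` reproduces the decision the cron job makes each week.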