.. title: Let's encrypt
.. slug: lets-encrypt
.. date: 2018-02-17 12:47:02 UTC
.. tags: info, web, encryption
.. category: 
.. link: 
.. description: 
.. type: text

Ever since I set up the `new server <https://cobra.pdes-net.org/posts/new-server.html>`_ for this blog, I have wanted to switch from plain HTTP to TLS-encrypted HTTPS (if you think HTTPS is for online shops and banks only, `think <https://https.cio.gov/faq/>`_ `again <https://cheapsslsecurity.com/blog/http-vs-https-do-you-really-need-https/>`_).

This transition turned out to be much easier than I had expected. Hiawatha, our web server of choice, ships with a script that takes care of registering the site with `Let's Encrypt <https://letsencrypt.org/>`_ and requesting certificates for the associated domain(s). Chris Wadge, the maintainer of Hiawatha for Debian, has written an excellent `tutorial <https://dotbalm.org/lets-encrypt-with-hiawatha/>`_ that walks through the few steps needed to configure Hiawatha to serve HTTPS content.

Since I had to configure vhosts for the certificates anyway, I took the opportunity to set up some proper subdomains. For example, this blog can now be reached at `https://cobra.pdes-net.org <https://cobra.pdes-net.org>`_. 

After a bit of tweaking (setting HSTS to one year), the security rating of our site is flawless:

.. image:: ../images/qualys.png
   :align: center
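
A quick way to confirm that the HSTS policy a server sends really is the one-year policy described above is to parse the ``Strict-Transport-Security`` header and check its directives. The following Python snippet is an added example, not part of this post or of Hiawatha's tooling; the header strings in ``SAMPLES`` are constructed, not captured from any server.

```python
"""Validate a Strict-Transport-Security header against a one-year policy.

Added example; the sample headers below are constructed, not captured.
"""
import re

ONE_YEAR = 31536000  # seconds; the HSTS max-age the post settles on

# RFC 6797 directive syntax: name [ "=" ( token | quoted-string ) ]
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s;"]+)))?\s*$')


def parse_hsts(value):
    """Return {directive: value} for an HSTS header, or None if malformed.

    Directive names are case-insensitive and may appear only once; a
    repeated directive makes the whole header invalid (RFC 6797 section 6.1).
    """
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing or doubled separator
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()
        if name in directives:
            return None
        directives[name] = m.group(2) if m.group(2) is not None else m.group(3)
    return directives


def hsts_issues(value, min_age=ONE_YEAR):
    """List the policy problems with an HSTS header; an empty list means it passes."""
    d = parse_hsts(value)
    if d is None:
        return ["header is not well-formed"]
    issues = []
    age = d.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        issues.append("max-age missing or not a number")
    elif int(age) < min_age:
        issues.append("max-age %s is below %d (one year)" % (age, min_age))
    if "includesubdomains" not in d:
        issues.append("includeSubDomains not set")
    return issues


# Constructed sample headers and the result expected for each
SAMPLES = {
    "max-age=31536000; includeSubDomains": [],
    'max-age="31536000"': ["includeSubDomains not set"],
    "max-age=300; includeSubDomains": ["max-age 300 is below 31536000 (one year)"],
    "includeSubDomains": ["max-age missing or not a number"],
    "max-age=1; max-age=2": ["header is not well-formed"],
}

if __name__ == "__main__":
    for header, expected in SAMPLES.items():
        assert hsts_issues(header) == expected, header
        print("%-40s -> %s" % (header, hsts_issues(header) or "OK"))
```

Feed it the header value returned by ``curl -sI https://example.invalid`` (or any HTTP client) to check a live host; anything other than an empty list means the policy falls short of the one-year configuration.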
