Further configuration of æthok
Yesterday, I wrote about how I set up the website hosting the content you’re currently reading. The setup didn’t include HTTPS, so today I’ll write a quick note while I’m setting that up.
Let’s Encrypt
Other than a slogan, “Let’s Encrypt” is also a certificate authority. In a nutshell, it’s a free and easy way to set up SSL/TLS, which is what HTTPS needs in order to work. The nginx docs come to the rescue again when looking for a guide to set Let’s Encrypt up.
As a side note, SSH-ing to the EC2 instance I created yesterday for the server was hanging. I had the presence of mind to realize that my IP might be changing, and indeed that was the problem. After poking at the security group for the instance and changing the only allowed SSH source address to my current one, it works again.
As another detour, I started customizing the prompt of the shell I get, after I SSH into the machine. I feel it’s like when you go to put fuel in your car, but you end up washing it too. Unnecessary, but those are the small things in life, I guess.
I’m using PS1='[\W \A]$ ', in case you’re wondering, which shows up as, e.g., “[~ 10:05]$ ” when I log in.
Anyway, distractions aside, the process of following the guide is straightforward. On success, I get a notice including:
“Your cert will expire on 2022-07-13. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the “certonly” option. To non-interactively renew all of your certificates, run “certbot renew”.”
I’m writing this down here, so I don’t have to Google it, once renewal time comes knocking. (Actually, never mind, see Automatic renewal of certificate.)
There’s also a note encouraging me to set up regular backups of the Let’s Encrypt configuration directory. Since I have zero backup hygiene at the moment, I’ll pass on it, but it’s a good future task to attempt and write about.
The last part of the note encourages me to donate. I am always trying to heed such calls, but going to the site suggests a default one-time donation of $100. That’s a little steeper than the $5 I was ready to give. A cursory check indicates that certificates cost an average of $60/year, but still, single-site certificates like the one I need are as low as $5/year.
So I decide to pay that, plus some extra for the convenience of setting the whole business up, so I end up donating a one-time $10, counting on my future generosity to top it up occasionally.
Automatic renewal of certificate
I’ve been caught not following the guide to the end before writing this article. Just after creating the certificate, the guide encourages you to set up a cron job so that it’s automatically renewed. It’s actually quite straightforward too, and it takes only moments.
Troubleshooting
Now, after going through the whole setup, the website still doesn’t load via HTTPS. In fact, no combination of (http|https)://(www.)?aethok.com works. I get “The page isn’t redirecting properly”. So much for automatic configuration.
My first attempt was to re-run certbot, telling it not to generate any redirects. That didn’t help. Second attempt: delete the config, and rewrite the simple HTTP-only config: now I can see the HTTP version of the website. Running certbot again, asking for no redirects (I’ll count on Cloudflare for that): HTTP still works, but typing HTTPS in Firefox brings me back to HTTP. Annoying.
Forcing Firefox to use HTTPS only tells me “an HTTPS version of www.aethok.com is not available”. Could it be Cloudflare’s fault? Heading to the configuration there and forcing HTTPS: and it works! But that’s strange. Seems like turning off SSL/TLS encryption actually disables it, rather than “does not force it”. It’s a little contrary to what I’d expect. If I turn off HTTPS-only in Firefox, I can now access both HTTP and HTTPS versions of aethok.com.
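The “page isn’t redirecting properly” error is Firefox giving up on a redirect loop, and the quickest way to see who is bouncing you where is to walk the chain one hop at a time instead of letting the browser (or curl -L) hide it. The script below is an added example, not part of the original post or of certbot/Cloudflare; the fake_fetch responses are constructed to reproduce the HTTP-to-HTTPS-to-HTTP loop described above, and real_fetch assumes curl is installed.

```shell
#!/bin/sh
# Walk a redirect chain hop by hop and stop at the first URL seen twice.
# Added example for diagnosing a Cloudflare/origin redirect loop; not from the post.

# location_of HEADERS: print the Location header value (case-insensitive), or nothing.
location_of() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1)=="location:" {print $2; exit}'
}

# Constructed stand-in for `curl -sI "$url"` reproducing the loop in the post:
# one side sends HTTP -> HTTPS, the other sends HTTPS -> HTTP (sample data, not a capture).
fake_fetch() {
    case "$1" in
        http://www.aethok.com/)  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.aethok.com/\r\n' ;;
        https://www.aethok.com/) printf 'HTTP/2 301\r\nlocation: http://www.aethok.com/\r\n' ;;
        *)                       printf 'HTTP/1.1 200 OK\r\n' ;;
    esac
}

# real_fetch URL: headers of the first response only (no -L), so each hop is visible.
real_fetch() { curl -sSI --max-time 10 "$1"; }

# walk_redirects URL FETCH_FN [MAX_HOPS]: prints "HOP <url>" per request, then
# "LOOP <url>" (return 1) if a URL repeats, "END <status>" (return 0) on a
# non-redirect, or "TOOMANY" (return 1) after MAX_HOPS redirects.
walk_redirects() {
    url=$1; fetch=$2; max=${3:-10}; seen=" "; n=0
    while [ "$n" -lt "$max" ]; do
        case "$seen" in *" $url "*) echo "LOOP $url"; return 1 ;; esac
        seen="$seen$url "
        headers=$($fetch "$url")
        echo "HOP $url"
        next=$(location_of "$headers")
        if [ -z "$next" ]; then
            echo "END $(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')"
            return 0
        fi
        url=$next; n=$((n + 1))
    done
    echo "TOOMANY"; return 1
}

# Against the live site, swap in real_fetch: walk_redirects http://www.aethok.com/ real_fetch
walk_redirects http://www.aethok.com/ fake_fetch || echo "diagnosis: redirect loop"
```

Each HOP line names the exact URL that answered with a redirect, so when Cloudflare and the origin disagree about the scheme the culprit is visible without guessing at nginx or Cloudflare settings.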
In hindsight, I probably didn’t need to turn off encryption in Cloudflare in the first place, but I’m not sure. In any case, HTTPS is now working, so there’s nothing more to write about at the moment.