Last updated: 2020-12-26
Before we show you how you can quickly get set up with HTTPS for your site, let's talk a little about what it is and why you should do it.
Hypertext Transfer Protocol Secure (HTTPS) is the secure version of Hypertext Transfer Protocol (HTTP). HTTPS adds a layer of encryption to the data that is sent back and forth between a browser and a website.
If you want to learn more about this topic, check out: https://www.cloudflare.com/learning/ssl/what-is-https/
At a high level, HTTPS works by having a trusted third party sign a certificate that vouches for a participating website. This trusted third party is known as a certificate authority (CA). There are many providers, offering different levels of customization and pricing, and it is definitely worth a few minutes to get yourself up to speed on the offerings. For the sake of this post, we are only going to talk about Let's Encrypt.
Let's Encrypt is a free, automated, open certificate authority (CA), run for the public's benefit. (P.S. I have no affiliation with Let's Encrypt. It's just nice and easy to use (and also what I use!))
Here are the commands I run when I want to set up a new server with a new (sub)domain. For other options (different OSes or providers), see: https://letsencrypt.org/getting-started/
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt install certbot
sudo certbot certonly --standalone
The certificate creation steps should be self-explanatory. Before you run that last command, make sure you have a domain (duh) and that it is pointing at the server of interest. In standalone mode, certbot spins up its own temporary web server to validate that the domain really resolves to the machine you are running it on (for obvious security reasons), so nothing else can be listening on that port while it runs. You should also make sure that you have opened the appropriate ports on your server: 443 is the port for HTTPS and 80 is the port for HTTP traffic. If you don't open the appropriate ports for your use case, the certificate process will fail!
Once you've successfully completed the setup process, you should have a key file and a cert file. Make sure to keep these safe; the private key in particular should never leave the server. Using these two files, you can now stand up your website. There are lots of ways to use them at this point. Here is an example of how I use them with gunicorn:
gunicorn blog.app:app -w 1 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:443 --keyfile /etc/letsencrypt/live/mywebsite.com/privkey.pem --certfile /etc/letsencrypt/live/mywebsite.com/fullchain.pem
You might need to replace the following with your particular values: 0.0.0.0 and mywebsite.com.
Lastly, the certificate needs to be periodically renewed (I think it is every 3 months). Make sure you set a reminder to update your certs before then!
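As an added example (not from the original post, and not Let's Encrypt's or certbot's own tooling), here is a small POSIX shell script covering the two things above that tend to go wrong: confirming that the privkey.pem and fullchain.pem you hand to gunicorn actually belong together, and catching a certificate that is about to lapse before visitors start seeing browser errors. It assumes only the openssl command-line tool. make_test_cert builds a throwaway self-signed pair (constructed test data) so the checks can be exercised offline, and the live/DOMAIN path is a placeholder for your own /etc/letsencrypt/live/<your domain> directory.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI.
# Checks a Let's Encrypt privkey.pem / fullchain.pem pair before it is
# handed to gunicorn, and warns when renewal is overdue.

# Build a throwaway self-signed cert/key pair so the checks below can be
# exercised offline. Constructed test data, not a real certificate.
make_test_cert() {
    dir="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=example.test" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

# Succeed only if the private key belongs to the certificate: both must
# yield the same public key. A mismatch means gunicorn will refuse to
# start, or you have mixed files from two different domains.
key_matches_cert() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed if the certificate expires within N days. openssl's -checkend
# takes seconds and exits non-zero when the cert will have expired by
# then (or when it cannot read the file, which we also treat as "expiring").
expires_within_days() {
    cert="$1"; days="$2"
    ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Human-readable notAfter date of a certificate.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Check one live directory. Exit 2 on a key/cert mismatch, 1 when fewer
# than 30 days remain (a hypothetical threshold chosen to leave time to
# fix a failed renewal), 0 otherwise.
check_live_dir() {
    live="$1"   # e.g. /etc/letsencrypt/live/DOMAIN, DOMAIN is a placeholder
    key_matches_cert "$live/privkey.pem" "$live/fullchain.pem" \
        || { echo "ERROR: $live: key and cert do not match"; return 2; }
    if expires_within_days "$live/fullchain.pem" 30; then
        echo "WARNING: $live: cert expires $(cert_expiry "$live/fullchain.pem")"
        return 1
    fi
    echo "OK: $live: cert valid until $(cert_expiry "$live/fullchain.pem")"
}

# Usage: sh certcheck.sh /etc/letsencrypt/live/mywebsite.com
# Runs the check only when a directory argument is given.
case "${1:-}" in
    "") ;;
    *) check_live_dir "$1" ;;
esac
```

Run it from a daily cron job (or as the reminder the post suggests); a non-zero exit means either the files don't match or fewer than 30 days of validity remain, which is enough lead time to sort out a broken renewal. The 30-day threshold is this example's choice, not a Let's Encrypt requirement.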