HTTP to HTTPS

Fri 24 July 2020
Public key (Photo credit: Michael Drummond)

The goal was to migrate this site from HTTP to HTTPS.

HTTPS overview

HTTPS is HTTP carried over TLS (formerly SSL). TLS provides data integrity (data cannot be modified without this being noticed), confidentiality (the request path, headers and content are known only to the two end points; the server name itself still travels in the clear, in the DNS lookup and in the SNI extension of the TLS handshake) and authentication (the end points are who they claim to be; on the public web usually only the server is authenticated, through its certificate).

TLS (ex-SSL)

TLS runs on top of a reliable transport (TCP) and below the application protocol. To provide its services it uses cryptography, which means key material must be exchanged. I won't go into the details of the cryptographic material involved (algorithms, keys, handshakes). The important point is that the material used to authenticate the server can be published in a certificate, which the server sends in the Certificate message of the handshake [RFC8446 sec.4.4.2]. The most common certificate format is X.509. The material it contains (mainly the public key and the algorithm it belongs to) is used during the TLS handshake [RFC8446 sec.4] to authenticate the server and to set up the session keys.

X.509

An X.509 certificate contains the material used to authenticate an end point. To be accepted, the certificate must be the end of a certification path that leads to a trust anchor the client already trusts (certification paths are defined in [RFC5280 sec.3.2], path validation in [RFC5280 sec.6]). In practice this means either a certificate signed by a certificate authority whose root is in the client's trust store, or a self-signed certificate that the client has been explicitly told to trust.

A self-signed certificate is easy to set up, but it is not trusted by default by browsers and most verification tools: visitors get a warning, and they have no way to tell your certificate apart from one presented by a man in the middle. For a public server, a self-signed certificate is therefore not suitable.

DevOps corner

To migrate from HTTP to HTTPS, the following steps must be followed:

  1. generate a key pair and a certificate signing request (CSR) for your X.509 certificate
  2. get the CSR signed by a certificate authority, which returns your certificate
  3. install the signed certificate (together with the CA's intermediate certificates) on the server
  4. configure your web server to use it
  5. test that your web server works (certificate chain, key/certificate match, redirect from HTTP)
  6. check that links to your website still work
  7. add a reminder in your calendar to renew the certificate before it expires
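The following script is an added example, not code from the original post: it walks through steps 1, 5 and 7 offline with openssl only. Because no CA is involved, step 2 is stood in for by self-signing the CSR, which is exactly what you would not do for a public site. The hostname blog.example.org, the working directory and the 30-day renewal window are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Steps 1, 5 and 7 of the
# migration with openssl only. Hostname, paths and the renewal window
# are assumptions; self-signing stands in for the CA of step 2.
set -eu

SITE=${SITE:-blog.example.org}   # assumed hostname
WORK=${WORK:-$(mktemp -d)}       # assumed working directory

# Step 1: generate the private key and a certificate signing request.
# The CSR (not the key) is what you send to the CA in step 2. The
# subjectAltName is what browsers actually match against; the CN alone
# is no longer enough.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$SITE" -addext "subjectAltName=DNS:$SITE" \
        -keyout "$WORK/$SITE.key" -out "$WORK/$SITE.csr" 2>/dev/null
}

# Stand-in for step 2: sign the CSR with its own key, valid for $1 days.
# A real CA signs it with the CA's key, which is what makes the result
# chain to a trust anchor browsers already hold.
self_sign() {
    openssl x509 -req -days "$1" -in "$WORK/$SITE.csr" \
        -signkey "$WORK/$SITE.key" -out "$WORK/$SITE.crt" 2>/dev/null
}

# Step 5a: the certificate must carry the public half of the key the
# web server is configured with; a mismatch is the classic "SSL error"
# after a renewal that replaced only one of the two files.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/$SITE.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/$SITE.key" -pubout)" ]
}

# Step 5b: build the certification path. With a CA-issued certificate
# you pass the system bundle (e.g. /etc/ssl/certs/ca-certificates.crt)
# plus the CA's intermediates; here the certificate is its own trust
# anchor, which only works because we explicitly hand it to -CAfile.
verify_chain() {
    openssl verify -CAfile "$WORK/$SITE.crt" "$WORK/$SITE.crt" >/dev/null 2>&1
}

# Step 7: does the certificate expire within $1 days? This is the test
# a renewal timer makes (Let's Encrypt issues for 90 days and Certbot
# renews with 30 days left). Returns 0 when renewal is due.
needs_renewal() {
    ! openssl x509 -in "$WORK/$SITE.crt" -noout \
        -checkend $(( $1 * 86400 )) >/dev/null
}

# Stand-alone run.
main() {
    make_key_and_csr
    self_sign 90
    key_matches_cert && echo "certificate matches private key"
    verify_chain && echo "certification path OK (self-signed trust anchor)"
    if needs_renewal 30; then echo "renewal due"; else echo "no renewal needed yet"; fi
}
main
```

Against a real CA, replace self_sign with the CA's issuance (Certbot does this over the ACME protocol) and point verify_chain's -CAfile at the system bundle plus the intermediates you installed in step 3; needs_renewal is then the check worth scheduling.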

Certbot is a tool that automates most of these steps. Let's Encrypt is a non-profit certificate authority; its certificates expire after 90 days [1]. Renewing every three months is not painful, because Certbot automates that too.

When run in interactive mode (as the documentation suggests), Certbot asks several questions in order to modify the web server configuration, in particular whether to redirect HTTP to HTTPS. You can even keep both versions of your website: one over HTTPS and one over plain HTTP. Redirecting is the safer choice for a public site: a visitor who follows an old http:// link then still ends up on the protected version, whereas with two versions the TLS guarantees only hold for visitors who typed https:// themselves.

Note that if you run several sites on your server (using virtual hosts), you can select which ones are migrated to HTTPS.

The first time you run Certbot, it performs steps 1 to 4. Step 7 is taken care of by the cron job or systemd timer shipped with the Certbot package, which runs "certbot renew" regularly and renews any certificate close to expiry; run "certbot renew --dry-run" once to check that renewal actually works before relying on it.

You still have to run the tests (steps 5 and 6) yourself. For example, the Pelican configuration has a global variable SITEURL that must be updated to the https:// address, otherwise the absolute links and feed URLs in the generated pages still point to the HTTP version.
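As an added example (not from the original post) of step 6 on a static site: after SITEURL has been switched to https://, any http:// reference to your own host left in the generated pages is either a hard-coded link or a page built before the change. The script below finds and rewrites them. The hostname blog.example.org and the output directory are assumptions, and the sample page is constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: find plain-http references
# to our own host in a generated static site and rewrite them. Hostname
# and directory are assumptions; the sample page is constructed.
set -eu

SITE=${SITE:-blog.example.org}   # assumed hostname
OUTPUT=${OUTPUT:-$(mktemp -d)}   # stands in for pelican's output/

# Constructed sample page: one correct link, two stale references to
# our own host, and one external http link that should be left alone.
write_sample_page() {
    cat > "$OUTPUT/index.html" <<EOF
<a href="https://$SITE/archives.html">archives</a>
<img src="http://$SITE/images/key.jpg" alt="key">
<link rel="alternate" type="application/atom+xml" href="http://$SITE/feeds/all.atom.xml">
<a href="http://example.net/">external site</a>
EOF
}

# Every plain-http reference to our own host, as file:line:match.
# Images, scripts and stylesheets loaded this way are mixed content
# that browsers block or flag; plain links just cost an extra redirect.
find_plain_http_links() {
    grep -rno "http://$SITE[^\"' <>]*" "$OUTPUT" || true
}

count_plain_http_links() {
    find_plain_http_links | wc -l | tr -d ' '
}

# Rewrite them to https (written via a temporary file so it works with
# both GNU and BSD sed). Rebuilding with the new SITEURL is the proper
# fix; this catches what a rebuild does not touch.
rewrite_to_https() {
    find "$OUTPUT" -type f \( -name '*.html' -o -name '*.xml' \) |
    while IFS= read -r f; do
        sed "s#http://$SITE#https://$SITE#g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Stand-alone run.
main() {
    write_sample_page
    echo "plain-http references before: $(count_plain_http_links)"
    find_plain_http_links
    rewrite_to_https
    echo "plain-http references after: $(count_plain_http_links)"
}
main
```

Run it against the real output directory with OUTPUT=output SITE=your.host; anything it reports after a clean rebuild is a link written by hand in a post.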


[1] Short-lived certificates are generally a good idea (you won't have to live with a mistake for long, and if the key is compromised the certificate cannot be abused for long, ...). Yet everything in security is a compromise between the level of protection and usability (otherwise the mechanism is not used as intended), and short-lived certificates require frequent renewals.

Category: network security Tagged: Unix Debian tools how to network security


Python virtualenv: quick reference

Sun 21 July 2019
Virtual environment (Photo credit: wikipedia)

To isolate python developments, I use virtualenv. This allows me to forget about the specific python version used for each project, avoids interference with the default python installation and between my projects, is relatively light, and may have other advantages I cannot imagine with my …

Category: programming Tagged: python tools code


LaTeX makefile updated

Fri 29 March 2019

My default LaTeX makefile evolved. Here is an update:

The makefile looks like:

LATEX=pdflatex
BIBTEX=bibtex
BIB=
# log messages that mean one more LaTeX pass is needed
RERUN='(There is undefined reference|Rerun to get (cross-references|the bars) right)'

# build a PDF from its .tex: one pass, then bibtex plus two more passes
# if a bibliography is present, then one last pass if the log still asks for it
%.pdf:%.tex
    ${LATEX} $<
    @if [ -e $*.bbl ]; then ${BIBTEX} $* && ${LATEX} $< && ${LATEX} $< ; fi
    @if egrep -q $(RERUN) $*.log ; then ${LATEX} $< ; fi

%.aux …

Category: tools Tagged: GNU LaTeX Makefile Writing how to tools


Back online

Mon 18 February 2019

I've migrated the blog from wordpress to pelican. Static files, quite easy to use.

The migration process went well. The pelican import tool is easy to use, and my rst linter highlighted the few errors made by the import tool (mainly empty sections).

There are still a few artefacts due to …

Category: tools Tagged: pelican wordpress blog tools


GPG key renewal

Tue 02 February 2016

Standard key (Photo credit: Wikipedia)

What happens when a PGP key expires? Obvious answer: you can no longer securely use it. Nevertheless, you may not delete it, as you must still be able to read your encrypted files.

Basic steps that should …

Category: network security Tagged: FAQs Help and Tutorials Mail tools


awesome global shortcut

Mon 04 January 2016
Multimedia keyboard (Photo credit: Wikipedia)

The awesome window manager does not provide a GUI configuration tool.

Here is a little how-to for exposing a feature through a global shortcut, illustrated with volume control.

Defining and identifying the feature and the shortcut

The wanted feature is usually accessible via the CLI. For …

Category: how to Tagged: alsa ArchLinux awesome Configuration file FAQs Help and Tutorials Unix window manager tools unix-like
