Jamie's Blog

Lessons from a life of startups, coding, countryside, and kids

SSL the easy way

A long time ago I wrote up how to set up SSL with Rails 3.2, nginx and NameCheap. That will forever be known as “the hard way”. I still need to do things the hard way with my current project, but for all new projects I’m going to take one of the easier paths.

Note, I haven’t used all of these services in anger yet but they’re on my list for when I need them.

ExpeditedSSL

If you’re on Heroku, you have the option of using the excellent ExpeditedSSL. Setting up SSL on Heroku used to be a complicated nightmare with some hefty costs. In fact, that’s one of the reasons that I couldn’t use Heroku when I started on WorkCompass back in 2012. Now, you can just heroku addons:add expeditedssl and follow the instructions. Having just reinstalled an updated SSL cert today, the no-downtime automatic renewals that ExpeditedSSL provides sound like a clear winner and a necessity if you don’t have on-staff developers.

SSLMate

Remember the openssl commands, scp’ing files, unzip’ing archives, and concatenating certificate files that “the hard way” included? SSLMate gets around all that by giving you a command line tool which buys and installs your cert with just a sslmate buy www.yourdomain.com. I’m not sure how installing a cert on your own server could get easier. I’m looking forward to using this.

TinyCert

Strictly speaking, TinyCert doesn’t generate a proper SSL cert but it’s really useful in development or on a personal website.

It works like this: sign up for TinyCert, create your certificate authority, download the CA pem file, install it (just open it on a Mac and you’ll be prompted to install it to your keychain). Now your computer will trust any certificate signed by your own CA — be duly careful about the certs you sign! But what does that mean? You can create an SSL cert that you want to use in development and your browser will automatically trust it (no more scary browser warnings). I use lvh.me in development (it’s a wildcard domain name that just points to 127.0.0.1 for testing subdomains) so I created a wildcard SSL cert in TinyCert, downloaded the Certificate Chain and Private Key files, and added the following lines to my local nginx.conf file:

ssl_certificate      /path/to/certchain.pem;
ssl_certificate_key  /path/to/key.dec.pem;

Tada! My browser will now accept and trust the SSL cert at https://subdomain.lvh.me without any scary warnings. It’s even useful when doing demos off our staging server which still uses SSL but doesn’t have an official cert. Or, secure your self-hosted WordPress admin panel.
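The private-CA flow described above, reproduced locally as an added example (not from the original post and not TinyCert's own tooling): it builds a throwaway CA and a wildcard cert for lvh.me with openssl, then runs the checks worth doing before pointing nginx at the files. The function names, the o.cnf file and the constructed CA are assumptions; certchain.pem and key.dec.pem follow the file names used in the nginx lines above.

```shell
#!/bin/sh
# Constructed sample data: a throwaway CA and wildcard leaf, for local testing only.
make_dev_pki() {  # make_dev_pki DIR -> writes ca.pem, certchain.pem, key.dec.pem
  ( cd "$1" && umask 077 &&   # umask keeps the private keys unreadable by others
    cat > o.cnf <<'EOF' &&
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.lvh.me,DNS:lvh.me
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config o.cnf -extensions ca \
      -subj "/CN=Constructed Dev CA" -days 30 -keyout ca.key -out ca.pem &&
    openssl req -newkey rsa:2048 -nodes -config o.cnf -subj "/CN=*.lvh.me" \
      -keyout key.dec.pem -out leaf.csr &&
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -extfile o.cnf -extensions leaf -days 30 -out leaf.pem &&
    cat leaf.pem ca.pem > certchain.pem   # server cert first, then the CA
  ) >/dev/null 2>&1
}

check_pair() {  # check_pair CA_PEM CHAIN_PEM KEY_PEM HOSTNAME -> 0 if consistent
  # The first cert in the chain file must verify against the CA and cover HOSTNAME.
  openssl verify -CAfile "$1" -verify_hostname "$4" "$2" >/dev/null 2>&1 ||
    { echo "FAIL: $2 does not verify against $1 for $4" >&2; return 1; }
  # The key must load without a passphrase and carry the same public key as the cert.
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || cert_pub=""
  key_pub=$(openssl pkey -in "$3" -passin pass: -pubout 2>/dev/null) || key_pub=""
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: $3 is encrypted or does not match $2" >&2; return 1; }
  echo "OK: $2 and $3 are consistent for $4"
}

demo_dir=$(mktemp -d)
make_dev_pki "$demo_dir" &&
  check_pair "$demo_dir/ca.pem" "$demo_dir/certchain.pem" \
             "$demo_dir/key.dec.pem" subdomain.lvh.me
```

To check files downloaded from a CA service instead, skip make_dev_pki and pass the downloaded CA pem, chain and key paths to check_pair.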

Cloudflare

Probably the cheapest way to enable SSL on a site is to sign up for Cloudflare, which now provides a range of SSL configurations including a free option. This is probably a good way to secure a blog or personal CMS. The free configuration provides a secure connection from the client to Cloudflare, but the connection from Cloudflare to your server is still unencrypted. However, if you use TinyCert, you can generate a self-signed cert and install that on your server and then use Cloudflare’s “Full SSL” configuration to provide end-to-end encryption for free.