Ask HN: How easy/hard is it to offer HTTPS to your users?

9 points by FreeHugs ↗ HN
I am running a bunch of projects on a bunch of servers. How easy or hard is it to offer HTTPS to my users? Do I have to pay for a certificate for each domain? I don't own anything with most of my domains, so I would not like to pay much.

And some domains, I just use for myself. The only reason I want to enable HTTPS on them is that I want to securely acess them while workinng from Cafes and Coworking spaces.

I use Apache on all my servers. I probably have set up the most minimal config possible, so the servers only reply on HTTP. What do I have to do to make them reply on HTTPS?

7 comments

[ 2.9 ms ] story [ 23.9 ms ] thread
Use StartSSL[1], or self-signed certificates if you just use HTTPS for admin access to some of your sites. You can easily find many online tutorials on how to setup TLS/SSL on your web server after a bit of googling, such as this one[2] on the DigitalOcean community site.

P.S. Judging from your username, it seems like you have played agar.io too much. :)

[1] http://www.startssl.com

[2] https://www.digitalocean.com/community/tutorials/how-to-set-...

Edit: If you can wait until November this year, use Let's Encrypt[3] when it is generally available to the public. At this moment you can also use CloudFlare, which provides free SSL branded as "Universal SSL" if you use their CDN.

[3] https://letsencrypt.org/2015/08/07/updated-lets-encrypt-laun...

Wow, StartSSL will give me a free certificate that browsers accept without bugging the user? Are there any downsides to this?

Is that possible for the whole domain, so that when I get a cert for mydomain.com it also works for development.mydomain.com etc? Even when development.mydomain.com has a different IP then mydomain.com?

The major downside I know is that in case your private key is compromised and you want to revoke the certificate, you have to pay $24.90.

> Even though StartSSL™ provides certificates generally free of charge, revocations thereof may carry a handling fee. Take great care of your private keys, save and backup all files all the time!

See more on https://www.startssl.com/?app=37

WoSign[0] do free revok and will give you up to 100 altnames. Failing that I'd rather pay $10 for a cert from somewhere else, or pay a premium for my domain at Gandi and get a cert thrown in.

[0] https://buy.wosign.com/free/

Cloudflare gives HTTPS for free. All you need to do is change your NS servers and flip a few buttons.

Traffic is encrypted between browser and Cloudflare but not between Cloudflare and your server.

After you acquire a certificate, it's pretty tricky getting the configuration correct. I don't know about Apache, but in Nginx there are a lot of settings to set so that you deliver that fastest https experience. There's a video about it here https://www.youtube.com/watch?v=iHxD-G0YjiU. I'm dealing with this issue right now, where I have https setup, but it isn't running optimally.