A look at how to create free Let's Encrypt for a hosted Joomla! site

1. Digital Certificates & Joomla!
How to get, install, make use of digital certificates
with Joomla! (and other applications too)
Joomla! User Group Toronto
2016/11/23

2. Why do we need digital certificates?
So you can connect via https:// instead of http://
And that means?
The information that flows between your browser
and the web server is encrypted. And the
certificate ensures that you’re talking to who you
think you’re talking to.

3. Setting Joomla! To use https://
● Fortunately with Joomla! All you have to do is
change one setting - “Force HTTPS”

4. And you’re done ...

5. Well, not quite
● You do have to “Save & Close”
● You can also have “Administrator Only”
● The regular users still can use http://, but the
administrator interface is set to use https://
That seems almost too simple ...
there must be more to it?

6. Yes, there will be a few more slides
before we’re done ...
● The rest actually happens on the web server side
● You need a certificate to identify the site being
served by the web server.
● These certificates fall broadly in 3 categories
● Self-signed
● SSL certificates
● Web server certificates (with different levels of
verification)

7. Self-Signed Certificates
● You create them yourself, but with no sense of
proof of identity
● These are the ones that most browsers will give
warnings about.
● From an encryption point of view they are just
as “good” as ones issued by a Certificate
Authority

8. Typical Self-Signed Warning
● Note error message, red “broken” lock on URL

9. SSL Certificates
● Some free options (Let’s Encrypt is one, which
we’ll look at in more detail)
● Paid SSL certificates are generally less
expensive than the 3rd group (about $50 per
year)
● You won’t get the error message, but you don’t
have any proof of the identity of the
organization behind the web site.

10. Https with Let’s Encrypt SSL
● Green background, no error message, green
closed lock (although that varies by browser)

11. What can I use this for
● Usually you’d use the SSL certificates for less
critical information. Usually you wouldn’t use
them for anything involving collecting credit
card information, for example.
● But since Google is now moving towards
pushing sites that aren’t using encryption down
in search results, it is a good idea for even
regular sites.

12. There must be a downside?
● Not all browsers are happy with all Certificate
Authorities
● While they work with almost all browsers, there
will be some that come up with a warning, or
don’t work.

13. For example
● Works fine with Vivaldi on a PC
● Not with BB10 browser

14. Known Compatible
· Mozilla Firefox >= v2.0
· Google Chrome
· Internet Explorer on Windows XP SP3 and higher
· Microsoft Edge
· Android OS >= v2.3.6
· Safari >= v4.0 on macOS
· Safari on iOS >= v3.1
· Debian Linux >= v6
· Ubuntu Linux >= v12.04
· NSS Library >= v3.11.9
· Amazon FireOS (Silk Browser)
· Cyanogen > v10
· Jolla Sailfish OS > v1.1.2.16
· Kindle > v3.4.1
· Java >= JDK 8u101

15. And the others ...
– Possibly Incompatible
· Sony PS3 and PS4 Game Consoles
– Known Incompatible
· Blackberry OS v10, v7, & v6
· Android < v2.3.6
· Nintendo 3DS
· Windows XP prior to SP3
· cannot handle SHA-2 signed certificates
· Java < JDK 8u101

16. Web Certificates
● Most expensive - $100 to $250 per year
● The Certificate Authority verifies the identity (to
a greater or lesser extent) of the entity
requesting the certificate.
● Usually used for credit card, banking or other
sensitive web sites.
● Widely supported by most browsers

17. TDCanadatrust
● Green bar, green closed lock, name of
organization to which the certificate was issued.

18. Google
● Some Anti-Virus/Malware products will intercept
all URL’s as part of protecting you from malware
● As part of that, https connections will connect
using the AV’s certificate on your local machine
so that the data can be decrypted and checked.
● The certificate used to connect will be checked,
and if it isn’t Google’s, the connection will be
denied.

19. Using Let’s Encrypt Certificates
● There is a cPanel extension under development that
will allow you to create your own
● Some ISP’s generate them for you
● You can install the software, but you may not be able
to on shared hosting.
● You can also manually install them.
● We’ll look at the method described here:
https://www.kosinix.com/install-lets-encrypt-
certificate-on-shared-hosting/

20. Why this manual method?
● It should work on almost all hosted
environments
● But you have to redo it every 90 days

21. What do I need?
● A Linux system (which could be a Virtual
Machine e.g. Ubuntu on Virtualbox) to install
and run the Let’s Encrypt software
● Ability to create directories and files (and their
contents) on your web server
● Something like cPanel to install and select the
resulting certificate.

22. Install “Let’s Encrypt”
● On a machine you control (I’m doing this as
root)
● You may have to install git first
git clone
https://github.com/letsencrypt/lets
encrypt

23. With Ubuntu 16.04
● I’ve cd’ed to /root
root@Ubuntu1604:/root# git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Counting objects: 41581, done.
remote: Compressing objects: 100% (96/96), done.
remote: Total 41581 (delta 50), reused 0 (delta 0), pack-reused 41485
Receiving objects: 100% (41581/41581), 11.72 MiB | 3.11 MiB/s, done.
Resolving deltas: 100% (29620/29620), done.
Checking connectivity... done.
root@Ubuntu1604:/root# ls
letsencrypt

24. From the letsencrypt directory
● This starts the process locally, for your hosted
site (the first time you run this, it may also
install other packages).
● I’ll usually use -d www.yourdomain.ca too
root@Ubuntu1604:/root/letsencrypt# ./letsencrypt-auto certonly -a manual --rsa-key-
size 4096 -d voggtech.ca

25. Fill in information

26. Obligatory Legalese

27. And ...

28. And now the tricky part
● Sometimes the exact hostname, and where in
the filesystem may take some fiddling

29. What does that mean?
●
You need to connect to your hosting environment, and create the directories
.well-known, and below it acme-challenge
●
You then need to create a file in acme-challenge called:
L3r7tCEOfLdZHBkNOoPzfKG6JYRQme45dzIc1e_W4jE
● It must contain the text:
L3r7tCEOfLdZHBkNOoPzfKG6JYRQme45dzIc1e_W4jE.EQmd_doFxBzxtc
cUOeDcPjROkiX3-yvvHZHuprdOUaM
● Note that every time you run the command, the file name and text
changes.
● You must create the file, and its contents before you “Press ENTER to continue”
● If you don’t you’ll have to start the command again.
● If you have more than one -d parameter, you’ll need to do this for each one on
your command line.

30. And how do I do that?
● It depends – but many hosting providers use
cPanel, so we’ll look at it that way.
● Log into your hosting account, and start up “File
Manager”
● You could also use sftp or ftp if that is what your
hosting company allows.

31. YMMV

32. Hidden Files
● With Linux, directories/files starting with a dot
are hidden – you’ll probably want to change File
Manager to show hidden files.

33. Create Directories and Files
● Create the .well-known, and the acme-
challenge directory below it
● If you’re renewing a certificate, they’ll be there
already.
● Then create the file

34. Put the string in the file
● Here I’m using the “Code Edit” option that you
get by right clicking on the file name
● Save and close

35. Now, back to the “Press Enter ...”
● If you’ve got it right, you’ll get something like

36. Just a little more ...
● Now we need to grab the created certificate,
and put in the list of certificates, and set the
web server to use it.
● I’m using the Certificates option:

37. Upload or paste the contents of
cert.pem

38. Then to Manage SSL hosts
● Select the domain
● Then select the certificate, also paste in the
Private Key.

39. Then select Install Certificate
● And you’ll see the certificate for your site

40. And we’re good for another 90 days

41. Questions?
● Contact dpickett@voggtech.ca