I've been following the development of Let's Encrypt from its very beginning. It's a very interesting idea and platform, and quite appealing. Until recently, however, I still had not generated a single certificate. This has now changed: I just generated a free certificate via sslforfree.com, a web page that uses Let's Encrypt to supply high-quality SSL certificates for free. Too good to be true?
It turns out that the promise is indeed true, and I can now proudly tell you: from today on this homepage lets you use https, even though it is not mandatory for now (one step at a time). This removes a good deal of security risks and unwelcome side effects.
Of course, obtaining a certificate is only half of the story. There is more to think about when switching to https. Honestly, I had forgotten some of this stuff, but it hit me like a giant rock on my way to enabling encryption on this small page...
The first thing to take into consideration is the exact domain, i.e., the hostname, of the homepage. Currently, sslforfree.com does not allow wildcard certificates, so we have to know the exact address. For starters, there is a difference between, e.g., florian-rappl.de and www.florian-rappl.de: a certificate issued for one does not cover the other. Furthermore, using multiple certificates may also be a problem if the server does not know or allow SNI (short for Server Name Indication), because without it the server cannot tell which certificate to present before the TLS handshake completes.
Luckily, sslforfree.com can generate a single certificate for multiple domains. I picked some useful ones (including the two mentioned above) and went on to configure my server accordingly. Unfortunately, this is where the real problems started, as I am still running on very old (shared) hardware with an even older stack. The time for my move to Azure is overdue, I guess… I don't want to bore you with the details of my struggle, but the thing to point out is that configuring SSL may be easy now, yet it certainly was not a pleasant experience with the old, fragmented, and limited stack. For instance, I could not bind multiple SSL host headers to the same site. Instead, I had to create multiple sites, one for each redirect. These are just alias sites, but managing them seems awfully complicated.
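To make the hostname point above concrete, here is an added example (not code from the original post, nor from sslforfree.com or Let's Encrypt) that checks which of a site's hostnames a certificate actually covers. It works offline on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the three certificates below are constructed sample data, not real certificates; `SITE_HOSTS` and the `*_CERT` names are my own. The second half models the SNI problem: a server holding several certificates has to pick one by the name the client sends, and a client that sends no SNI gets whatever the default is.

```python
"""Hostname coverage and SNI selection checks (added example, constructed data)."""


def _name_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or a single leading '*' label that
    stands for exactly one label of the hostname (no partial wildcards, and
    '*.example.de' never matches the apex 'example.de')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_names(cert):
    """DNS names the certificate asserts: subjectAltName dNSName entries, with
    the subject CN used only as a fallback when no SAN extension is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(cert, hostname):
    return any(_name_matches(name, hostname) for name in covered_names(cert))


def uncovered_hosts(cert, hostnames):
    """The hostnames of a site that this certificate would fail validation for."""
    return [h for h in hostnames if not hostname_matches(cert, h)]


def select_certificate(sni_name, cert_table, default_cert):
    """Model of a server choosing a certificate: the SNI name picks the first
    certificate covering it; a client that sent no SNI gets the default."""
    if sni_name:
        for cert in cert_table:
            if hostname_matches(cert, sni_name):
                return cert
    return default_cert


# Constructed sample certificates in getpeercert() dict form (not real certs).
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "florian-rappl.de"),),),
    "subjectAltName": (("DNS", "florian-rappl.de"),),
}
MULTI_NAME_CERT = {
    "subject": ((("commonName", "florian-rappl.de"),),),
    "subjectAltName": (("DNS", "florian-rappl.de"), ("DNS", "www.florian-rappl.de")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.florian-rappl.de"),),),
    "subjectAltName": (("DNS", "*.florian-rappl.de"),),
}
SITE_HOSTS = ["florian-rappl.de", "www.florian-rappl.de"]


if __name__ == "__main__":
    for label, cert in [("single-name", SINGLE_NAME_CERT),
                        ("multi-name", MULTI_NAME_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        print(f"{label:12s} misses: {uncovered_hosts(cert, SITE_HOSTS)}")
    # A server holding one certificate per hostname only works if SNI arrives.
    table = [SINGLE_NAME_CERT, WILDCARD_CERT]
    picked = select_certificate("www.florian-rappl.de", table, SINGLE_NAME_CERT)
    print("SNI www  ->", covered_names(picked))
    picked = select_certificate(None, table, SINGLE_NAME_CERT)
    print("no SNI   ->", covered_names(picked), "(browser visiting www would fail)")
```

Running it shows that the single-name certificate leaves `www.florian-rappl.de` uncovered, the wildcard leaves the apex uncovered, and only the multi-name certificate (the kind the post ends up with) covers both; the SNI model shows why a client without SNI gets a mismatched certificate on a server that relies on per-host certificates.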
Long story short: there are two things I can highly recommend, namely choosing a modern stack / development platform and using a secure layer in the form of SSL or TLS to encrypt the http communication. Now, with Let's Encrypt, there is no excuse anymore for not following the latter.