Adding free SSL (HTTPS) to a Drupal site with Simp_le and LetsEncrypt on Debian/Apache2

LetsEncrypt hits public beta

There's a strong argument for running your Drupal sites over HTTPS. Security is good! Google has even said that this will help your search rankings. LetsEncrypt, a free SSL certification programme, went into public beta on Thursday.

The LetsEncrypt default client is pretty flaky in that it tries to overwrite your server setup. That's not everyone's cup of tea; certainly not mine. Over on Hacker News, there's a post about LE moving into public beta. One of the comments refers to an alternative client for LetsEncrypt certificates. This is written by the main developer of the official client, so I'm happy with that. This is a guide on how to set up the alternative Simp_le client for LetsEncrypt for a Drupal 7 site running on Debian/Apache2. YMMV on alternative configurations.

Initial step: visit https://github.com/kuba/simp_le and read. If you're happy with what you see, carry on. Bear in mind that this will install Python and some libraries in order to work.

Set up Simp_le

Make a place to install the Python virtual environment, which this will set up. To avoid permissions issues, I suggest doing this in /home/{account}, with a view to securing the web root of /home/{account}/public_html. I personally made a 'bin' dir:

mkdir bin
cd bin
git clone https://github.com/kuba/simp_le.git
cd simp_le

Install the virtual environment as per the simp_le site instructions:

sudo ./bootstrap.sh
./venv.sh
. venv/bin/activate

Drupal specific: comment out the line in .htaccess to block serving of dot files by Apache (line 83 in my install):

# RewriteRule "(^|/)\." - [F]

This is a temporary measure. If someone knows how to allow access to just the directory '.well-known' which will be created, please post an update to that Rewrite rule!

For Apache we need three key files, as per this suggestion in the examples on the git site (https://github.com/kuba/simp_le/wiki/Examples):
Using these Simp_le plugins: -f key.pem -f cert.pem -f chain.pem
allows for the Apache config: SSLCertificateKeyFile key.pem, SSLCertificateFile cert.pem, SSLCertificateChainFile chain.pem

So to generate these files, the command we want to issue is:

simp_le -f key.pem -f chain.pem -f cert.pem -d www.mydomain.com:/home/{account}/public_html

The -f directives in the command are plugin names, not input or output files. Running this command will attempt to verify your domain by creating public_html/.well-known with some content file(s), which the CA then fetches over the web. If this is successful, change the .htaccess file back and examine the directory for three files: cert.pem, chain.pem, key.pem. These filenames are the same as the plugins but I believe that's just a coincidence.

You need to move these files to a folder outside the web root if they aren't already. Make a note of the path, and make the private files visible only to root. I put mine in ~/certificates. You (probably) need to su to root or use sudo to do this.

NOTE: whilst this works fine for me, the author of Simp_le informed me via IRC that these files should not be moved at all. Given that it works, but I have as yet been unable to get more information from him as to why this is the case, or what I should do to fix this tutorial, the best I can do is leave you this note. I suspect it's something to do with automatic renewals and this example not using symlinks, but I'll confirm & correct in due course.

cd ~
mkdir certificates
mv *.pem certificates
chown -R root:root certificates
chmod -R 0700 certificates   # or whatever perms you feel like

You could probably remove the .well-known directory at this point, but I understand that this is likely going to be useful when you have to renew the certs (they last a maximum of 90 days). However, you might want to update your .gitignore file at this point before you commit anything, if you're using VCS.

# Ignore well-known files
*.well-known*

Apache config

I'm assuming here that we will force the connection to https at the Drupal .htaccess level. The following config allows for serving over both http and https. I've chosen to simply augment my server config with additional lines to manage the https connection over port 443. I've done it this way because I wanted to be able to revert to http if there was an issue with the setup. I've also, as a Drupal user, assumed that we have a .htaccess file in the web root, as is common for Apache setups.

In editing your existing virtual host file for the domain, we can simply copy the existing http config and add the extra directives for the secure connection.

<VirtualHost *:80>
  ServerAdmin me@mydomain.com
  ServerName www.mydomain.com
  ServerAlias mydomain.com
  DocumentRoot /home/myaccount/public_html

  <Directory /home/myaccount/public_html>
   # stuff here
  </Directory>

  # log file setup here

  RewriteEngine On
</VirtualHost>

<VirtualHost *:443>
  ServerAdmin me@mydomain.com
  ServerName www.mydomain.com
  ServerAlias mydomain.com
  DocumentRoot /home/myaccount/public_html

  SSLEngine on
  # same directory the .pem files were moved to in the step above
  SSLCertificateFile /home/myaccount/certificates/cert.pem
  SSLCertificateKeyFile /home/myaccount/certificates/key.pem
  SSLCertificateChainFile /home/myaccount/certificates/chain.pem

  <Directory /home/myaccount/public_html>
   # stuff here
  </Directory>

  # log file setup here

  RewriteEngine On
</VirtualHost>
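A small audit of the two rules the steps above rely on (the .pem files live outside DocumentRoot, and the private key is readable by its owner only), as an added example that is not part of simp_le or Apache; SAMPLE is a constructed vhost in the shape of the one above, and key_mode_ok takes a raw st_mode so it can be checked against a real key with os.stat:

```python
"""Audit an Apache vhost file for the certificate-placement rules in this guide:
cert/chain/key outside DocumentRoot, private key readable by owner only.
Added example, not part of simp_le or Apache; SAMPLE is a constructed vhost."""
import os
import re
import stat

WATCHED = ("DocumentRoot", "SSLCertificateFile", "SSLCertificateKeyFile",
           "SSLCertificateChainFile")
CANON = {n.lower(): n for n in WATCHED}  # Apache directive names are case-insensitive
DIRECTIVE_RE = re.compile(r"^\s*(%s)\s+(\S+)" % "|".join(WATCHED), re.IGNORECASE)

def parse_vhosts(config_text):
    """Return one dict per <VirtualHost> block, mapping directive -> value."""
    vhosts, current = [], None
    for line in config_text.splitlines():
        if re.match(r"^\s*<VirtualHost\b", line, re.IGNORECASE):
            current = {}
        elif re.match(r"^\s*</VirtualHost>", line, re.IGNORECASE):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None:
            m = DIRECTIVE_RE.match(line)
            if m:
                current[CANON[m.group(1).lower()]] = m.group(2)
    return vhosts

def is_inside(path, root):
    """True if path is root itself or lies beneath it (after normalisation)."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)

def audit_vhost(vhost):
    """List the certificate files this vhost would serve from inside its web root."""
    root = vhost.get("DocumentRoot")
    return ["%s %s is inside DocumentRoot %s" % (k, vhost[k], root)
            for k in WATCHED[1:] if root and k in vhost and is_inside(vhost[k], root)]

def key_mode_ok(mode):
    """True when a file mode has no group/other bits, e.g. the 0700 used above."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

SAMPLE = """<VirtualHost *:443>
  DocumentRoot /home/myaccount/public_html
  SSLCertificateFile /home/myaccount/certificates/cert.pem
  SSLCertificateKeyFile /home/myaccount/certificates/key.pem
  SSLCertificateChainFile /home/myaccount/certificates/chain.pem
</VirtualHost>"""
```

audit_vhost(parse_vhosts(SAMPLE)[0]) returns an empty list for the layout above and names each offending directive otherwise; on the server, read the real vhost file into parse_vhosts and pass os.stat(key_path).st_mode to key_mode_ok.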

Hopefully at this point you should be able to see your site at both http://www.mydomain.com and https://www.mydomain.com, with the same content on both.

Now if we want to redirect the users to the https version of the site, we can simply add a rule into the .htaccess file for that.

Drupal specific: In .htaccess, I've got all requests redirected to the www. version of the site. I put the https redirect after that, and left the remainder of the file as-is, to avoid too much hassle with upgrades. This is from a stock Drupal 7 .htaccess file.

  # To redirect all users to access the site WITH the 'www.' prefix,
  # (http://example.com/... will be redirected to http://www.example.com/...)
  # uncomment the following:
  RewriteCond %{HTTP_HOST} .
  RewriteCond %{HTTP_HOST} !^www\. [NC]
  RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  # the above are uncommented as I like to have www.mydomain.com
  # the following NEW lines are inserted after those
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
  # taken from https://www.ndchost.com/wiki/apache/redirect-http-to-https

Now you should have all your traffic redirected to the https version of the site, with an easy option to revert via the .htaccess if necessary.

Bonus tip: If you’re using Google Fonts, these will break. Use this tip to fix it.

I've got this function in template.php in my Drupal 7 site. Maybe it shouldn't be there, I dunno. All you need to do is remove the protocol part of the URL; the browser will then work it out for itself at load time.

/**
 * Implements hook_preprocess_html().
 */
function mydomain_preprocess_html(&$variables) {
  // Protocol-relative URL: the "http:" has been removed from the start so the
  // font loads over whichever scheme the page itself was served on.
  drupal_add_css('//fonts.googleapis.com/css?family=Oxygen:300', array('group' => CSS_THEME));
}

Hat tip: @pollyplummer on http://wptavern.com/wordpress-tip-how-to-load-google-fonts-over-ssl-and-...

Blog Tags: Drupal, SSL, Planet
