You will need to secure it with a free Let's Encrypt SSL certificate. First, you will need to install a Certbot client on your server. Certbot is an easy-to-use client that can download a certificate from Let's Encrypt and configure the Apache web server to use that certificate.

An XMPP server is considered secure when the following (minimum) items are present:
- The server is running with a server certificate
- The server is configured to not allow any cleartext communications (S2S and C2S)
- The server supports XEP-0198

A new setting allows you to specify the preferred root authority. On January 11th Let's Encrypt will switch over to their own root certificate, which is not trusted by older Android versions and perhaps by other (older) software. As a fallback, until September 30th it will still be possible to get certificates using the old root.

May 23, 2019
Let's Encrypt is a Certificate Authority (CA) that provides free certificates for Transport Layer Security (TLS) encryption, thereby enabling encrypted HTTPS on web servers. It simplifies the process of creation, validation, signing, installation, and renewal of certificates by providing a software client, Certbot, that automates most of the steps. In this tutorial, you will use Certbot to set up a TLS/SSL certificate from Let's Encrypt on a CentOS 7 server running Apache as a web server.
Let's Encrypt is a free, automated, and open Certificate Authority
Let's Encrypt is an effort by the Internet Security Research Group (ISRG) to provide free SSL certificates, in order to encourage website owners to secure their websites with encryption: serving your site over HTTPS gives your visitors better security.
There are many benefits to enabling SSL encryption on a website, including protecting user information if visitors need to log in to the site, and getting a higher ranking on Google Search.
If you currently run Apache (or a distribution such as XAMPP or Wamp Server) on Windows, hosted as a virtual machine on some cloud-based server, then this guide is for you.
(1) Download letsencrypt-win-simple from GitHub
We will use a third-party tool called letsencrypt-win-simple, from the GitHub link given below, which is built specifically for the Windows platform, since the official letsencrypt-auto script does not support Windows at the time of writing.
Download the latest version from the letsencrypt-win-simple release page here: https://github.com/Lone-Coder/letsencrypt-win-simple/releases
Go ahead and download the zip file and extract it into your C: folder, so that once extracted it looks like this: "C:\letsencrypt-win-simple".
At the time of blogging the latest version was v18.104.22.168.
(2) Obtain an SSL certificate (Test Run)
Open the command prompt and navigate to the letsencrypt-win-simple folder from the previous step.
Then run the letsencrypt tool to generate a certificate for your domain in test mode. In test mode, the generated certificates will not count against the rate limit.
Finally, replace the domain placeholder with the actual domain name you want to create the certificate for, and replace the web-root placeholder with the htdocs or www folder of Apache in your XAMPP/WAMP installation.
If the certificate generation is successful, a message similar to the following will appear.
You can safely skip the rest of this section and go to Section 3 if your test generation is successful. In order to authorize itself, the letsencrypt tool answers the HTTP challenge from the Let's Encrypt server by placing the challenge file under the folder /.well-known/. Therefore, it is important that the .well-known folder can be publicly accessed through http://<domain-name>/.well-known/.
A common problem for many users of PHP or Python frameworks is that the framework redirects the root path of the domain URL to its own processing script, so the challenge file is never served.
In this case, you need to place an alias in your Apache configuration file such as the one below:
Replace domain-root accordingly. For example:
Restart the Apache server and attempt the test generation above again.
(3) Obtain an SSL certificate (Actual Run)
Only if your test generation has been successful, proceed to generate the actual certificate by removing the --test argument from the command.
The tool will ask you for some information. Answer accordingly.
Below are the questions it asks and how you can answer them:
Lastly, the tool will set up a scheduled task which runs every day at 9:00 am. Let's Encrypt certificates are issued with a validity of 90 days. This task renews the certificates within the 30 days before expiry, so you will never have to worry about certificate expiry again.
From the output of the tool, note the path of the certificate file and issuer certificate file.
(4) Configure Apache to use the SSL certificate
You need to configure an SSL-enabled virtual host for your domain name.
Refer to the Apache docs, or the XAMPP/WAMP documentation, for how to do that.
In XAMPP the httpd-vhosts.conf file is located at C:\xampp\apache\conf\extra. In the virtual host configuration, specify the path to the certificate file, the certificate key file, and the certificate chain (issuer certificate) file, which you noted down from the output of the actual generation in Section 3 (not the test generation in Section 2).
It is also recommended that you redirect all HTTP traffic to the HTTPS site under the correct domain name of your certificate.
Here is an example of a partial Apache configuration. On the non-SSL virtual host:
On the SSL virtual host:
The alias for the /.well-known path must be copied to the SSL virtual host because it is needed for future certificate renewals. Restart the Apache server so that the new configuration takes effect.
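The two virtual hosts described in this section, written out as an added example (not the original post's configuration) for XAMPP's httpd-vhosts.conf. It assumes the domain example.com, the document root C:/xampp/htdocs, that mod_ssl, mod_rewrite and mod_headers are loaded, and uses placeholder certificate paths that you replace with the ones printed by the actual run in Section 3.

```apache
# Non-SSL virtual host: keep /.well-known reachable over plain HTTP for
# renewals, and redirect everything else to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot "C:/xampp/htdocs"

    # Serve ACME challenge files straight from disk, bypassing any
    # framework front-controller rewrite that would swallow the request
    Alias /.well-known "C:/xampp/htdocs/.well-known"
    <Directory "C:/xampp/htdocs/.well-known">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect every other request to the HTTPS site under the certificate's name
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

# SSL virtual host
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot "C:/xampp/htdocs"

    SSLEngine on
    # Placeholder paths: use the certificate, key and issuer files reported
    # by the actual (non-test) letsencrypt-win-simple run
    SSLCertificateFile      "C:/path/to/example.com-crt.pem"
    SSLCertificateKeyFile   "C:/path/to/example.com-key.pem"
    SSLCertificateChainFile "C:/path/to/issuer-ca.pem"

    # Same alias here, so renewal challenges also work once HTTPS is live
    Alias /.well-known "C:/xampp/htdocs/.well-known"
    <Directory "C:/xampp/htdocs/.well-known">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Tell browsers to stay on HTTPS; enable only after confirming the
    # HTTPS site works, since browsers cache this for max-age seconds
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

After restarting Apache, confirm that http://example.com/.well-known/ is still served over plain HTTP (no redirect) before triggering a renewal.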
(5) Opening the port in Windows Firewall on the Windows virtual machine
Search for Windows Firewall Security on Windows and open it; it will look something like the screenshot below:
Click on Inbound Rules, and follow the steps below:
- Click on New Rule in the right panel
- Select Port, hit Next
- Select TCP and enter the specific port numbers 443,80
- Allow the connection
- Check Domain, Private and Public
- Give the rule a name and click Finish
- Then repeat the same steps for Outbound Rules and finish
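The same inbound rule as the GUI steps above, created from an elevated PowerShell prompt with the built-in NetSecurity cmdlets, as an added example that is not part of the original post. The rule name is an assumption; the second part lists every enabled inbound allow rule for TCP 80 or 443 so you can verify nothing broader than intended was opened.

```powershell
# Name is arbitrary; pick something you will recognise in the firewall console
$ruleName = 'Apache HTTP/HTTPS (Let''s Encrypt)'

# Create the rule only once, so re-running the script does not add duplicates
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound `
        -Protocol TCP `
        -LocalPort 80,443 `
        -Action Allow `
        -Profile Domain,Private,Public
}
# Windows Firewall allows outbound traffic by default, so an outbound rule is
# normally not required for Apache to answer clients or for renewals.

# Check: which enabled inbound rules allow TCP 80 or 443, and on which profiles
Get-NetFirewallPortFilter |
    Where-Object {
        $_.Protocol -eq 'TCP' -and
        ($_.LocalPort -contains '80' -or $_.LocalPort -contains '443')
    } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile, Enabled |
    Format-Table -AutoSize
```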
Below are the screenshots to refer:
(6) Opening the port in the cloud server's security firewall
If you are using a cloud-based server to host your VM, go to its security rules and open port 443, since HTTPS is served on port 443.
Suppose you are using a Google Cloud hosted Windows VM; you need to:
• Head to VPC Network
• Then click on Firewall Rules
• Create a firewall rule that allows TCP ports 80 and 443
• Set the source IP range to 0.0.0.0/0 (any address, which a public website needs)
• Now head to your website, and you will see it served over https
If you are using Amazon AWS you need to:
• Head to your respective EC2 instance
• Click on the hosted Windows VM
• Select the Security link
• Click on the respective Inbound and Outbound Rules and open the respective ports, 80 and 443
• Make sure you add the destination IP range 0.0.0.0/0
The web is moving to HTTPS, preventing network attackers from observing or injecting page contents. But HTTPS needs TLS certificates, and while deployment is increasingly a solved issue thanks to the ACME protocol and Let's Encrypt, development still mostly ends up happening over HTTP because no one can get a universally valid certificate for localhost.
This is a problem because more and more browser features are being made available only to secure origins, and testing with HTTP hides any mixed content issues that can break a production HTTPS website. Developing with HTTPS should be as easy as deploying with HTTPS.
That's what mkcert is for.
mkcert is a simple by design tool that hides all the arcane knowledge required to generate valid TLS certificates. It works for any hostname or IP, including localhost, because it only works for you.
Here's the twist: it doesn't generate self-signed certificates, but certificates signed by your own private CA, which your machine is automatically configured to trust when you run mkcert -install. So when your browser loads a certificate generated by your instance of mkcert, it will show up with a green lock!
It supports macOS, Linux, and Windows, and Firefox, Chrome and Java. It even works on mobile devices with a couple of manual steps.
Also, unlike OpenSSL, it does the right thing by default, instead of forcing you to use a dozen flags and materialize a config file for each certificate. (That is, it uses Subject Alternative Names, instead of the 20-years-deprecated Common Name.)
The hardest part of the project, besides figuring out half a dozen different root stores, has been keeping the tool simple and focused. There are adjacent use cases that mkcert might be good for, like acting as a CA infrastructure for microservices, but that's not what mkcert is for. mkcert is a development tool, and that focus allowed it to provide useful defaults and limit configuration options to virtually zero. Other tools can fill other gaps better.
One feature is left before mkcert is finished: an ACME server. If you are doing TLS certificates right in production, you are using Let's Encrypt via the ACME protocol. Development and staging should be as close to production as possible, so mkcert will soon act as an ACME server like Let's Encrypt, providing locally-trusted certificates with no verification. Then all you'll have to change between dev and prod will be the URL of the ACME endpoint.
As for now, mkcert is already stable, with 8 releases and almost 12k stars. You can install it from most package managers, or use the pre-built binaries. Please try it in your workflows, and report any usability issues. You might also want to follow me on Twitter.