Building Data-Driven Web Apps with Flask and SQLAlchemy Transcripts
Chapter: Deployment
Lecture: Adding SSL with Let's Encrypt
0:00
It looks pretty good over here. We put in the IP address you can see that we actually get our page back and it has data. This is really cool.
0:09
The whole site is now working except for, well, you probably don't want to just have an IP address. You might want a, I don't know, domain name.
0:16
Also you would like this to be secure and not insecure. All right if you go to say this login page you get a big warning like, Warning warning
0:24
this is not secure and you do want to protect against that. So I've done something really quick. I've gone to my DNS and I've created a temporary
0:33
which I'm going to remove but temporary domain mapping over that server. Why did I actually do it in my DNS and not hack my host name?
0:40
Well you'll see that Let's Encrypt actually does a look up on the domain and only then will it work.
0:46
So we actually have to have it working on the internet. Now if we look over here you can see I've created this fakepypi.talkPython.com
0:54
not fm .com, and this one if we actually go to it I've copied this over and restarted Nginx. So, we've gone over here.
1:03
Hey, look at that. It's listening. How cool is this? So it looks like everything is working for the domain but again, still not secure.
1:10
However, now that we have a domain some name that resolves here, I can actually go and set up Let's Encrypt.
1:17
It turns out, it's super super easy to use Let's Encrypt. You know, there have been a few sites, little minor things that I had been running
1:23
and I didn't install SSL certificates because I'm like ah, what's it matter? Who really cares? It's going to be a lot of work.
1:29
It costs money for SSL certificates, right? Well, the last couple years, that's not so true and it turns out to be super easy.
1:35
So there's a nice article on Digital Ocean nonetheless talking about how to set up SSL using Let's Encrypt on Nginx.
1:41
It basically comes down to three commands. We need to register the right package authority here. So when we do this it says, Do you want to do it?
1:50
Yes we want to do this. Now with that in place we can then install python-certbot-nginx. certbot is the thing that does SSL.
2:00
It happens to run on Python. That's kind of cool. Okay. It's all set up. Now we should be able to issue commands to certbot
2:08
which is a Let's Encrypt automation. We say, we're going to set up Nginx, with this domain
2:13
and it's going to go look through all the configuration files for Nginx find the one that's listed on this domain
2:17
and configure it. That's it, let's try. Just kind of come down here and it says You have to have some stuff in your SSL certificate.
2:24
So, I'll do that. Let's do michael@talkPython. Do you agree to the terms of service? Sure, why not? Do you want to be contacted by the EFF?
2:34
I think you've already said yes a bunch of times. I'm going to say no this time. All right, it's gotten everything set up.
2:42
Now it has one final question before it can make a change. This is important. You almost always want to say 2, not 1.
2:49
So if someone requests the non SSH domain or the non SSL domain, do you want it to redirect to SSL? So, do you want to support fake pypi.talkpython.fm
3:00
and https fake_pypi? Of course not. You want to have it just all redirect to SSL. You say two, and that's it. If we go over here and look at this again
3:09
you'll see that it's now put in some stuff that's managed by certbot and about redirecting if it's just the raw host on port 80. Things like that.
3:19
So let's just go over here and just refresh this. Ta-da. Look at that. Now we have our SSL secure connection and even better, if we go to login
3:28
no super spooky warnings. Of course it's safe to login here. Who wouldn't want to login? Or register? Or whatever, right?
3:35
So our site is up and running, using SSL. All we have to do is set up either a cronjob or you'll get an email to the email that we put in
3:43
and eventually we need to run a renew command on the server to get a new copy, basically a new certificate. These are good for I think, 90 days
3:52
for three months, something like that. All right, that's it. Our server is now secure with Let's Encrypt and SSL.