Building Data-Driven Web Apps with Flask and SQLAlchemy Transcripts
Chapter: Deployment
Lecture: Adding SSL with Let's Encrypt

0:00 It looks pretty good over here. We put in the IP address you can see that we actually get our page back and it has data. This is really cool.
0:09 The whole site is now working except for, well, you probably don't want to just have an IP address. You might want a, I don't know, domain name.
0:16 Also you would like this to be secure and not insecure. All right if you go to say this login page you get a big warning like, Warning warning
0:24 this is not secure and you do want to protect against that. So I've done something really quick. I've gone to my DNS and I've created a temporary
0:33 which I'm going to remove but temporary domain mapping over that server. Why did I actually do it in my DNS and not hack my host name?
0:40 Well you'll see that Let's Encrypt actually does a look up on the domain and only then will it work.
0:46 So we actually have to have it working on the internet. Now if we look over here you can see I've created this fakepypi.talkPython.com,
0:54 not fm, .com, and this one if we actually go to it I've copied this over and restarted Nginx. So, we've gone over here.
1:03 Hey, look at that. It's listening. How cool is this? So it looks like everything is working for the domain but again, still not secure.
1:10 However, now that we have a domain some name that resolves here, I can actually go and set up Let's Encrypt.
1:17 It turns out, it's super super easy to use Let's Encrypt. You know, there have been a few sites, little minor things that I had been running
1:23 and I didn't install SSL certificates because I'm like ah, what's it matter? Who really cares? It's going to be a lot of work.
1:29 It costs money for SSL certificates, right? Well, the last couple years, that's not so true and it turns out to be super easy.
1:35 So there's a nice article on Digital Ocean none the less talking about how to set up SSL using Let's Encrypt on Nginx.
1:41 It basically comes down to three commands. We need to register the right package authority here. So when we do this it says, Do you want to do it?
1:50 Yes we want to do this. Now with that in place we can then install python-certbot-nginx. certbot is the thing that does SSL.
2:00 It happens to run on Python. That's kind of cool. Okay. It's all set up. Now we should be able to issue commands to certbot
2:08 which is a Let's Encrypt automation. We say, we're going to set up Nginx, with this domain
2:13 and it's going to go look through all the configuration files for Nginx find the one that's listed on this domain
2:17 and configure it. That's it, let's try. Just kind of come down here and it says You have to have some stuff in your SSL certificate.
2:24 So, I'll do that. Let's do michael@talkPython. Do you agree to the terms of service? Sure, why not? Do you want to be contacted by the EFF?
2:34 I think you've already said yes a bunch of times. I'm going to say no this time. All right, it's gotten everything set up.
2:42 Now it has one final question before it can make a change. This is important. You almost always want to say 2, not 1.
2:49 So if someone requests the non SSH domain or the non SSL domain, do you want it to redirect to SSL? So, do you want to support fake pypi.talkpython.fm
3:00 and https fake_pypi? Of course not. You want to have it just all redirect to SSL. You say two, and that's it. If we go over here and look at this again
3:09 you'll see that it's now put in some stuff that's managed by certbot and about redirecting if it's just the raw host on port 80. Things like that.
3:19 So let's just go over here and just refresh this. Ta-da. Look at that. Now we have our SSL secure connection and even better, if we go to login
3:28 no super spooky warnings. Of course it's safe to login here. Who wouldn't want to login? Or register? Or whatever, right?
3:35 So our site is up and running, using SSL. All we have to do is set up either a cronjob or you'll get an email to the email that we put in
3:43 and eventually we need to run a renew command on the server to get a new copy, basically a new certificate. These are good for I think, 90 days
3:52 for three months, something like that. All right, that's it. Our server is now secure with Let's Encrypt and SSL.

