Building data-driven web apps with Flask and SQLAlchemy Transcripts
Lecture: Adding SSL with Let's Encrypt
0:00 It looks pretty good over here.
0:01 We put in the IP address you can see
0:04 that we actually get our page back
0:06 and it has data. This is really cool.
0:08 The whole site is now working except for
0:10 well, you probably don't want to just
0:12 have an IP address. You might want a
0:14 I don't know, domain name.
0:15 Also you would like this to be secure
0:17 and not insecure.
0:19 All right if you go to say this login page
0:21 you get a big warning like, "Warning, warning,
0:23 this is not secure," and you do want to protect against that.
0:26 So I've done something really quick.
0:28 I've gone to my DNS and I've created a temporary
0:32 which I'm going to remove
0:33 but temporary domain mapping over that server.
0:36 Why did I actually do it in my DNS
0:38 and not hack my host name?
0:39 Well you'll see that Let's Encrypt actually does a look up
0:42 on the domain and only then will it work.
0:45 So we actually have to have it working on the internet.
0:48 Now if we look over here
0:49 you can see I've created this fakepypi.talkpython.com,
0:53 not .fm, .com, and this one, if we actually go to it,
0:57 I've copied this over and restarted Nginx.
1:01 So, we've gone over here.
1:02 Hey, look at that. It's listening. How cool is this?
1:05 So it looks like everything is working for the domain
1:07 but again, still not secure.
1:09 However, now that we have a domain
1:11 some name that resolves here, I can actually go
1:14 and set up Let's Encrypt.
1:16 It turns out it's super, super easy to use Let's Encrypt.
1:19 You know, there have been a few sites,
1:20 little minor things that I had been running
1:22 and I didn't install SSL certificates
1:24 because I'm like ah, what's it matter?
1:26 Who really cares? It's going to be a lot of work.
1:28 It costs money for SSL certificates, right?
1:30 Well, the last couple years, that's not so true
1:32 and it turns out to be super easy.
1:34 So there's a nice article on Digital Ocean nonetheless
1:36 talking about how to set up SSL
1:39 using Let's Encrypt on Nginx.
1:40 It basically comes down to three commands.
1:43 We need to register the right package authority here.
1:47 So when we do this it says, Do you want to do it?
1:49 Yes we want to do this.
1:51 Now with that in place
1:52 we can then install python-certbot-nginx.
1:57 certbot is the thing that does SSL.
1:59 It happens to run on Python. That's kind of cool.
2:01 Okay. It's all set up.
2:02 Now we should be able to issue commands to certbot
2:07 which is a Let's Encrypt automation.
2:09 We say, we're going to set up Nginx, with this domain
2:12 and it's going to go look through all the configuration files for Nginx
2:14 find the one that's listed on this domain
2:16 and configure it. That's it, let's try.
2:20 Just kind of come down here and it says
2:21 You have to have some stuff in your SSL certificate.
2:23 So, I'll do that. Let's do michael@talkpython.
2:28 Do you agree to the terms of service? Sure, why not?
2:31 Do you want to be contacted by the EFF?
2:33 I think you've already said yes a bunch of times.
2:35 I'm going to say no this time.
2:40 All right, it's gotten everything set up.
2:41 Now it has one final question before it can make a change.
2:44 This is important. You almost always want to say 2, not 1.
2:48 So if someone requests the non-SSH domain,
2:53 or the non-SSL domain, do you want it to redirect to SSL?
2:56 So, do you want to support http fake_pypi.talkpython.fm
2:59 and https fake_pypi? Of course not.
3:03 You want to have it just all redirect to SSL.
3:04 You say 2, and that's it.
3:07 If we go over here and look at this again
3:08 you'll see that it's now put in some stuff
3:11 that's managed by certbot and about redirecting
3:14 if it's just the raw host on port 80.
3:17 Things like that.
3:18 So let's just go over here and just refresh this.
3:22 Ta-da. Look at that. Now we have our SSL secure connection
3:25 and even better, if we go to login
3:27 no super spooky warnings. Of course it's safe to login here.
3:31 Who wouldn't want to login? Or register? Or whatever, right?
3:34 So our site is up and running, using SSL.
3:37 All we have to do is set up either a cron job,
3:39 or you'll get an email to the email that we put in
3:42 and eventually we need to run a renew command on the server
3:46 to get a new copy, basically a new certificate.
3:49 These are good for, I think, 90 days,
3:51 three months, something like that.
3:53 All right, that's it, our server is now secure
3:55 with Let's Encrypt and SSL.