A Review of the HTTPS with Let's Encrypt Course by Mikael M.
Let's Encrypt is a free service for issuing SSL certificates. Learn what Mikael liked and disliked about my latest course in this case study.
TL;DR: Jump straight to the case study.
A few days ago I released a new course called HTTPS with Let’s Encrypt, and its main purpose is to take you from having an insecure website served over HTTP to having A+ graded SSL certificates and successfully serving your site over HTTPS.
But the point of this post isn’t to explain what the course is about.
Instead, I wanted to share a review of the course by Mikael Mukhsikaroyan. Mikael is a Computer Science major who also does freelance iOS / back-end web development.
I normally don’t solicit reviews from students, but since this course is brand new and has no reviews yet I thought I would try something new. I was going to try a case study.
This idea came to me after seeing an unsolicited tweet from Mikael, which was:
My initial thought was “hey that’s awesome, a student got through the course and it helped him”. At the end of the day, as a content creator, that’s really all I care about. I just want to make it as easy as possible for people to get real stuff done.
But when students don’t post comments or issues in the private discussion forum I tend to worry that maybe they are not starting or getting through the course material.
Since he didn’t post any issues I wondered if that was the case, so I followed up with:
Just got an A+ on SSLLabs for my personal site https://t.co/VB4ZKzA7Bv Will be using Let's Encrypt for all my future projects from now on — Mikael M (@mm3981) July 19, 2017
Ok, that confirms he completed the course. One of the last things we do in the course is set everything up so that you get an A+ rating on your SSL configuration.
Then I figured hey, you know what. I’ve never performed a case study before, so let me ask Mikael if he would be interested in answering a couple of questions. He said sure.
Case Study Results With Mikael Mukhsikaroyan
I really didn’t know what to ask, so I just time bound the task to 10 minutes, came up with as many questions as I could think of and sent the email off to him.
These are unedited questions and answers, but I’ve put a few of my own comments in italics at the bottom of his answers when I wanted to add on to what he said.
What type of experience do you have as a developer? What do you do as a job (or are you a student)?
My experience is mostly in back-end and iOS development, which I’ve done for a couple of clients and for a few personal projects. I’m also a college student studying Computer Science.
What type of problems were you having with trying to implement HTTPS on your own before you took this course?
The first time I implemented HTTPS was with the help of your course Docker for DevOps and so I didn’t have too much trouble getting the certificates to work.
The only difficulty was when I was buying the certificate and had to jump through a bunch of hoops to verify my identity. I had bought my domain name from Namecheap but was using DigitalOcean as my domain name server and this led to a whole lot of back and forth to confirm my identity to purchase the SSL certificate.
Now I don’t have to go through all of that ever again.
How much time did you spend trying to set up HTTPS on your own before you took this course?
I don’t remember exactly, but that initial purchase / identity verification process took a significant amount of time.
How much money do you think you spent on SSL certificates before taking this course?
For personal projects $10 / year and I never directly handled SSL for the clients that I worked on. My personal site didn’t have SSL because I didn’t want to spend money for a static site, but now it’s secure thanks to Let’s Encrypt.
Mikael raises a great point here. Now he can tell his clients that he can secure their sites for them. That is adding a lot of value to his proposals. It will make winning freelance gigs easier, he’ll make more money and his client’s data is better protected.
What was your motivation to take this course?
I took this course because I know the importance of securing your network communications and the confidence a visitor has when they see a “Secure” badge in their browser.
I had previously been doing SSL the old way, which was time-consuming and costly and so I took this course in order to be able to learn Let’s Encrypt quickly without needing to dig too deeply into its documentation and without having to learn it through trial and error.
I’ve used what I learned to secure my personal site and will be using Let’s Encrypt for all future projects, both personal and for work.
How long did it take you to go from having an insecure site to an A+ rated secure site?
It took me a few hours to follow along with the course. Once I finished the course I started working on my personal site and set everything up to transfer over my domain to a new DigitalOcean droplet.
I ran into some issues but I remembered some comments you made in a video about DNS propagation and had to wait for the domain to be associated with the new IP address.
Once the DNS propagation was completed, I was able to get the certificate working within a few minutes.
How long do you think it would take to apply what you know now to secure another site?
I think it would take me about 30 minutes to apply it to another site that uses nginx. That would include everything from registering the domain, setting up the server and running your scripts. That doesn’t include the time I’d wait for DNS propagation.
What were you most skeptical about while taking this course, but then later on it clicked and ended up working out well?
I had heard that Let’s Encrypt didn’t work with Namecheap domains, which is the service I used for my domains, but then I learned that that’s only the case if you’re hosting your site with them.
This is true for a lot of shared hosting providers (Hostgator, etc.). At best they give you a way to upload your own SSL certificates through their control panel, but that is not automated and is super annoying.
What obstacle almost prevented you from enrolling into this course?
Budget is always something that I consider when purchasing courses. In this case, the price was right and I am very happy with the purchase. I wasn’t worried about it being outdated or too short because all of your other courses are of high quality and so I expected the same from this one too.
Did you get stuck on any parts of the course?
As I was waiting for my domain name’s associated IP address to update to a new droplet’s IP address, I used a non-SSL nginx configuration so that my site would be up, even though it was not secured yet.
After a few hours, I tried running the issue-certificate.sh script, but I kept getting errors of URL refused connection and 404 Not Found. At first, I thought this was because perhaps the IP address change hadn’t propagated to all the DNS servers around the globe.
So, I tried what you suggested in your blog post and ran host mmikael.com #.#.#.# against all the major DNS servers and they were all returning the correct IP address.
At this point I knew that there was an error on my end and after trying a few things, I realized that I needed to have the location /.well-known/acme-challenge block in my nginx configuration in order for Let’s Encrypt to be able to authenticate my server.
I had taken this block out along with a whole bunch of other stuff when I had set up nginx on a bare minimum configuration just to host my site until the propagation had completed.
I think you had actually mentioned this in one of the videos, but I had missed it the first time.
Mikael drifted pretty far off the course in this case. For example, we never configure nginx without some form of SSL protection (we use self-signed certificates to test the SSL configuration first).
But since this was Mikael’s live site, I see why he chose to do it this way. You don’t want to show that scary insecure SSL certificate message to visitors, which is what happens when you use self-signed certificates outside of testing.
His answer makes me really happy because he was able to go off the beaten path and get a solution to work for his exact use case.
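The failure in the answer above (a pared-down nginx configuration with no location /.well-known/acme-challenge block, so issuance failed with 404 Not Found) can be caught before an issuance script is run. The following is an added example, not code from the course or from Mikael: a small Python check over two constructed nginx configurations, where the domain, paths and function names are all assumptions.

```python
import re

# Explicit location for the ACME HTTP-01 challenge path (prefix, "=" or "^~" match).
ACME_LOCATION = re.compile(r"\blocation\s+(?:(?:=|\^~)\s+)?/\.well-known/acme-challenge/?\s*\{")

def server_blocks(conf):
    """Yield the body of every server { ... } block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments (assumes no '#' inside values)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def port_of(listen_value):
    """Port of one listen directive; an address given without a port means 80."""
    addr = listen_value.split()[0]
    m = re.search(r"(?:^|:)(\d+)$", addr)
    return int(m.group(1)) if m else 80

def missing_acme_location(conf):
    """server_name of each port-80 server block that has no challenge location.
    A block with no listen directive counts as port 80 (nginx's default as root)."""
    missing = []
    for body in server_blocks(conf):
        ports = [port_of(v) for v in re.findall(r"\blisten\s+([^;]+);", body)] or [80]
        if 80 in ports and not ACME_LOCATION.search(body):
            name = re.search(r"\bserver_name\s+([^;]+);", body)
            missing.append(name.group(1).strip() if name else "(unnamed)")
    return missing

# Constructed sample configs (example.com and every path are placeholders).
BARE_MINIMUM = """
server {
    listen 80;
    server_name example.com;
    root /var/www/example;
    location / { try_files $uri $uri/ =404; }
}
"""
WITH_CHALLENGE = """
server {
    listen 80; listen [::]:80;
    server_name example.com www.example.com;
    location /.well-known/acme-challenge { root /var/www/letsencrypt; }
    location / { return 301 https://$host$request_uri; }
}
server { listen 443 ssl; server_name example.com; root /var/www/example; }
"""
```

An empty result only shows that each port-80 server block declares the location; it does not confirm that the directory it serves is the one the issuance script writes challenge files to.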
What specific feature did you like most about this course?
I like the notes that you provided with all the commands and links. My favorite part was all the Bash scripts you provided that did all the work for us so we could work along with the course at a fast and easy pace.
I know some people prefer to see instructors type along during the course, but I’m definitely not one of those people.
I really appreciate the fact that you prepare things ahead of time and don’t make mistakes in the lectures.
I wanted the emphasis of this course on securing your site, not learning Bash, so what he’s talking about here are commands to install nginx or copy over config files from his computer to the server.
I do go over these scripts in great detail, but you don’t need to sit through and type them out on your own. I like scripts too because now it’s something you can place onto another server and run. It’s a repeatable work flow that removes human error.
Was there anything in the course that you ended up learning where you thought “oh wow, that’s cool… I didn’t expect to learn that”?
The different nginx configurations that you provided were a great way to learn about nginx.
Learning how to host multiple sites on one server, all with their own SSL certificates and separate nginx servers was really cool.
I thought we would be using the official certbot script to use Let’s Encrypt, but I was pleasantly surprised when you provided your own short script along with a tiny Python library to use instead.
I think this way is better because we can really understand how everything works and have more control over it.
I justify my reasons for not using certbot in the course!
What’s your advice to anyone who might be on the fence about taking this course?
You can spend days on your own reading the documentation and source code for Let’s Encrypt’s certbot script or one of the many other third-party libraries, and then spend more time generating and setting up the script to work on your site and maybe create a work flow through trial and error.
Or you can get the course, learn how to use Let’s Encrypt within a few hours, and gain an easy work flow that you can use for all future projects. Through a simple cost-benefit analysis, I think most would agree that spending a few dollars on the course would save them money because the days that they would otherwise spend on learning and setting up Let’s Encrypt are days that they can’t spend on working on clients’ projects, personal projects, etc.
Sometimes it’s good to experiment and learn through making mistakes, but when your app’s security is at stake, it’s best to do it right the first time.
Special thanks to Mikael for taking the time out of his day to answer these questions.
If you’re ready to secure your site, then check out the HTTPS with Let’s Encrypt course.