Google Domains and Let’s Encrypt

Continuing with the theme of improving my website and hosting, I transferred my domain to Google and set up a Let's Encrypt certificate this past week.

Inputting the domain to transfer to Google was even easier than expected, with a nice entry box on the home page.

Let's Encrypt - Google Transfer

Once I entered my domain name, they told me what steps I would need to take to get it transferred over.

Let's Encrypt - Transfer Instructions

After I got everything filled out and the form submitted, I even received a confirmation e-mail to verify that I did want to transfer the domain.

Let's Encrypt - Verification

Once I submitted everything, it took about 5 days to get the domain completely transferred over, and managing it is even easier now.

I would recommend Google as a registrar if you are looking for one. They are $12/year with free privacy and e-mail forwarding included.

When the domain transfer was complete, I also set up a Let's Encrypt certificate so that I would have SSL for the logins, etc.

Let's Encrypt - Home

As I'm running Apache, I was able to use their auto-installer, which made everything a breeze.

root@wordpress-1gb-nyc1-01:~# git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Counting objects: 34858, done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 34858 (delta 13), reused 0 (delta 0), pack-reused 34836
Receiving objects: 100% (34858/34858), 9.31 MiB | 4.62 MiB/s, done.
Resolving deltas: 100% (24761/24761), done.
Checking connectivity... done.
root@wordpress-1gb-nyc1-01:~# cd letsencrypt/
root@wordpress-1gb-nyc1-01:~/letsencrypt# le
less      lessecho  lessfile  lesskey   lesspipe  let       lexgrog
root@wordpress-1gb-nyc1-01:~/letsencrypt# ls
acme                        certbot-nginx       Dockerfile      letsencrypt              letsencrypt-nginx     linter_plugin.py  readthedocs.org.requirements.txt  tools
certbot                     CHANGES.rst         Dockerfile-dev  letsencrypt-apache       letshelp-certbot      MANIFEST.in       setup.cfg                         tox.cover.sh
certbot-apache              CONTRIBUTING.md     docs            letsencrypt-auto         letshelp-letsencrypt  pep8.travis.sh    setup.py                          tox.ini
certbot-compatibility-test  docker-compose.yml  examples        letsencrypt-auto-source  LICENSE.txt           README.rst        tests                             Vagrantfile
root@wordpress-1gb-nyc1-01:~/letsencrypt# ./letsencrypt-auto --apache
Bootstrapping dependencies for Debian-based OSes...

<...snip...>

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/doyler.net/fullchain.pem. Your cert will
   expire on 2016-07-29. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you lose your account credentials, you can recover through
   e-mails sent to dev [at] doyler.net.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Let's Encrypt - Complete

As you may notice in the screenshot, though, I messed up by not including the www. initially, which caused some problems with the cert not matching the URL (due to my rewrite). I regenerated the cert for www.doyler.net and removed the one without the www., which solved that problem.

As you can see in the top corner now, the SSL cert worked and all major browsers trust it!

Let's Encrypt - Verified

Additionally, I ran the site through an SSL test to make sure that everything was sound, and it passed with flying colors.

Let's Encrypt - SSL Test

The last thing I did was set up my http.conf to redirect all traffic to the SSL site, forcing all traffic to be encrypted.

root@wordpress-1gb-nyc1-01:/etc/apache2/sites-available# cat 000-default.conf
<VirtualHost *:80>
        ServerName www.doyler.net
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

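        RewriteEngine on
        # Non-www host: redirect to the https://www. form of the same host
        RewriteCond %{HTTP_HOST} !^www\. [NC]
        RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
        # Host already starts with www.: switch to HTTPS without prepending a second www.
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]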
</VirtualHost>
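
The certificate mismatch described earlier comes down to which hostnames the certificate lists versus which names visitors reach before and after the redirect. The following is an added example, not code from the original post: it models only the intended effect of the rewrite rules (force the www. form), and the SAN lists given for each certificate are assumptions constructed for illustration.

```python
# Added example: hostnames and SAN lists below are constructed for illustration.

def normalize(host):
    """Lower-case a hostname and drop any port or trailing dot."""
    return host.split(":")[0].rstrip(".").lower()

def san_matches(host, san):
    """True if one certificate dNSName entry covers host.
    A wildcard is honoured only as the whole left-most label."""
    host, san = normalize(host), normalize(san)
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return host == san

def covered(host, sans):
    """True if any SAN entry on the certificate covers host."""
    return any(san_matches(host, s) for s in sans)

def canonical_host(host):
    """Intended effect of the vhost rules: force the www. form."""
    host = normalize(host)
    return host if host.startswith("www.") else "www." + host

def tls_name_errors(entry_hosts, sans):
    """Names a browser would reject for this certificate.
    Each entry host is checked because the TLS handshake happens before
    any redirect is served; each redirect target is checked because that
    is where the visitor ends up."""
    names = []
    for h in entry_hosts:
        for name in (normalize(h), canonical_host(h)):
            if name not in names:
                names.append(name)
    return [n for n in names if not covered(n, sans)]

ENTRY = ["doyler.net", "www.doyler.net"]           # names a visitor might type
print(tls_name_errors(ENTRY, ["doyler.net"]))      # assumed SANs of the first cert
print(tls_name_errors(ENTRY, ["www.doyler.net"]))  # assumed SANs after regenerating
print(tls_name_errors(ENTRY, ["doyler.net", "www.doyler.net"]))
```

With only the www. name on the certificate, a visitor who goes straight to the HTTPS URL without the www. still gets a name error, because the handshake fails before the redirect can run. A single certificate listing both names (certbot accepts repeated `-d` options) clears both cases.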
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.


2 Responses to Google Domains and Let’s Encrypt

  1. Johan Bernhoft

    Hello!

    Thanks for this info, but for info: Google does not handle Norwegian domains at the moment…
