Obtaining an SSL Certificate

This guide explains the basic steps involved in obtaining an SSL certificate.

Introduction

Before reading this guide, we highly recommend reading the Donation Store installation guide. It can be found in the same place as this guide.

As always, if you have any queries you can open a support ticket, or ask in #support on our Discord server, where some of our developers hang around.

SSL Information and Why It's Important to Have on Donation Store

In all web applications security is paramount, so much so that plain HTTP is now considered outdated: browsers from companies like Google and Mozilla mark all sites served over HTTP as not secure. This is discouraging for anybody visiting a site, regardless of whether it handles sensitive data. Donation Store handles customer information, so making sure that data is kept safe and in the right hands is your responsibility. It is not our responsibility, and unfortunately we cannot police whether everybody installs SSL, but we can provide the tools to make it as easy as possible.

On a side note, a lot of payment providers won't even allow payments over HTTP, which is why you may see them complaining if you don't use HTTPS. This is not a Donation Store issue; it is because your site is not secured.

The Donation Store installation service also includes setting up an SSL certificate on your installation; this can be purchased here. A Donation Store developer will arrange a time that suits you, walk you through the installation on a server of your choice and complete the installation for you.

Let's Encrypt

You can use any SSL certificate, bought or not, but Let's Encrypt offers free SSL certificates to everyone! Their goal is to create a more secure and privacy-respecting web. Some companies charge monthly fees or only offer SSL to their highest tier customers, but not Let's Encrypt. So there are no excuses not to get an SSL certificate now!

Requirements

The only requirements for this guide are a valid/licensed Donation Store installation and access to the same server you installed Donation Store on.


Setting up Your Environment

Before the certificate is obtained, some software and updates need to be installed. First, refresh apt's package lists by running:

sudo apt-get update

Then upgrade the installed packages with:

sudo apt-get upgrade

If either command asks whether to continue and use additional disk space, enter "y" and then hit enter.


Install Git

Git is a version control system that tracks changes in code. We use it to fetch the latest version of the Let's Encrypt client, which we need in order to obtain our SSL certificate. To install it, run:

sudo apt-get install git

Go to your Donation Store folder. If you followed the previous tutorial on how to install the web application, this should be /home/donationstore/DonationStoreV2. To get there, use:

cd /home/donationstore/DonationStoreV2

Get Let's Encrypt

To install Let's Encrypt, we will clone it using Git. Run this command:

git clone https://github.com/letsencrypt/letsencrypt

Now change into that directory using:

cd letsencrypt

Then run Let's Encrypt using:

./letsencrypt-auto --help

Get SSL Certificate

Before we obtain an SSL certificate we must first stop Nginx, because the standalone mode used below needs the web ports free. If you are using a different web server, please follow a relevant tutorial from here. In the future we hope to provide tutorials for different servers, but at this time we can only offer Nginx.

service nginx stop

We can now obtain the certificate using:

./letsencrypt-auto certonly --standalone -d yourdomain

Replace yourdomain with the domain you want linked to your SSL certificate.

Let's Encrypt will then ask for an email address. Enter a valid address that you actually use, as this is where notifications will be sent whenever you need to renew the certificate or when there are problems with it.

Read, then agree to the Let's Encrypt Terms of Service by entering A and then hitting enter.

Decide whether or not you want to share your email; that's up to you!

It will take a few moments to generate your certificate, but once done you should get a message saying "Congratulations".


Configure Nginx to Use HTTPS

Even though we now have the SSL certificate, Nginx is still configured for HTTP (from our previous config), so we must tell it to use HTTPS instead. If you check your site now, you will see there is no active SSL certificate on your domain.

Open your Nginx config (as in the previous tutorial on how to set up Donation Store). You can open it by running the following command:

sudo nano /etc/nginx/sites-available/DonationStore

When it is opened you should see something similar to below:

server {
  server_name yourdomainorip.com;
  access_log off;

  location /static {
    alias /home/donationstore/env/static;
  }

  location / {
    proxy_pass http://{your_ip_address}:8001;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Real-IP $remote_addr;
    add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
  }
}

You must modify it to reflect the following (the changes are the listen line, the two ssl_certificate lines and the second server block at the end):

server {
  listen 443 ssl;
  server_name domain-entered-in-letsencrypt-step;
  ssl_certificate /etc/letsencrypt/live/domain-entered-in-letsencrypt-step/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/domain-entered-in-letsencrypt-step/privkey.pem;
  access_log off;

  location /static {
    alias /home/donationstore/env/static;
  }

  location / {
    proxy_pass http://{your_ip_address}:8001;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Real-IP $remote_addr;
    add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
  }
}

server {
  listen 80;
  server_name domain-entered-in-letsencrypt-step;
  return 301 https://$host$request_uri;
}

By making the above changes, you are instructing Nginx to serve the site on port 443 (the SSL port) instead of 80, linking the SSL certificate and its key, and telling Nginx to redirect any request that still arrives over HTTP on port 80 to HTTPS.

Close the Nginx config and restart Nginx using:

service nginx restart
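The following script is an added example and not part of the original guide. It renders the two server blocks above for a domain, checks that a config contains the three changes this section makes, and reports whether the Let's Encrypt certificate for a domain is missing or about to expire. The upstream address and domain are placeholders you pass in; the P3P header from the guide's config is left out.

```shell
# Added example, not part of the original guide: render the HTTPS server block
# and the HTTP->HTTPS redirect for one domain, and check that a config contains
# the three changes the guide makes. Paths are the ones the guide uses; the
# upstream address is a placeholder.

render_nginx_https() {
  domain="$1"     # domain entered in the Let's Encrypt step
  upstream="$2"   # backend, e.g. 127.0.0.1:8001
  live="/etc/letsencrypt/live/$domain"
  cat <<EOF
server {
  listen 443 ssl;
  server_name $domain;
  ssl_certificate $live/fullchain.pem;
  ssl_certificate_key $live/privkey.pem;
  access_log off;
  location /static { alias /home/donationstore/env/static; }
  location / {
    proxy_pass http://$upstream;
    proxy_set_header X-Forwarded-Host \$server_name;
    proxy_set_header X-Real-IP \$remote_addr;
  }
}
server {
  listen 80;
  server_name $domain;
  return 301 https://\$host\$request_uri;
}
EOF
}

# Reads an nginx config on stdin; returns 0 only if it listens on 443 with ssl,
# references fullchain.pem and privkey.pem, and redirects with a 301 to https.
check_nginx_https() {
  cfg=$(cat)
  echo "$cfg" | grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl;' || return 1
  echo "$cfg" | grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+.*/fullchain\.pem;' || return 1
  echo "$cfg" | grep -Eq '^[[:space:]]*ssl_certificate_key[[:space:]]+.*/privkey\.pem;' || return 1
  echo "$cfg" | grep -Eq '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' || return 1
}

# Returns 0 (true) if the Let's Encrypt certificate for the domain is missing or
# expires within 30 days; openssl x509 -checkend fails once expiry is that close.
cert_expires_soon() {
  ! openssl x509 -in "/etc/letsencrypt/live/$1/fullchain.pem" -noout -checkend 2592000
}
```

Run `render_nginx_https yourdomain 127.0.0.1:8001 | check_nginx_https` to confirm the rendered config, or pipe `/etc/nginx/sites-available/DonationStore` into `check_nginx_https` to verify your edits before restarting Nginx.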

And that's it!