Until a couple of weeks ago, I didn’t really see the point in giving a .onion site a TLS certificate.

Alec Muffett convinced me:

HTTP-over-Onion should not be considered as secure as HTTPS-over-Onion, and attempting to force it thusly will create a future compatibility mess for the ecosystem of onion-capable browsers.

Helpfully, getting a TLS certificate for .onion has become very easy in the last couple of years ago.

Sure, it’s not as easy as https for the clearweb, where Let’s Encrypt makes it trivial, and means you don’t need to think about renewals.

But it is still very easy.

It is also much cheaper than when I last looked: €30 / year. Not cheap, but cheap enough for me to give it a try.

The gist is:

• create an account with Harica, the Greek entity which will issue the certificate
• keep a copy of the private key
• upload the challenge to .well-known/pki-validation so that it is accessible via the .onion domain for which you want the certificate to be issued
• wait a few days, for Harica to carry our the verification
• when it has passed verification, pay Harica, and download the files it has generated
• upload the certificate files plus the private key to the webserver
• configure the webserver to use https, and route Tor traffic to it
• for Tor, I edited /etc/tor/torrc to amend the existing Hidden Service description, to add a listener for port 443 redirecting to 8443 on localhost
• for the webserver, I added a new virtualhost to the apache config, listening on 8443, with the normal config for TLS. Once it worked, I configured it to redirect http to https, to use https by default
• add a reminder to your calendar, since you’ll need to renew it manually

And that was it.

The onion site for decoded.legal is now https://dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion.

If you want to test it, either visit decoded.legal in Tor Browser, and it should redirect automatically (using an alt-svc header), or else visit dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion.