Lets Encrypt with Nginx

July 31, 2016

Let's Encrypt is a game changer for websites.

I thought it was a good idea when Let's Encrypt introduced the notion of a free CA Authority making SSL more accessible to the public in early 2015. But, I didn't delve deeper because I was already using sslmate to somewhat automate my certificate management. Then, as I was setting up a new domain, I noticed that Dreamhost was issuing free SSL for any domain, and I thought, "WHAT?? I want that!"

Updating Nginx to use LetsEncrypt Certificates

Getting LetsEncrypt is fairly easy for a Debian/Ubuntu system:

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Get the certificate

sudo /opt/letsencrypt/letsencrypt-auto certonly --agree-tos --webroot -w /path/to/public/www/ -d example.com -d www.example.com

This will drop files into /etc/letsencrypt/live/yoursite.com.

After doing this, you will have to modify Nginx configuration. Add this to your configuration file for nginx where SSL is defined:

ssl_certificate /etc/letsencrypt/live/yoursite.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yoursite.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/yoursite.com/chain.pem;

Obviously, change yoursite.com with, well, your domain name.

With a sudo service nginx reload you are up and running on your new free LetsEncrypt SSL cert!

Auto-renewal

A LetsEncrypt cert expires after 90 days. While they email you to renew, it is best to just automate the process.

You can setup a crontab for root like this:

22 4 * * 1 /opt/letsencrypt/letsencrypt-auto renew --quiet --post-hook "/usr/sbin/service nginx reload" >> /var/log/le-renew.log

This will run on the 22nd minute of the 4th hour of the first day of the week (so, once a week). You can tweak to your liking. The reload portion of --post-hook will be ignored if the certificate was not renewed. (Thanks for the update Bjørn!) According to the certbot documentation, any certificate that expires in less than 30 days will be renewed. If you have more complex restart tasks, write a script and initiate the script as a --post-hook argument.

Game Changer

Done are the days of expired certs, unhappy customers seeing a big warning screen because a sysadmin forgot about the renewal date, and paying for certificates! Wildcard certificates? Who needs 'em anymore, just use the --expand flag with letsencrypt to add domains as you need them. Orgs like Comodo and Verisign are about to see a massive drop in SSL certificate income. We'll talk of the golden era when we actually paid $399 for a SSL cert and much of the web was unencrypted.

The only thing I can think of right now is that Commercial CA Authority "Extended Validation" services for high-security firms like banks would still be useful. Other than that, most any webapp can use this free, automated, open service to SECURE ALL THE THINGS.