Using Let's Encrypt to Secure Your Site

December 7, 2015    https security ssl lets encrypt nginx

Now that Let's Encrypt is in public beta, you can go ahead and secure all your websites and move one step closer to making the web a more secure place.

At the time of writing, automatic configuration for Nginx is still in development, so it's a better idea to generate the certificates manually and place them manually in the configuration for your servers in Nginx.

To get started, SSH into your server and clone the letsencrypt repository a folder of your choosing and fire up letsencrypt. The Let's Encrypt client will automatically install all the required dependencies.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone --email you@email.com -d you.com -d www.you.com

The email should be one that you use as the administrative email for your server. The addresses after every -d flag are the domains you want to generate a certificate for. In this example, we are generating a certificate for the non-www and the www version of our domain.

You will be asked to accept the TOS once all the dependencies are downloaded and installed. By default, the newly generated files are stored in /etc/letsencrypt/live/you.com/fullchain.pem; and vice versa.

For the last step of the process, lets open up Nginx using vi /etc/nginx/sites-available/default and tell it to use the newly generated certificates.

server {
    listen 443 ssl;

    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/you.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/you.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/you.com/cert.pem;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
}

Save the configuration and restart Nginx using service nginx restart.

Awesome! You can now visit your fully SSL-enabled site. Remember that the certificates will need to be renewed every 90 days. For now, the renewal is manual. To renew, just run ./letsencrypt-auto and follow the prompts and the rest will be done for you.

If you want to automate it, you can run the command using cron every 80 days.



comments powered by Disqus