Free SSL/TLS Certificates with Nginx and Let’s Encrypt

As you might have already noticed, I am now running this site with an SSL certificate provided by Let’s Encrypt. It was formerly enabled only for another domain hosted here.

For those who don’t know Let’s Encrypt, it’s a free, automated, and open certificate authority. You can have an SSL certificate on your hosting in minutes.

You can easily install it with the following instructions. Keep in mind that the instructions are for Ubuntu 14.04, so some steps may differ.

Install the Let’s Encrypt client.

Download the script and make it executable:

cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x /usr/local/sbin/certbot-auto

Check your package manager for letsencrypt. Ubuntu 16.04 already has it.

Obtain the certificate.

To generate the certificate, the client will create a temporary file under your webroot. You need to allow access to that file by adding the following to your nginx server block configuration:

location ~ /.well-known {
    allow all;
}

After that, restart your nginx and run the following command:

certbot-auto certonly -a webroot --webroot-path=/var/www/yourwebroot -d yourdomain.com -d www.yourdomain.com

Don’t forget to change your webroot-path and your domain. If needed, add any other subdomain as a further -d argument after -d yourdomain.com. At the prompt, enter your e-mail address and, after reading it, accept the agreement.

You will end up with a set of four .pem files.

Set up nginx with SSL.

Edit your nginx configuration file again; you may now remove the .well-known location mentioned earlier. Also remove the listen 80 directive.

listen 443 ssl;
#listen 80;
server_name www.yourdomain.com yourdomain.com;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

To redirect all your HTTP traffic to HTTPS, add this server block before the one above:

server {
    listen 80;
    server_name www.yourdomain.com yourdomain.com;
    return 301 https://$host$request_uri;
}

Restart nginx again and test to make sure everything is working as expected.

Set up auto-renewal.

The certificate expires after 90 days; you can run certbot-auto renew to renew it. However, it will only renew when the certificate is 30 days or less from expiry, so you can safely create a cron job that runs every week.

Edit your crontab and insert the following entries:

30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload

The output of certbot-auto renew will be logged to the path shown above.
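As an added check for the "test that everything is working" and auto-renewal steps above (example script, not part of the original post), the following connects to the site with Python's default verifying TLS context, reads the served certificate's notAfter, and reports whether it is inside the 30-day window that certbot-auto renew acts on; a chain or hostname problem surfaces as a verification error instead. The hostname yourdomain.com is a placeholder.

```python
import socket
import ssl
import sys
import time

# certbot-auto renew only acts once the certificate is 30 days or less
# from expiry; anything inside that window should be renewed by the cron job.
RENEWAL_WINDOW_DAYS = 30


def days_remaining(not_after, now):
    """Days until expiry, given the notAfter string as the peer certificate
    (or `openssl x509 -enddate`, after the 'notAfter=' prefix) reports it,
    e.g. 'Jun 15 12:00:00 2024 GMT', and `now` as seconds since the Epoch."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return (expiry - now) / 86400.0


def renewal_status(not_after, now):
    """Classify the certificate: 'expired', 'renew-due' (inside the window
    certbot-auto renew acts on) or 'ok'."""
    days = days_remaining(not_after, now)
    if days < 0:
        return "expired"
    if days <= RENEWAL_WINDOW_DAYS:
        return "renew-due"
    return "ok"


def fetch_not_after(host, port=443):
    """Connect over TLS with the default (verifying) context and return the
    served certificate's notAfter. A broken chain (e.g. cert.pem served
    instead of fullchain.pem) or a hostname mismatch raises
    ssl.SSLCertVerificationError, which is itself a useful deployment check."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Placeholder hostname; pass your real domain as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"
    not_after = fetch_not_after(host)
    print(host, not_after, renewal_status(not_after, time.time()))
```

Running it from the same weekly cron job (after the reload) gives a log line that shows whether the renewal actually took effect on the live site.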

Conclusion:

Easy to install and maintain. You can also improve it by using a stronger cipher configuration.