Free SSL/TLS Certificates with Nginx and Let’s Encrypt

As you might have already noticed, I am now running this site with a SSL certificate provided by Let’s Encrypt. Formerly only enabled to another domain hosted here.

For those who don’t know Let’s Encrypt, it’s a free automated, and open certificate authority. You can literally have a SSL certificate on your hosting in minutes.

You can easily install it with the following instructions. Keep in mind that the instructions are for Ubuntu 14.04, so some steps may differ.

Install Let’s Encrypt client.

Download the script and make it executable:

cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x /usr/local/sbin/certbot-auto

Check your package manager for letsencrypt. Ubuntu 16.04 already have it.

Obtain the certificate.

To generate the certificate the client will create a temporary file on your webroot. You need to allow the access to the file adding the following to your nginx server block configuration:

location ~ /.well-known {
                allow all;
        }

After that, restart your nginx and run the following command:

certbot-auto certonly -a webroot --webroot-path=/var/www/yourwebroot -d yourdomain.com -d www.yourdomain.com

Don’t forget to change your webroot-path and your domain. If needed, add any other sub domain after the -d yourdomain.com. At the prompt insert your e-mail and, after read, accept the agreement.

You will end up with a set of four .pem files.

Set up nginx with SSL.

Edit your nginx configuration file again, you may now remove that .well-knowmentioned earlier. Also remove the listen 80 portion.

listen 443 ssl;
#listen 80; 
server_name www.yourdomain.com yourdomain.com; 
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; 
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

To redirect all your http traffic to https you should add this server block before the above:

server { 
    listen 80; 
    server_name www.yourdomain.com yourdomain.com; 
    return 301 https://$host$request_uri; 
}

Restart nginx again and test to make sure everything is working as expected.

Set up auto-renewal.

The certificate expires within 90 days, you can run the command certbot-auto renew to perform the renewal of the certificate. However, it will only renew if it’s 30 days away or less to expire. So you can create a cronjob to run every week without any problem.

Edit your crontab and insert the following entries:

30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload

A log of the output of certbot-auto renew will be available in the path shown above.

Conclusion:

Easy to install and maintain. You can also improve it using a strong encryption.

Git repository access control with Gitolite

I already used other version control software like CVS and SVN in the past, but Git was one that really got me because I just felt it easy and intuitive.

Besides having a GitHub account I really don’t see the point of paying US$7/month just to have private repositories when you can roll your own VPS for less than that. Obviously, you can install something more similar to GitHub like GitLab, but, in my opinion, Gitolite is easy to use, fast and works; Keep it simple, sucker!

So, I will give the steps to install and configure on Ubuntu Server 16.04. On other distros the paths and steps may differ.

First of all, you should check existing SSH keys or generate a new set on your machine. (To be honest, if you are already using git you should have your keys)

#to check:
ls -al ~/.ssh
#to generate(linux/mac):
ssh-keygen -t rsa

On Windows machines I advise you to install cygwin with net/openssh package. I prefer that way, but you can try with other methods.

Back to our server, now we should install gitolite3 and git-core:

sudo apt-get install git-core gitolite3

Insert your public key configure gitolite. On older versions you need to create a user and run the setup by yourself, keep that in mind if you are using other distro.

Now you can ssh the gitolite user to list the repositories:

ssh gitolite3@yourdomain.com

You can add some rules and keys cloning the gitolite-admin repository.

git clone gitolite3@youtdomain.com:gitolite-admin

You can now add pub keys for other users(or machines) creating files in the keydir directory. For multiple machines you should use the name convention user@machine.pub, like nimlhug@notebook.pub. On the conf/gitolite.conf file you can add users and repositories.

Checkout the official documentation. Apart from being a non resource-intensive, gitolite is a rich and powerful software that you can make use of RegEx, groups, hooks, VREF, wild repos and much more.