Ever tried installing an SSL certificate on your website? Sucks, doesn’t it? The whole process of procuring and installing SSL certificates is so archaic and cumbersome that it sends shudders through anyone who has to face it.
After Edward Snowden let the world know that everyone is watching everything you do online, we started to realise that we should be able to use the Internet without every bit of data, benign or private, being visible to others. The answer to this problem: encryption.
Encryption scrambles data between the provider (say, a website, server or application) and its end user, such that if the data is intercepted anywhere between the two, it can’t be read. If you own a website, the way you get that encryption is through an SSL certificate (strictly a TLS certificate; “SSL” is the name that has stuck). The certificate itself does the authentication half of the job: it lets a browser check that it is really talking to your server, so the encrypted connection it then sets up can’t be silently redirected to an impostor.
Late last year, several do-gooders came together and agreed that the status quo for producing and installing SSL certificates was terrible. So they set about changing it, and with the vision of allowing anyone to produce and install an SSL certificate with the greatest of ease and at zero cost, they created Let’s Encrypt: a non-profit certificate authority.
The big names in the business charge anywhere from $10 to many hundreds of dollars for an SSL certificate. Let’s Encrypt gives out functionally identical certificates for free in the name of facilitating widespread encryption on the Internet. They are domain-validated certificates, the same kind the cheap end of the market sells, and browsers trust them like any other. See, this is a big deal.
Just yesterday (3 December 2015), Let’s Encrypt moved into public beta, meaning that everything isn’t quite perfect yet, but they’re ready for the masses to start testing their service. So with that, I set about using it to encrypt two sites which I hadn’t yet got around to securing.
How to install an SSL certificate on LEMP with Let’s Encrypt
I personally run a LEMP (Linux, nginx, MySQL, PHP) stack on DigitalOcean for the two sites that I added SSL certificates to, so this tutorial will be focused on that specific configuration, though the process is much the same for other setups.
In general, the process goes like this:
- Clone the Let’s Encrypt git repo.
- Stop nginx, then run the Let’s Encrypt client, which creates the certificates.
- Modify your server blocks to include the SSL directives.
- Reload nginx.
Install Let’s Encrypt
Let’s Encrypt is installed by cloning their git repo. In general, these commands will perform that for you:
Create SSL certificates with Let’s Encrypt
Let’s Encrypt is now installed and ready to start producing certificates. The standalone authenticator proves that you control the domain by answering the CA’s challenge on port 80 itself, and at this point the client doesn’t stop nginx to free that port, so this needs to be done manually (and nginx started again afterwards). If you can’t afford the downtime, the client’s webroot authenticator instead drops the challenge file into a directory your running nginx already serves:
Now you can create the certificates. If you want the certificate to cover the www and non-www version of the domain name, you’ll need to specify both in this command, each with its own -d flag, and every name you list must already resolve to this server because the CA validates each one. You can specify as many domains as you want to cover with a single certificate; the first one you list becomes the name of the directory the files are written to:
This command will cause Let’s Encrypt to check your environment and install any necessary dependencies. Once all that’s done, it should tell you that it has created your new certificates, which end up under /etc/letsencrypt/live/<your-domain>/ as fullchain.pem (your certificate plus the intermediate) and privkey.pem (the private key; keep it readable by root only):
Certificates are valid for 90 days. The short lifetime limits the damage a compromised or mis-issued certificate can do (it isn’t then valid for years) and pushes you towards automating renewal: put the same command in a cron job and re-run it before the 90 days are up, rather than relying on remembering.
If you don’t already have one, you’ll also need to generate a set of DH parameters for the DHE cipher suites (2048 bits is the minimum worth using, and generation takes a few minutes):
Add SSL directives to nginx
Now you need to tell nginx to use your new certificates. On Debian and Ubuntu these config files live in /etc/nginx/sites-available/. My server block previously looked something like this:
My new server block added a whole lot of SSL-related directives. You can use Mozilla’s SSL config generator to help you with your own. Mine looked like this:
You can see that lines 2-5 in my original config were replaced with lines 2-28 in the new config.
I wanted to achieve a couple of additional things with my new setup – I wanted to force all traffic trying to use the www subdomain to be redirected to the bare domain and to force all HTTP traffic to HTTPS. So, I added a couple of server blocks before this new server block to redirect traffic accordingly. Note that a browser visiting https://www.yourdomain.com reaches the www redirect block over TLS before it is sent anywhere, so that block needs the certificate directives too, which is why the certificate had to cover both names:
With that, everything was in place, ready for use. A quick reload of nginx was all I needed to start loading my sites over HTTPS:
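The whole procedure above, from cloning the client to reloading nginx, as one script. This is an added example, not the author’s commands or the Let’s Encrypt project’s own tooling. It assumes a Debian/Ubuntu-style nginx layout (sites-available/ and sites-enabled/, managed with service), the December 2015 client driven as ./letsencrypt-auto from a git clone in /opt/letsencrypt, and a site root of /var/www/<domain>; the cipher list is an abbreviated one based on the Mozilla intermediate profile of the time, so take the current list from Mozilla’s generator rather than copying it. The nginx config is rendered by a function so you can inspect it before anything touches the server.

```shell
#!/bin/sh
# Added example (not the post's own commands): Let's Encrypt on LEMP, end to end.
# Assumptions (all labelled): Debian/Ubuntu nginx layout, the 2015 client run
# from a git clone, first -d name becomes the /etc/letsencrypt/live/ directory.
# Usage (as root): sh le-lemp.sh example.com www.example.com

LE_DIR=/opt/letsencrypt                 # assumption: where the client repo is cloned
DHPARAM=/etc/ssl/certs/dhparam.pem      # assumption: where the DH parameters live
SITES=/etc/nginx/sites-available        # Debian/Ubuntu layout

# Step 1: install the client by cloning the repository.
le_install() {
    [ -d "$LE_DIR" ] || git clone https://github.com/letsencrypt/letsencrypt "$LE_DIR"
}

# Step 2: issue one certificate covering every name given. The standalone
# authenticator answers the challenge on port 80 itself, so nginx is stopped
# first and started again afterwards, even if issuance failed.
le_issue() {
    args=""
    for name in "$@"; do args="$args -d $name"; done
    service nginx stop
    # shellcheck disable=SC2086  # word-splitting $args into -d flags is intended
    "$LE_DIR/letsencrypt-auto" certonly --standalone $args
    status=$?
    service nginx start
    return $status
}

# DH parameters for the DHE cipher suites: 2048 bits, generated once.
dhparam_ensure() {
    [ -f "$DHPARAM" ] || openssl dhparam -out "$DHPARAM" 2048
}

# Step 3: render the three server blocks: HTTP->HTTPS, www->bare, and the site.
# Pure text generation, so the result can be reviewed before it is installed.
render_nginx_site() {
    d=$1
    cat <<EOF
# plain HTTP for both names: send everything to HTTPS on the bare domain
server {
    listen 80;
    server_name $d www.$d;
    return 301 https://$d\$request_uri;
}

# www over HTTPS: this block is reached over TLS, so it needs the certificate
# too, which is why the certificate has to cover www.$d as well
server {
    listen 443 ssl;
    server_name www.$d;
    ssl_certificate /etc/letsencrypt/live/$d/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$d/privkey.pem;
    return 301 https://$d\$request_uri;
}

server {
    listen 443 ssl;
    server_name $d;
    root /var/www/$d;                    # assumption: site root
    index index.php index.html;

    ssl_certificate /etc/letsencrypt/live/$d/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$d/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/$d/chain.pem;   # for stapling
    ssl_dhparam $DHPARAM;

    # abbreviated list in the spirit of Mozilla's intermediate profile; use the
    # generator for a current one
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!MD5:!RC4';
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    # HSTS (six months); SSL Labs needs this for an A+ rather than an A
    add_header Strict-Transport-Security max-age=15768000;

    location / {
        try_files \$uri \$uri/ /index.php?\$args;
    }
    # your existing PHP-FPM location block goes here unchanged
}
EOF
}

# Step 4: install the rendered config, check the syntax, then reload.
nginx_apply() {
    d=$1
    render_nginx_site "$d" > "$SITES/$d"
    ln -sf "$SITES/$d" "/etc/nginx/sites-enabled/$d"
    nginx -t && service nginx reload
}

main() {
    le_install
    le_issue "$@"
    dhparam_ensure
    nginx_apply "$1"
}

# Run only when given a domain, so the file can be sourced to inspect the config.
if [ $# -ge 1 ]; then main "$@"; fi
```

Run `sh le-lemp.sh example.com www.example.com` as root; to see the config without issuing anything, source the file and call `render_nginx_site example.com`. The `nginx -t` before the reload is the check worth keeping: a typo in an ssl_ directive otherwise takes the site down on reload.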
Now, running an SSL test on my site, I was instantly scoring an A+. To be clear about what that grade measures: it reflects the server’s TLS configuration (protocols, cipher suites, forward secrecy, the HSTS header), not the certificate authority, so the same config would score the same with a paid certificate. What Let’s Encrypt gives you is the certificate for free; the A+ comes from the directives above.