Let’s Encrypt the web!

Or at least your own personal websites. Let’s Encrypt is, according to their website, “a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).”

In summary, they issue TLS certificates (still commonly called SSL certificates) that browsers trust, for commoners like you and me, for free! Great stuff: no more need for self-signed certificates. First you need their client, certbot. It ships an nginx plugin that is supposed to edit your configuration for you, but I didn’t have much luck with it (it is worth mentioning that it was still in an experimental phase). Here, I’ll show how to create your certificates with the manual challenge and add them to nginx by hand.

As root, do:

# certbot certonly --manual

Then enter your domain (or subdomain). Certbot will print instructions like these (the token below is a placeholder; yours will be a long random string):

mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s" SOMETEXTANDNUMBERS > .well-known/acme-challenge/SOMETEXTANDNUMBERS
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"

Make sure nothing else (varnish, nginx) is listening on port 80, because Let’s Encrypt validates the challenge by fetching http://yourdomain/.well-known/acme-challenge/TOKEN over plain HTTP on port 80. Copy the commands certbot printed, run them as root in a second terminal, then go back to certbot and press Enter. Be aware that the throwaway Python server exposes everything under /tmp/certbot/public_html, so keep that directory empty apart from the challenge file and stop the server (Ctrl-C) as soon as certbot reports success. If the Python command fails with an import error, the usual cause is that Python 2 itself is not installed: BaseHTTPServer and SimpleHTTPServer are part of the Python 2 standard library, not separate packages (on Python 3 they were merged into the http.server module). Once validation succeeds, certbot stores the certificate chain at /etc/letsencrypt/live/yourdomain/fullchain.pem and the private key at /etc/letsencrypt/live/yourdomain/privkey.pem, where “yourdomain” is the domain you entered. Treat privkey.pem as a secret: it should stay readable by root only (the nginx master process runs as root and reads the key before dropping privileges).
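The challenge step above, rewritten as an added example (this is not from the original post or from certbot): a small bash script that hosts the token from a fresh private directory with Python 3’s http.server instead of the shared /tmp/certbot path, refuses a token that could escape that directory, checks locally that the token is reachable before you press Enter in certbot, and removes everything on exit. TOKEN and FILE_CONTENTS are whatever certbot printed for you (the file name and the printf argument in its instructions); the script name, the function names and the /tmp/acme-challenge prefix are my own choices.

```bash
#!/bin/bash
# Added example: host a certbot --manual HTTP-01 challenge from a fresh,
# empty directory (not the shared /tmp/certbot path certbot suggests), using
# python3's http.server since Python 2 is end-of-life.
# Usage (as root, while certbot waits for you to press Enter):
#   ./acme-manual-challenge.sh TOKEN FILE_CONTENTS [PORT]
set -eu

# ACME tokens are base64url: letters, digits, '-' and '_'. Anything else
# (a '/', '..', a space) came from a mangled paste, not from certbot, and
# could make the path escape the challenge directory, so refuse it.
valid_token() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# write_challenge WEBROOT TOKEN CONTENTS
# Creates WEBROOT/.well-known/acme-challenge/TOKEN holding CONTENTS and
# prints the path written; fails without writing if TOKEN is not valid.
write_challenge() {
  local webroot=$1 token=$2 contents=$3 dir
  valid_token "$token" || { echo "refusing suspicious token: $token" >&2; return 1; }
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s' "$contents" > "$dir/$token"
  chmod 0644 "$dir/$token"   # readable by the web server, writable by root only
  printf '%s\n' "$dir/$token"
}

# main TOKEN CONTENTS [PORT]: serve the challenge until you press Enter.
main() {
  local token=$1 contents=$2 port=${3:-80} webroot pid got
  webroot=$(mktemp -d /tmp/acme-challenge.XXXXXX)   # fresh dir: nothing else is exposed
  write_challenge "$webroot" "$token" "$contents" >/dev/null
  # Validators connect to port 80, so nginx/varnish must not be bound to it.
  python3 -m http.server --bind 0.0.0.0 --directory "$webroot" "$port" >/dev/null 2>&1 &
  pid=$!
  # Stop the throwaway server and delete the directory however we exit.
  trap 'kill "$pid" 2>/dev/null; rm -rf "$webroot"' EXIT
  sleep 1
  # Check locally that the token is served before telling certbot to proceed.
  got=$(curl -fsS "http://127.0.0.1:$port/.well-known/acme-challenge/$token")
  [ "$got" = "$contents" ] || { echo "challenge is not being served correctly" >&2; exit 1; }
  echo "Serving the challenge on port $port. Go back to certbot and press Enter there."
  read -r -p "Press Enter here once certbot reports success... " _
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

The --directory option of http.server needs Python 3.7 or newer; on older systems, cd into the directory first and drop the option. The local curl check only proves the file is served on this host; Let’s Encrypt still has to reach port 80 from the outside, so a firewall that blocks it will make certbot fail even though the check passed.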

Last step is to add these lines to the server block in your nginx configuration. Without the listen directive nginx never speaks TLS on port 443, even with the certificate lines present:

server {
    (...)
    listen 443 ssl;
    server_name yourdomain;
    ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;
    (...)
}
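A fuller nginx configuration, added here as an example (it is not from the original post): it keeps the certificate lines above, redirects plain HTTP to HTTPS, restricts the TLS versions, and serves /.well-known/acme-challenge/ from a dedicated webroot so that later renewals can be validated while nginx keeps running, using certbot’s webroot mode instead of --manual. The webroot path /var/www/letsencrypt and the site root /var/www/yourdomain are assumed names; TLSv1.3 needs nginx built against OpenSSL 1.1.1 or newer, so drop it from ssl_protocols on older systems.

```nginx
# Port 80: answer ACME HTTP-01 challenges from a dedicated webroot and send
# everything else to HTTPS. With this location in place, certbot's webroot
# mode can validate renewals without stopping nginx.
server {
    listen 80;
    server_name yourdomain;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed path; certbot -w must point here
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the actual site, using the files certbot wrote.
server {
    listen 443 ssl;
    server_name yourdomain;

    ssl_certificate     /etc/letsencrypt/live/yourdomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;

    # No SSLv3 / TLS 1.0 / TLS 1.1; let clients pick among the modern suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Tell browsers to use HTTPS for this host from now on. Add it only once
    # the HTTPS site is known to work: clients cache it for max-age seconds.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/yourdomain;   # assumed site root
    index index.html;
}
```

With the challenge location in place, both the first issuance and every renewal can be done without downtime: certbot certonly --webroot -w /var/www/letsencrypt -d yourdomain for the first certificate, then certbot renew --deploy-hook "systemctl reload nginx" from a cron job or systemd timer. The reload matters because nginx only re-reads the certificate and key files when it is reloaded or restarted; a renewed certificate on disk is not served until then.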

You should be ready to start nginx/varnish now. Let’s Encrypt certificates are valid for 90 days; to renew, repeat the steps above before expiry (which means stopping nginx again while the challenge is served), then restart or reload nginx, since it only reads the certificate and key files at startup. (;

That should be all! Good luck.
