Free SSL (well TLS) certificates for all! The Let's Encrypt project has now gone into public beta, so anyone can go get a certificate and move to HTTPS. Very nice indeed.

Here was my experience setting it up on a novelty website, just to test things out. My server runs Ubuntu and the Nginx web server. If you have the same, you can follow along.

I used the official documentation and found this post by David Zych very helpful.

Getting and installing the Let's Encrypt client

The recommended way of getting the client software is to clone the GitHub repository. But first, make sure you have Git installed. Just try running git on your command line and see if it runs. If not, install it by running:

sudo apt-get install git

Once you have git, clone the Let's Encrypt repository and enter its directory with:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Running the client to get a certificate

Currently only Apache is fully supported, so Nginx users are advised to use the standalone method to get a certificate.

Stop Nginx

First, stop the Nginx server:

sudo service nginx stop

Run letsencrypt-auto

Then run the letsencrypt-auto script. The first time it runs, it installs any missing dependencies. I used the following command to get my certificate (note I've used a dummy email here).

./letsencrypt-auto certonly --agree-tos --standalone --email youremail@yourdomain.com -d www.gormaniancalendar.work -d gormaniancalendar.work

This command should run without prompting for further information (other than a password prompt if your sudo session has expired). This is useful when it comes to renewing certificates later.

The whole process happens relatively quickly. The certificate files are stored in the directory:

/etc/letsencrypt/live/www.yourdomain.com

It's the fullchain.pem and privkey.pem files that will be needed when setting up Nginx.

Configuring Nginx to use SSL

Go to wherever your server is defined. This might be in the sites-available directory or in /etc/nginx/conf.d/default.conf. You'll want to change the listening port number from 80 to 443, turn on SSL and tell Nginx where to find the certificate files. So now my server block looks like this:

server {
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/www.gormaniancalendar.work/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.gormaniancalendar.work/privkey.pem;

  server_name www.gormaniancalendar.work gormaniancalendar.work;
  root /var/www/gormanian_calendar;
  index index.html;
}

To make sure everybody gets to your encrypted site, let's direct anybody going to the old http site to the https one. This also works for any old links to your site that may be lurking around the Internet. Add the following server block to your Nginx config file (not forgetting to alter the domain name):

server {
  listen 80;
  server_name www.gormaniancalendar.work gormaniancalendar.work;

  location / {
    rewrite ^(.*)$ https://gormaniancalendar.work$1 permanent;
  }
}

Check Nginx configuration

Make sure to check the state of the Nginx configuration using the following command:

sudo nginx -t

If it fails, double check your config file. If all is OK, carry on.

Restart Nginx

Go ahead and restart Nginx:

sudo service nginx start

You should now be able to go to your site and get the secure https version. Here's mine: https://www.gormaniancalendar.work.

I didn't get a green padlock at first, as my site was pulling in an image from an http site, but once I hosted the image on my server, the green padlock appeared.

Certificate renewal

There is a slight price to pay for all this new free goodness. The Let's Encrypt certificates are only valid for 90 days. This is for extra security, as there could be a lot of certs that might escape the control of their users (e.g. a website gets forgotten about and the private key leaks out).

To renew your certificate, you just need to go through the process above again. Every 90 days. Not too convenient. Let's Encrypt are working on an automated system, but in the meantime, you could write a cron script that stops Nginx, runs the letsencrypt-auto command and restarts Nginx. This could be set to run every 60 or 70 days.
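The cron script described above, as an added example that is not part of the original post or of the Let's Encrypt client. It goes a little beyond the text: it is meant to run weekly, asks openssl whether the certificate is within 30 days of expiry so renewal only happens when due, and restarts Nginx even if the client or the config check fails, so the site does not stay down. It assumes the repository was cloned to /opt/letsencrypt and that the script runs as root from cron.

```python
# Cron-driven Let's Encrypt renewal for Nginx (added example, not from the post).
import ssl
import subprocess
import sys
import time

LE_DIR = "/opt/letsencrypt"                        # assumption: where the repo was cloned
DOMAINS = ["www.gormaniancalendar.work", "gormaniancalendar.work"]
EMAIL = "youremail@yourdomain.com"                 # dummy address, as in the post
CERT = "/etc/letsencrypt/live/%s/fullchain.pem" % DOMAINS[0]
RENEW_WITHIN_DAYS = 30   # renew about 60 days into the 90-day lifetime

def days_left(not_after, now=None):
    """Whole days until notAfter in openssl's text form, e.g. 'Mar  9 12:00:00 2016 GMT'
    (the format ssl.cert_time_to_seconds understands); negative once expired."""
    end = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((end - now) // 86400)

def renewal_due(not_after, now=None, threshold=RENEW_WITHIN_DAYS):
    """True when the certificate expires within `threshold` days (or already has)."""
    return days_left(not_after, now) <= threshold

def cert_not_after(path):
    """Ask openssl for the on-disk certificate's expiry line ('notAfter=Mar  9 ...')."""
    out = subprocess.check_output(["openssl", "x509", "-noout", "-enddate", "-in", path])
    return out.decode().strip().split("=", 1)[1]

def certonly_command():
    """The same certonly invocation as in the post, one -d per domain."""
    cmd = [LE_DIR + "/letsencrypt-auto", "certonly", "--agree-tos", "--standalone", "--email", EMAIL]
    for domain in DOMAINS:
        cmd += ["-d", domain]
    return cmd

def main():
    if not renewal_due(cert_not_after(CERT)):
        print("certificate not due for renewal yet")
        return 0
    subprocess.check_call(["service", "nginx", "stop"])   # free port 80 for --standalone
    try:
        subprocess.check_call(certonly_command())
        subprocess.check_call(["nginx", "-t"])            # don't restart on a broken config
    finally:
        subprocess.check_call(["service", "nginx", "start"])  # bring the site back even on failure
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it from root's crontab, for example `0 3 * * 1 /usr/local/bin/renew-letsencrypt.py >> /var/log/le-renew.log 2>&1` (path and schedule are assumptions), and keep the expiry emails as a backstop in case a run fails.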

You will get an email notification when your certificate is close to expiring, so that is another safety net. If you don't do anything, your site will effectively go offline. No good.

Reflections

This is a great service and allows everyone to freely encrypt their websites. Renewal is probably the only current challenge to manage, but should get better over time. Go encrypt!