Or in other words, Zero to SSL in three minutes

I was really excited about the Let's Encrypt free ssl service since their first announcement. But I never tried to install it, mainly as I found the documentation a bit difficult to follow. Today, after reading the article in nginx blog, I've decided to give it a try and I was quite surprised to see how simple and easy is to install the ssl certificate using the let's encrypt client. I will breifly explain the process in simple steps.

1. Install Let's Encrypt client

You can install the Let's encrypt client by simply cloning the repo using Git.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

2. Obtain Certificate

./letsencrypt-auto certonly --webroot -w /var/sites/blog.shameerc.com/ -d blog.shameerc.com

If everything went well, you will be presented with the following message (as of the time of writing)

Checking for new version...
Requesting root privileges to run letsencrypt...
   /home/ubuntu/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade certonly --webroot -w /var/sites/blog.shameerc.com/ -d blog.shameerc.com

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/blog.shameerc.com/fullchain.pem. Your cert will
   expire on 2016-05-23. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. Update Nginx/Apache Config

If you are already running an nginx server, there are two important things to update in the virtual host configuration.
- Change listen directive to listen 443 port.
- Add the certificate chain and private key, which are the following in this case.

ssl_certificate /etc/letsencrypt/live/blog.shameerc.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.shameerc.com/privkey.pem;

If you are interested, here is my full vhost configuration for this blog.

server {
    listen 443 ssl;

    root /var/sites/blog.shameerc.com;
    index index.php index.html index.htm;

    server_name blog.shameerc.com;

    ssl_certificate /etc/letsencrypt/live/blog.shameerc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.shameerc.com/privkey.pem;

    try_files $uri /index.php;

    location ~ \.php$ {
        fastcgi_connect_timeout 3s;
        fastcgi_read_timeout 10s;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    location ~/\.ht {
        deny all;

And we are done! Now open the site using HTTPS URL. You will see the nice little green lock in the address bar.

4. Renew Certificates

We can renew the letsencrypt certificates using /opt/letsencrypt/letsencrypt-auto renew. To enable automated renewal, add the following as a cron job (modify the path to letsencrypt installation directory if required).

./opt/letsencrypt/letsencrypt-auto renew --quiet --no-self-upgrade
Tags : sslsecurity
blog comments powered by Disqus