December 4, 2015

Using Letsencrypt with Nginx

HTTPS ALL THE THINGS

Letsencrypt.org has just entered its public beta period. This means that you can get SSL certificates really easily and for free. Letsencrypt’s certificates are up to modern specs and fully accepted by all browsers, so you no longer have any excuse not to have SSL on all your domains.

This post will hold your hand through the process of moving your Nginx site from http to https.

1. Install LetsEncrypt

You’ll want to install letsencrypt on the server that hosts your domain. The GitHub project for letsencrypt contains detailed instructions, but basically, you just need to check out the project:

$ git clone https://github.com/letsencrypt/letsencrypt

Once you cd into the new letsencrypt directory, you can run ./letsencrypt-auto at your leisure. This is a script that handles its own updates and dependencies, so you can go ahead and run it as if you’ve finished the installation – it should do the rest. If it doesn’t, any errors should be pretty easy to track down from the output, but you might need to take care of some deps manually.

2. Generate a certificate

I used the --standalone method to get some certs. This requires that you first stop nginx so it can bind itself to port 80 (you’ll also be asked for a sudo password if necessary).

$ service nginx stop

After that, you’ll just need to run this command (replacing the email address and domain with your preferred values):

$ ./letsencrypt-auto certonly --standalone --email you@example.com -d example.com -d www.example.com

This will generate certs valid for example.com and www.example.com. The certs will end up in /etc/letsencrypt/live/example.com/.

3. Install the cert in Nginx

In short, change your server block to listen on port 443 instead of 80 and tell it to use ssl. These directives should be near the top of your configuration, like so:

server {
    listen 0.0.0.0:443 ssl;  # was 80, added ssl
    server_name example.com;

Then you’ll need to enable ssl and direct nginx to your certificate and key. You’ll want to use fullchain.pem for the former and privkey.pem for the latter. Just drop the following directives in your server block; right after the server_name is a reasonable place:

    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

4. Set up a redirect from your http site

You’ll want to make sure people can still find your site, so set up a permanent redirect to the new https URL. Just put a block like the following at the top of your configuration file. This will define a new listener on port 80 (http) that redirects requests from, e.g., http://example.com/some/path to https://example.com/some/path.

As an aside, if you want www.example.com to work as well as example.com, make sure it’s a permanent redirect so you don’t get penalized by Google.

server {
    listen 80;
    server_name example.com www.example.com;

    location / {
        # permanent (301) redirect, keeping the original path
        rewrite ^(.*)$ https://example.com$1 permanent;
    }
}
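To confirm the migration actually took, here is an added check script (not from the post): it verifies that the port-80 listener answers with a permanent 301 to the same path on https, that privkey.pem really belongs to fullchain.pem, and that the certificate is not about to expire. It assumes curl and openssl are installed; example.com and the /etc/letsencrypt paths are the post's placeholders.

```shell
#!/bin/sh
# Post-migration sanity checks for the nginx setup described above.
# Added example, not part of the original post. Assumes curl and openssl
# are installed; example.com and the certificate paths are placeholders.

CERT_DIR=/etc/letsencrypt/live/example.com

# Pull the status code from a raw response header block (e.g. from `curl -sI`):
# the first line reads "HTTP/1.1 301 Moved Permanently".
http_status() {
    printf '%s\n' "$1" | head -n 1 | awk '{ print $2 }'
}

# Pull the Location header value, dropping the carriage return curl leaves in.
http_location() {
    printf '%s\n' "$1" | awk 'tolower($1) == "location:" { print $2 }' | tr -d '\r'
}

# A correct redirect is a permanent (301) one pointing at the same path on https,
# which is what the port-80 server block in step 4 sets up. Returns 0 if so.
redirect_ok() {
    headers=$1; expected=$2
    [ "$(http_status "$headers")" = "301" ] &&
    [ "$(http_location "$headers")" = "$expected" ]
}

# Confirm privkey.pem really belongs to fullchain.pem by comparing the public key
# embedded in each; nginx refuses to start on a mismatch, so catch it first.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

check_site() {
    domain=$1
    hdrs=$(curl -sI "http://$domain/some/path")
    redirect_ok "$hdrs" "https://$domain/some/path" &&
        echo "redirect ok" || echo "redirect BROKEN"
    key_matches_cert "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem" &&
        echo "key matches cert" || echo "key/cert MISMATCH"
    # Let's Encrypt certificates are short-lived, so warn when under 30 days remain.
    openssl x509 -checkend 2592000 -noout -in "$CERT_DIR/fullchain.pem" >/dev/null &&
        echo "cert valid for 30+ days" || echo "cert expires within 30 days: renew"
}

# Only touch the network when a domain is given on the command line.
if [ $# -gt 0 ]; then check_site "$1"; fi
```

Run it as `sh check.sh example.com` once nginx is back up; a 302 instead of a 301, or a Location pointing somewhere other than the same path on https, is reported as a broken redirect.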

5. All done!

In summary, letsencrypt.org is an awesome service that (finally) makes it easy to automatically generate an SSL cert. You should definitely give it a try right away.