I've been absolutely buzzing about LetsEncrypt since it was first announced. It was a long overdue addition to life on the web. In this post-Snowden era, encryption has never been more important. So went I set up this blog (and am soon to set up the main site) I decided to give it a go.
Below is what it took me to get an SSL Certificate up and running with LetsEncrypt. It was fairly painless but there were a few little glitches along the way.
Firstly, I fired up an instance of Ubuntu 14.04.3 on Digital Ocean and set up my users and public key authentications. My bible for this sort of thing is Bryan Kennedy's My First 5 Minutes On A Server. It's just the basics but is a handy reminder about how to set up users, firewalls etc.
Once that's done I log in as my newly created, non-root user and install Git:
sudo apt-get install git
The next issue is that Ubuntu 14.04.3 is pre-loaded with Python 2.7.6 (come on now, Python3 is 6 or 7 years old now!). The LetsEncrypt client requires Python 2.7.9 or higher in order to support some SSL features in urllib3 which I assume is related to one of my favourite Python packages: Requests.
To upgrade to 2.7.11 we simply run the following commands:
sudo add-apt-repository ppa:fkrull/deadsnakes-python2.7 sudo apt-get update sudo apt-get upgrade
Next we need to install PIP:
sudo apt-get install python-pip
And then we need to upgrade the Python https client:
sudo pip install --upgrade ndg-httpsclient
(at this stage I can't quite remember if I also had to install urllib3 but I don't think I did.)
Next I installed Nginx:
sudo apt-get install nginx
An now we should be ready to install LetsEncrypt:
git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt ./letsencrypt-auto --help
All going to plan that ran smoothly with no errors, so now it's time to get your certificates. First of all we need to stop Nginx:
sudo nginx -s stop
Then install the certificates with this command:
./letsencrypt-auto certonly -d example.com -d blog.example.com --email email@example.com
You should now have your certificates tucked away in
I'll leave the Nginx vhost configuration to you as it will vary so widely, but the two important lines that need to be added are:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem
Once you've done that, you can restart Nginx:
The last step is to set up a cron to renew the certificate regularly. They expire every 90 days so I've set mine up to renew on the first day of every second month.
The super simple shell script I use looks like this:
#!/bin/bash nginx -s stop /bin/su - footy -c "/home/footy/letsencrypt/letsencrypt-auto certonly --renew-by-default -d afltipster.com -d blog.afltipster.com --email firstname.lastname@example.org" nginx
Then I set up the cron as root:
sudo crontab -e
... and add the following line:
0 0 1 2,4,6,8,10,12 * sh /home/<user>/renew_all.sh
And that's it. Congratulations to all the team behind LetsEncrypt - you've done a super job!