Setting up a new site with LetsEncrypt and Nginx

I've been absolutely buzzing about LetsEncrypt since it was first announced. It was a long overdue addition to life on the web. In this post-Snowden era, encryption has never been more important. So went I set up this blog (and am soon to set up the main site) I decided to give it a go.

Below is what it took me to get an SSL Certificate up and running with LetsEncrypt. It was fairly painless but there were a few little glitches along the way.

Firstly, I fired up an instance of Ubuntu 14.04.3 on Digital Ocean and set up my users and public key authentications. My bible for this sort of thing is Bryan Kennedy's My First 5 Minutes On A Server. It's just the basics but is a handy reminder about how to set up users, firewalls etc.

Once that's done I log in as my newly created, non-root user and install Git:

sudo apt-get install git  

The next issue is that Ubuntu 14.04.3 is pre-loaded with Python 2.7.6 (come on now, Python3 is 6 or 7 years old now!). The LetsEncrypt client requires Python 2.7.9 or higher in order to support some SSL features in urllib3 which I assume is related to one of my favourite Python packages: Requests.

To upgrade to 2.7.11 we simply run the following commands:

sudo add-apt-repository ppa:fkrull/deadsnakes-python2.7  
sudo apt-get update  
sudo apt-get upgrade  

Next we need to install PIP:

sudo apt-get install python-pip  

And then we need to upgrade the Python https client:

sudo pip install --upgrade ndg-httpsclient  

(at this stage I can't quite remember if I also had to install urllib3 but I don't think I did.)

Next I installed Nginx:

sudo apt-get install nginx  

An now we should be ready to install LetsEncrypt:

git clone https://github.com/letsencrypt/letsencrypt  
cd letsencrypt  
./letsencrypt-auto --help

All going to plan that ran smoothly with no errors, so now it's time to get your certificates. First of all we need to stop Nginx:

sudo nginx -s stop  

Then install the certificates with this command:

./letsencrypt-auto certonly -d example.com -d blog.example.com --email hammy@example.com

You should now have your certificates tucked away in /etc/letsencrypt/live/example.com

I'll leave the Nginx vhost configuration to you as it will vary so widely, but the two important lines that need to be added are:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem  
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem  

This blog is build on (Ghost)[http://ghost.org] which has a handy guide to setting up Nginx with SSL here.

Once you've done that, you can restart Nginx:

sudo nginx  

The last step is to set up a cron to renew the certificate regularly. They expire every 90 days so I've set mine up to renew on the first day of every second month.

The super simple shell script I use looks like this:

#!/bin/bash

nginx -s stop

/bin/su - footy -c "/home/footy/letsencrypt/letsencrypt-auto certonly --renew-by-default -d afltipster.com -d blog.afltipster.com --email hammy@spiresoftware.com.au"

nginx  

Then I set up the cron as root: sudo crontab -e

... and add the following line:

0 0 1 2,4,6,8,10,12 * sh /home/<user>/renew_all.sh  

And that's it. Congratulations to all the team behind LetsEncrypt - you've done a super job!