So, December 3rd saw the public beta release of “Let’s Encrypt”, a free, automated and open certificate authority from the Internet Security Research Group. I’ve tried out their client on Apache2 and all I can say is that it is the easiest and cheapest way of getting your site on SSL.
When it comes to nginx, things aren’t quite as simple. As I write this the nginx plugin isn’t yet supported, probably because nginx config comes in all shapes and sizes depending on version, OS and package maintainer.
Luckily, Let’s Encrypt still keeps things simple for those of us who are OK doing a bit of the manual work.
First, Let’s Encrypt itself. Clone the git repository and run the setup:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
Excellent. Here’s the bit where we deviate to work on nginx. Run the following, replacing the domain with your own:
./letsencrypt-auto --standalone certonly -d xan-manning.co.uk
You may get prompted to stop nginx, because the standalone authenticator needs to bind the ports nginx is listening on; unfortunately you cannot continue until you do.
So now we have all the certificates and keys we need in /etc/letsencrypt/live/xan-manning.co.uk/, it’s time to configure nginx. Let’s make a Diffie-Hellman parameter file:
openssl dhparam -out /etc/nginx/dh.pem 4096
Now to make our vhost listen on SSL. We’ll also enable SPDY while we are here; if your version of nginx doesn’t support SPDY then feel free to leave this out. Configure the top of your vhost server block as below:
server {
    listen 443 ssl spdy;
    listen [::]:443 ssl spdy;
    server_name xan-manning.co.uk;

    # Certificate chain and private key issued by Let's Encrypt
    ssl_certificate /etc/letsencrypt/live/xan-manning.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xan-manning.co.uk/privkey.pem;
    ssl_dhparam /etc/nginx/dh.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 30m;
    ssl_session_cache shared:SSL:10m;

    # OCSP stapling; the resolver is needed so nginx can reach the OCSP responder
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;

    # HSTS: tell browsers to use HTTPS for this host for a year
    add_header Strict-Transport-Security "max-age=31536000";

    # ... the rest of your vhost (root, location blocks, etc.) goes here
}
And we should now be done. Run a quick config test:
nginx -t -c /etc/nginx/nginx.conf
All being well, restart the server:
service nginx restart
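One thing the steps above leave for later: Let’s Encrypt certificates are valid for only 90 days, and the standalone method needs nginx stopped while a new one is issued. Here is an added renewal script (my own example, not part of the original post or of the Let’s Encrypt client) that reissues the certificate the same way as above once it is within 30 days of expiry. It assumes the domain and paths used in this post, and that letsencrypt-auto lives at the path in LETSENCRYPT_AUTO.

```shell
#!/bin/sh
# Renewal helper for the standalone setup above (example, not the client's own code).
# Let's Encrypt certs last 90 days; the standalone authenticator needs the ports
# nginx is bound to, so nginx is stopped for the reissue and started again after.
set -eu

DOMAIN="${DOMAIN:-xan-manning.co.uk}"                        # assumption: domain from the post
LIVE_DIR="/etc/letsencrypt/live/${DOMAIN}"                   # where the post's certs live
LETSENCRYPT_AUTO="${LETSENCRYPT_AUTO:-./letsencrypt-auto}"   # assumption: the git checkout
RENEW_WITHIN_DAYS=30

# Return 0 if the certificate in $1 is missing or expires within $2 days, else 1.
cert_needs_renewal() {
    pem="$1"
    days="$2"
    [ -f "$pem" ] || return 0
    # openssl exits non-zero from -checkend when the cert expires within N seconds
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

renew_standalone() {
    # Stop nginx so the standalone authenticator can bind ports 80/443, and make
    # sure nginx comes back up even if the reissue fails.
    service nginx stop
    trap 'service nginx start' EXIT
    "$LETSENCRYPT_AUTO" --standalone certonly -d "$DOMAIN"
    # Same config test as in the post before nginx is started again by the trap
    nginx -t -c /etc/nginx/nginx.conf
}

main() {
    if cert_needs_renewal "${LIVE_DIR}/fullchain.pem" "$RENEW_WITHIN_DAYS"; then
        echo "certificate for ${DOMAIN} expires within ${RENEW_WITHIN_DAYS} days, renewing"
        renew_standalone
    else
        echo "certificate for ${DOMAIN} is still valid, nothing to do"
    fi
}

# Only renew when run as the script itself, not when sourced for its functions.
case "${0##*/}" in
    renew-letsencrypt.sh) main ;;
esac
```

Save it as renew-letsencrypt.sh and run it from cron once a day; it only touches nginx when the certificate is actually close to expiry.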
Congrats, you have a free SSL certificate!