Let's Encrypt Beta Cert on Nginx
I have been excited about ‘Let’s Encrypt’ since it was first announced. A free, automated, and open Certificate Authority will take the Internet to the next level.
I am a huge “HTTPS Everywhere” proponent. Back in the early 2000s, when I was a webmaster for a bank, they required that anything sent through the website be encrypted. Of course the Online Banking system was fully SSL encrypted, but this requirement was related to the main informational WWW site. The users would browse the site with HTTP, but then the link to Contact Us form went through HTTPS, and after it was switched back to HTTP.
This was a pain as I had to link to the full url of the HTTPS site. This caused a bit of pain while testing, as you would hop over to the production site from the test site. Anyways long story short, from that moment on I said “Just make it all HTTPS”, redirect all HTTP links to HTTPS for the entire site. I got pushback because it was “slower” but a few years later other major banks starting doing this so I had precedent to make it the way I wanted.
Spending a few years in the Information Security area of that same bank showed me the horrors that float around the Internet every second of every day. This nailed it for me that nothing should be transmitted in the clear, especially passwords. Check your Email, someone snooped it and now has your password. Login to an FTP site, now someone has your password again. Most people use the same password for lots of things, now some bad guy can login to your bank account and many other sites.
Slowly measures have been improving. Multi-factor authentication, out of band access notifications, encryption on FTP and Email, password managers that can generate long random passwords are a huge help.
But one of the huge barriers has been the cost of SSL/TLS Certificates. A business can absorb the cost, but someone like me who runs a small server, it is a pain point. I did do some self-signed certificates for a while, but then paid for a real trusted certificate. But the cost of $100+ per year is just crazy.
I have been following Let’s Encrypt closely. In Nov 2015 I requested my main domain G25.org be added to the closed beta. To my surprise a day later I was accepted. Now I just needed to figure out how to set it up.
I use Nginx as my webserver, I also want to use the same certificate on my SMTP and IMAP servers. Let’s Encrypt is now quickly moving to Open Beta and to full general availability so depending on when you read this and if I have updated it, things might be different. Let me walk you through what I did to get https://g25.org/ working with Let’s Encrypt.
I found their Beta signup form almost by accident. It is buried in some blog post. I am not going to put the link here as I am sure it be obsolete very soon. I sent them my domain “g25.org” and my email.
Receive Invite Email
I received an email from Let’s Encrypt telling my g25.org and www.g25.org have been whitelisted, and will issue a cert when requested thru the client program.
The most confusing part was where to install it. I am to clone the GitHub repo, which is easy for me since I use those tools daily. But where to? Do I just do it into my home directory? One of the things I dislike about Linux, there is no real “Program Files” or “Applications” area, people just stick things wherever. I figure I could do /opt or something like that.
Login through ssh as my regular user, then su to root. I tried running under sudo and as my regular user and it was acting weird, so doing all this as root seems to be best.
This all installed the client, launched apt-get and installed some needed packages. Now let’s do the deed.
Like I mentioned before I am using Nginx, and it seems Let’s Encrypt can automagically setup SSL for all your sites. But as of Nov 2015 the nginx plugin is experimental, plus I would rather just do some manual updates this early on in the game.
The client somehow binds to port 80 to receive the certificate. I guess this is not an issue with the supported plugins or the automatic methods, but this standalone is the route I went so I needed to stop my webserver, which of course took down all my sites. Meh, no different then a reboot, so I did this in an “off” time aka early morning.
service nginx stop
A dialog came up asked for my email and to agree to the Beta.
It then did the cert creation. It told me where it was stored and when it would expire.
I then started the webserver again.
service nginx start
I modified my /etc/nginx/sites-available/g25.org file and changed out the cert and key file.
Note, nginx needs the full chain in a single file, and not just the cert file for the site.
service nginx reload
Checked the site and there it was.