Install "Let’s Encrypt" with NGINX and Phusion Passenger
We all need more SSL! But installing SSL certificates is a big PITA. Let’s Encrypt is a new certificate authority (CA) offering free and automated SSL/TLS certificates.
Certificates issued by Let’s Encrypt are trusted by most browsers in production today (including even some filthy ones like the Internet Explorer on Windows Vista).
Installing “Let’s Encrypt” is fairly easy:
bash$ apt-get update
$ apt-get install -y git
$ git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
$ cd /opt/letsencrypt
$ ./letsencrypt-autoPreparing for Domain Validation
“Let’s Encrypt” validates the domain by requesting a public file from your server. To add that file you need to adapt your nginx.conf:
bashserver {
listen 80 default_server;
server_name 9elements.com www.9elements.com;
location /.well-known/acme-challenge {
root /home/9elements/letsencrypt;
}
...
}and then restart your NGINX.
Generate the certificates
bashcd /opt/letsencrypt/
./letsencrypt-auto certonly -a webroot --webroot-path=/home/9elements/letsencrypt -d 9elements.com -d www.9elements.comthis should output something like this:
bashChecking for new version...
Requesting root privileges to run letsencrypt...
/root/.local/share/letsencrypt/bin/letsencrypt certonly -a webroot --webroot-path=/home/9elements/letsencrypt -d 9elements.com -d www.9elements.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/9elements.com/fullchain.pem. Your cert will
expire on 2016-07-13. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-leIf it doesn’t try to put a file inside the “.well-known” directory and try to get.
bashmkdir /home/9elements/letsencrypt/.well-known/acme-challenge
$ echo "bar" > /home/9elements/letsencrypt/.well-known/acme-challenge/foo.txt
$ curl http://9elements.com/.well-known/acme-challenge/foo.txtFinally you should have the certificate and the corresponding private key in your /etc/letsencrypt/live/9elements.com/ directory.
Configuring NGINX to use the certificates
Now configure your NGINX server:
bashserver {
listen 443 ssl;
server_name 9elements.com;
ssl_certificate /etc/letsencrypt/live/9elements.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/9elements.com/privkey.pem;
}and then restart your NGINX.
Testing
This command is OSX only but it helps to test various SSL diagnostics
nscurl --ats-diagnostics --verbose https://9elements.comAll results should PASS.
Automatic renewal
Let’s Encrypt certificates are only valid for 90 days. This is why we create the following script in /opt/letsencrypt/renew-letsencrypt.sh to renew them automatically and restart NGINX:
bash#!/bin/sh
cd /opt/letsencrypt/
./letsencrypt-auto renew
if [ $? -ne 0 ]
then
ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
echo -e "The Let's Encrypt cert has not been renewed! \n \n" \
$ERRORLOG
else
nginx -s reload
fi
exit 0Create /var/log/letsencrypt/ if it doesn’t exist. And run crontab -e to run the script every two month:
0 0 1 JAN,MAR,MAY,JUL,SEP,NOV * /opt/letsencrypt/renew-letsencrypt.shFinal thoughts
Working with Let’s Encrypt was pretty straightforward. In the beginning we were afraid that it won’t work directly with Phusion Passenger (e.g. where to put the .well-known directory) but actually that part was a breeze. All we have to say is “Let’s Encrypt”…
One drop of bitterness: Wildcard certificates are currently not supported - but we’ll stay tuned.
PS: 9elements is a worldwide recognized software development consultancy. We work with techologies like React, Elixir and Ruby on Rails. If you like to play with new technologies: We’re hiring! If you just want to listen follow us on Twitter or like us on Facebook.
