Let's Encrypt! - Part 2


In the last post we covered how to install Let's Encrypt, and how to obtain your certificate. We're going to finish up this tutorial now by going over how to configure your SSL/TLS on Nginx and how to set up auto-renewal for Let's Encrypt!


Configuring SSL/TLS on Nginx

Now that we have our certificate, we need to configure our web server to actually use it! On Nginx we need to edit the configuration file that contains our server block. By default this is /etc/nginx/sites-available/default.

sudo nano /etc/nginx/sites-available/default

Find the server block, and delete the lines that configure which port it listens on. By default, these are the two lines you will delete:

listen 80 default_server;
listen [::]:80 default_server ipv6only=on;

We are going to set our server to listen on port 443, with SSL. So in our server block, where we just deleted the above code, we will write:

listen 443 ssl;

server_name example.com www.example.com;

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Please don't forget to change example.com to your own domain!

If you used the Diffie-Hellman group I talked about earlier, then you will need to add a few more lines to your config:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;

Now all that's left to do, regardless of whether you used a DH group, is to add another server block to redirect HTTP requests to HTTPS:

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

Once again, please don't forget to update example.com with your domain!

Now we can save the file and reload Nginx so that it picks up the updated config:

sudo service nginx reload

Now all you need to do is test that it works by connecting to your site via https!
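For reference, here are the pieces above assembled into one complete file, written as an added example rather than taken from the original post. It keeps the post's placeholders (example.com, the /etc/letsencrypt/live paths, the dhparam file and the HSTS header) and shows the post's ssl_protocols line next to a tightened one that drops TLS 1.0 and 1.1, which no modern browser needs and which are disabled in current TLS guidance. The chain.pem file is produced by the same client alongside fullchain.pem; the resolver address, the IPv6 listeners and the site root are assumptions to adjust for your host.

```nginx
# Added example (not from the original post): both server blocks in one file.
# Domain and certificate paths are the post's own placeholders; replace example.com.

# Plain HTTP: redirect everything to HTTPS (same as the post's redirect block).
server {
    listen 80;
    listen [::]:80;          # assumption: IPv6 is enabled on this host
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;     # assumption: IPv6 is enabled on this host
    server_name example.com www.example.com;

    # fullchain.pem = leaf certificate + intermediate, so clients can build the chain.
    # privkey.pem must stay readable by root only.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Weak (as in the post):   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Hardened: TLS 1.2 and 1.3 only (TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+;
    # on older builds keep just TLSv1.2).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Forward-secret AEAD suites only; no 3DES, RC4 or MD5.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5:!RC4:!3DES';

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;   # tickets reuse one key across sessions; cache only instead

    # OCSP stapling: chain.pem (written next to fullchain.pem) lets nginx verify the
    # stapled response; a resolver is required to fetch it.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 127.0.0.1 valid=300s;   # assumption: a local caching resolver

    # "always" sends the header on error responses too (nginx 1.7.5+).
    add_header Strict-Transport-Security "max-age=15768000" always;

    root /var/www/html;      # assumption: site root
    index index.html;
}
```

Run `sudo nginx -t` before the reload: it parses the file and confirms the certificate and key files are readable and match, so a typo or a wrong path shows up as an error on the terminal instead of a reload that quietly keeps serving the old configuration.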


Setting up auto-renewal for certificates

Let's Encrypt certificates are valid for 90 days, and there are plans to add an auto-renewal option to Let's Encrypt, but right now it doesn't exist!
To trigger the renewal process for your live domains, you must run the command below:

/opt/letsencrypt/letsencrypt-auto renew

Running this straight after getting your certificate will just give you a message saying that your certificates aren't due for renewal yet.

You can only renew your certificate in the 30 days leading up to its expiry, not before. So let's make a crontab entry that will run our renewal script every week.

To edit the crontab to create new jobs, run the following command:

sudo crontab -e

Now we need to add the actual job:

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload

This creates a cron job that runs /opt/letsencrypt/letsencrypt-auto renew every Monday at 2:30am, and then reloads Nginx at 2:35am. The output from the renewal is appended to a log file located, in the example, at /var/log/le-renew.log.
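The two cron lines above rely on a fixed five-minute gap and reload Nginx even when the renewal failed or the config no longer parses. The wrapper below is an added example, not part of the original post: it runs the renewal, then reloads Nginx only after `nginx -t` succeeds, and returns a non-zero exit code on any failure so cron's mail (or a monitoring check) can flag it. The paths are the post's own; the script name le-renew.sh, the nginx binary location and the environment overrides are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): cron wrapper for weekly renewal.
# Assumptions: paths below match the post; override via the environment for
# other layouts or for testing (e.g. LOG=/tmp/x NGINX_BIN=true).
LE_BIN="${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}"
NGINX_BIN="${NGINX_BIN:-/usr/sbin/nginx}"
RELOAD_CMD="${RELOAD_CMD:-/etc/init.d/nginx reload}"
LOG="${LOG:-/var/log/le-renew.log}"

# Append one timestamped line to the log file.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# Run the renewal; its output goes to the log and its exit status is returned.
run_renew() {
    log "starting renewal"
    "$LE_BIN" renew >> "$LOG" 2>&1
}

# Reload Nginx only after `nginx -t` passes. Nginx refuses a reload against a
# broken config anyway, but it does so quietly and keeps serving the old
# certificate; testing first records an explicit error in the log instead.
reload_if_valid() {
    if "$NGINX_BIN" -t >> "$LOG" 2>&1; then
        log "config ok, reloading nginx"
        $RELOAD_CMD >> "$LOG" 2>&1
    else
        log "nginx config test failed; reload skipped"
        return 1
    fi
}

# Full cron run: renew, then reload. Non-zero if either step failed.
renew_and_reload() {
    if run_renew; then
        reload_if_valid
    else
        log "renewal command failed; reload skipped"
        return 1
    fi
}

# Only run when invoked as the installed script; sourcing the file just
# defines the functions.
case "${0##*/}" in
    le-renew.sh) renew_and_reload ;;
esac
```

Installed as /usr/local/sbin/le-renew.sh (an assumed location), the two cron lines collapse into one, `30 2 * * 1 /usr/local/sbin/le-renew.sh`, and the reload happens right after a successful renewal rather than at a guessed time.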

That's all! You now have your SSL/TLS certificate, it's installed on your domain(s) and it's in use. Not to mention you don't need to worry about it expiring!


I'll be back with another blog post soon, I'm feeling like I should get around to finishing those Japan posts.