If you have read many articles on privacy tips, you will surely come across a tip that asks you to install the “HTTPS everywhere” extension so that it will automatically redirect you to the HTTPS version of the website whenever possible. The bad thing is the HTTPS everywhere extension works only when the website you are visiting has implemented SSL, and for most webmasters, that can be a difficult (and costly) task by itself. Luckily, with the Let’s Encrypt movement, it is easier for webmasters to add SSL certificates to their sites now.
In the past (and currently), setting up an SSL certificate requires you to first generate a private key on your server, then buy an SSL certificate from the Certificate Authority (which can be expensive), and lastly, set it up in the server. There is a lot of technicality involved in the process, and not doing it correctly will render the SSL certificate useless. With the Let’s Encrypt project, one can quickly add an SSL certificate to their sites without any cost. And being backed by big industry players like Mozilla, Akamai, Cisco, EFFIf you and Google, it is supported by most browsers and operating systems.
In this tutorial we will go through the steps to set up the Let’s Encrypt SSL certificate in the Nginx server. We are using a Ubuntu 14.04 server for this tutorial and assume your are using a working Nginx Ubuntu server. The instruction might differ for Ubuntu 16.04 server.
Install Let’s Encrypt
First, to install Let’s Encrypt, you will need
git to clone it from its git repository. Install git with the following command:
Once installed, clone the Let’s Encrypt’s repository:
Setting up the environment
Before we proceed to install and set up the SSL certificate, it is important to allow access to the
.well-known folder in the web root directory. By default, all files and folders with a “.” in front of the filename are hidden and not accessible to the public. However, in this case we will need to provide permission for the public to access the
.well-known folder, as this is where Let’s Encrypt will store a special file for validation.
Proceed to your Nginx site configuration folder and open it (if you have a custom configuration file for your site) or use the default:
Add the following lines in the server block:
Save (Ctrl + O) and close (Ctrl + x) the configuration file.
Test your Nginx configuration:
If all configuration works fine, reload the configuration:
Generate an SSL Certificate
Now that you are done with the Nginx configuration, the next thing is to install the SSL certificate.
Go to the Let’s Encrypt folder:
Run the following command to generate the certificate:
There are a few things to change here:
- Change the
webroot-pathto your site’s document root path. The default is “/user/share/nginx/html,” but your configuration might differ.
- Change “example.com” to your own domain name. Do note that “example.com” and “www.example.com” are two different domains. If you want the certificate to support multiple domains, simply add
-d example1.comto the end of the command. For example, to set up an SSL certificate for the domains “example.com”, “www.example.com”, “example1.com” and “www.example1.com,” use the following command:
On the first run the script will install a bunch of Python files in your system. Once it is done, it will begin the certificate generation process. First it will ask for your email address:
After that you will be prompted to read the Terms of Service over at the Let’s Encrypt website. Select “Agree.”
If you see the following message:
That means you have successfully generated an SSL certificate for your site(s). If instead you see an error message, then fix the error and retry again.
Activating the SSL certificate for your site
Now that you have generated the SSL certificate, it is time to activate it for your site.
Return to the Nginx configuration folder and open the site’s configuration file:
cd /etc/nginx/sites-available sudo nano default
Create a new server block and add the following configuration inside the block:
Save and close the file.
Note: the above is a simplified version of the Nginx configuration block. You should add in your own custom configuration into the block.
Lastly, test the configuration:
If everything is fine, reload Nginx:
That’s it. You have successfully set up an SSL certificate for your sites. You can now load the “https” version of your URL to see it in action.
Auto-Renewing a Let’s Encrypt SSL Certificate
Unlike most commercial SSL certificates that are valid for a minimum of one year, a Let’s Encrypt’s SSL certificate is only valid for three months. After this time you will have to renew to continue using it. Let’s Encrypt comes with a
renew option so you can easily renew your certificates without going through the whole installation again. The following instructions show you how to set up a cron job to auto-renew your SSL certificate.
Still in your server, open the crontab:
Add the following lines:
The above lines will check the expiry date of your SSL certificates every Monday at 12am and renew them if it is close to expiry. It will also reload Nginx (at 12.05am) to ensure the renewed certificate is in use.
Save and close the crontab.
If you are running a small website and are keen on adding SSL to your site, Let’s Encrypt is a great option to add credibility to your site. It is (relatively) easy to set up and costs nothing (free, as in beer), so there is no reason not to make use of it. However, since it only provides a Domain-Validated (DV) certificate (the most basic kind of SSL certificate) for those companies that requires Organization-Validated (OV) or Extended-Validation (EV) SSL certificates, a commercial SSL certificate is probably the way to go.