January 2, 2016 · website

Let's Encrypt!

This is out of date: certbot can install on nginx automatically and will handle cert renewals.

Since my readership is practically zero, I doubt anyone has noticed, but this site now runs with a brand spanking new cert from Let's Encrypt! If you're running Apache, the process to get this set up is automated and just takes a few commands.

However, if you're running nginx like myself, then you're going to have to work a little.

Installing Let's Encrypt follows its documentation as written, though when you go to obtain a cert you will need to use the ./letsencrypt-auto certonly --standalone command in order to configure and download the cert files. Do not forget to list both your non-www domain and www domain, i.e., joshruppe.com and www.joshruppe.com.

After you have the files, make note of the directory they are placed in (/etc/letsencrypt/live/domain.com/). Now you need to edit the nginx configuration file under /etc/nginx/sites-available/. If you have more than one configuration there, you can tell which is active by looking in /etc/nginx/sites-enabled/; the symlink there points to the active config.

Open that file and comment out the below:

listen 80 default_server;
listen [::]:80 default_server ipv6only=on;

and add this:

listen 443 ssl;
server_name domain.com www.domain.com;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

In the same file, outside of the original server block, add the below to redirect port 80 traffic to your new HTTPS-enabled site:

server {
    listen 80;
    # list both names so the redirect matches the HTTPS server block
    server_name domain.com www.domain.com;
    return 301 https://$host$request_uri;
}

Once that is finished, simply run service nginx restart and you should see an awesome https:// in front of your domain. Keep in mind you will need to renew your Let's Encrypt cert every 90 days. You can easily create a cron job to take care of this, though.
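
One way to write that cron job for the standalone setup described above, as an added example that is not from the original post. The client install path, the 30-day threshold, the script name in the cron line and the stop/start of nginx around the client (the standalone mode listens on the web ports itself) are assumptions; domain.com is the same placeholder used above.

```shell
#!/bin/sh
# Added example: renew the cert only when it is close to expiry.
# Assumed cron entry (hypothetical script path), run nightly as root:
#   0 3 * * * /usr/local/sbin/le-renew.sh run

CERT="${CERT:-/etc/letsencrypt/live/domain.com/fullchain.pem}"
RENEW_DAYS="${RENEW_DAYS:-30}"   # assumed threshold: renew with < 30 days left
LE_AUTO="${LE_AUTO:-/opt/letsencrypt/letsencrypt-auto}"   # assumed install path

# Returns 0 (renewal due) if the cert is missing, unreadable, unparsable,
# or expires within $2 days; returns 1 if it stays valid past that window.
renewal_due() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 0
    # -checkend exits 0 when the cert is still valid N seconds from now
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" \
        >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

renew() {
    # --standalone binds the web ports itself, so nginx has to release them
    service nginx stop
    "$LE_AUTO" certonly --standalone --renew-by-default \
        -d domain.com -d www.domain.com
    status=$?
    service nginx start   # bring the site back even if the renewal failed
    return "$status"
}

# Cron passes "run"; without it the script only defines the functions.
if [ "${1:-}" = "run" ]; then
    if renewal_due "$CERT" "$RENEW_DAYS"; then
        renew
    fi
fi
```

Because the check treats a missing or unparsable certificate as due, a broken file triggers a renewal attempt rather than being silently skipped.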