
Successfully setting up SSL from LetsEncrypt on my Ghost blog hosted on Ubuntu 15.04 served via NGINX

LetsEncrypt entered Public Beta yesterday and is issuing HTTPS certificates for free. This is a huge thing for the internet for all reasons you could imagine.

The documentation, although good, is still nascent. For novices like me, getting LetsEncrypt working for apps hosted on NGINX seemed quite a challenge.

After going through some well written posts (see the Resources section below), I was finally able to set up SSL on my Ghost blog served via NGINX.

FWIW, these steps worked for me!

Install Let's Encrypt

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

Obtain the certificate from Let's Encrypt

First, temporarily stop NGINX

sudo service nginx stop

This was the tough part! NGINX isn't set up "out-of-the-box" yet, as stated in the docs.

The manual way to obtain the certificate (and its private key) is to run:

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth

You will be greeted with a simple, neat blue screen with clear instructions to follow. After following the instructions and entering the needed details, I was presented with this success message! :-)

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to [email protected].
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/santoshsrinivas.com/fullchain.pem. Your cert
   will expire on 2016-03-03. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Setup NGINX to use the certificates

My NGINX config file is as follows.

# redirect server block: send all plain-HTTP requests to the HTTPS www host
server {
    listen [::]:80;
    listen 80;
    server_name santoshsrinivas.com www.santoshsrinivas.com;
    return 301 https://www.santoshsrinivas.com$request_uri;
}
# HTTPS server block: terminates TLS and proxies to Ghost on localhost:1407
server {
    server_name www.santoshsrinivas.com; # Replace with your domain
    access_log /var/log/nginx/www_ss.log;
    # spdy was current for the nginx of the day; nginx 1.9.5 and later replaced it with http2
    listen [::]:443 ssl spdy;
    listen 443 ssl spdy;
    server_name santoshsrinivas.com; # merges with the server_name above, so both names are served here
    ssl_certificate /etc/letsencrypt/live/santoshsrinivas.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/santoshsrinivas.com/privkey.pem;
    include h5bp/directive-only/ssl.conf;
    include h5bp/directive-only/ssl-stapling.conf;
    include h5bp/directive-only/spdy.conf;
    location / {
        proxy_pass http://localhost:1407;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}

The h5bp config files can be obtained from h5bp/server-configs-nginx.

Test and Restart NGINX

sudo nginx -t
sudo service nginx restart

You can check your Nginx SSL configuration from SSL Server Test (Powered by Qualys SSL Labs)

That's it! My blog is running on HTTPS.

The current certificate is valid only for three months. I am sure Let's Encrypt will provide more direction on auto-updating the certificates for NGINX by then! :-)

Renewing the certificate

This can (and should) be automated using a cron job, but this command sequence works for now. (Note: modify the path below to match your letsencrypt installation directory.)

sudo service nginx stop
sudo ~/.local/share/letsencrypt/bin/letsencrypt renew
sudo service nginx restart

UPDATE

LetsEncrypt seems to have updated its software. The following works for me for renewals:

sudo certbot --nginx certonly
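The renewal sequence above (stop NGINX, renew, restart NGINX) is what a cron job should run, but only when the certificate is actually close to expiry. The script below is an added example, not part of the original post or of the Let's Encrypt client: it reads the expiry date with `openssl x509 -enddate`, computes the days left, and runs the post's stop/renew/restart steps only when fewer than a threshold number of days remain. The certificate path is the one from the post; the 30-day threshold and the `LETSENCRYPT_BIN` install path are assumptions (the post uses `~/.local/share/letsencrypt/bin/letsencrypt`, which resolves differently under a root cron job, so set it explicitly).

```python
#!/usr/bin/env python3
"""Added example: renew the Let's Encrypt certificate from cron only when it is
close to expiry, using the stop / renew / restart sequence from the post."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Certificate path from the post.
CERT_PATH = "/etc/letsencrypt/live/santoshsrinivas.com/fullchain.pem"
# Placeholder: the post's client lives under ~/.local/share/letsencrypt of the
# user who ran letsencrypt-auto; spell the full path out for cron.
LETSENCRYPT_BIN = "/home/YOUR_USER/.local/share/letsencrypt/bin/letsencrypt"
# Let's Encrypt certificates are valid for 90 days; renewing with 30 days left
# is an assumed threshold, not something the post states.
RENEW_THRESHOLD_DAYS = 30
RENEW_SEQUENCE = [
    ["service", "nginx", "stop"],
    [LETSENCRYPT_BIN, "renew"],
    ["service", "nginx", "restart"],
]


def parse_not_after(line: str) -> datetime:
    """Parse the 'notAfter=Mar  3 23:59:59 2016 GMT' line printed by
    `openssl x509 -noout -enddate` into a UTC datetime."""
    _, _, value = line.strip().partition("=")
    if not value:
        raise ValueError(f"unexpected openssl output: {line!r}")
    # strptime treats the single spaces in the format as "one or more", so the
    # double space openssl prints before a one-digit day is accepted.
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after: datetime, now: datetime) -> int:
    """Whole days left before expiry; negative once the certificate has expired."""
    return (not_after - now) // timedelta(days=1)


def should_renew(days_left: int, threshold: int = RENEW_THRESHOLD_DAYS) -> bool:
    """Renew when the remaining lifetime is at or below the threshold."""
    return days_left <= threshold


def cert_not_after(path: str = CERT_PATH) -> datetime:
    """Ask openssl for the expiry of the first certificate in the PEM file."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        check=True, capture_output=True, text=True,
    )
    return parse_not_after(result.stdout)


def renew(sequence=RENEW_SEQUENCE) -> None:
    """Run the post's stop / renew / restart steps. If the renewal itself
    fails, nginx is still restarted so the site does not stay down."""
    stop, do_renew, restart = sequence
    subprocess.run(stop, check=True)
    try:
        subprocess.run(do_renew, check=True)
    finally:
        subprocess.run(restart, check=True)


def main(argv) -> int:
    days = days_remaining(cert_not_after(), datetime.now(timezone.utc))
    print(f"certificate expires in {days} days")
    if not should_renew(days):
        return 0
    if "--renew" not in argv:
        print("renewal due; re-run with --renew to execute the stop/renew/restart sequence")
        return 1
    renew()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as root once a day from cron (for example `0 3 * * * /usr/local/sbin/check_renew.py --renew`, an assumed path); on the days the certificate is not due it exits without touching NGINX, so the site is only briefly down in the renewal window rather than every night. With the newer `certbot --nginx` command from the update, the stop and restart steps are unnecessary and `RENEW_SEQUENCE` can be reduced to the single certbot call.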

Resources