Using Let’s Encrypt to SSLify a site in 10 minutes for free

Author: Stuart Maynes

It’s pretty much a given now that SSL is the future. The internet needs secure communication.

Until now, SSL certificates have been expensive and cumbersome to acquire. You can easily put down upwards of £100 on a domain validated SSL certificate. £100! But that’s been the price of security and a price most businesses are happy to pay for the sake of keeping their customers safe. Good for them! Unscrupulous companies have been attempting to exploit this market for years with offers of higher ‘warranties’ which nobody has ever claimed on in the history of the internet.[citation needed]

Let’s Encrypt is hugely lowering the financial and technical barriers to entry. Imagine the ability to generate and use domain validated SSL with one command (sometimes) and for zero pounds and zero pence. That’s the future that they’re promising and it’s already here!

Ready to see how easy it is to secure an nginx site?

Step 1: Download the lets-encrypt package.
$ git clone https://github.com/letsencrypt/letsencrypt
Step 2: Run
$ ./letsencrypt-auto certonly -a manual --rsa-key-size 4096

Step 3: Fill in the required information

Step 4: Edit your nginx config to use SSL and redirect non-SSL to SSL

Beware, this nginx config enables HSTS which you may or may not want. It also uses a cipher suite not compatible with some older browsers. It will score at least an A on the SSL Audit though. (A+ appears to be reserved for using a custom DiffieHellman params file which takes over an hour to generate on my VM.)

Step 5: Restart nginx.

You’re done.

Screen Shot 2016-03-01 at 15.30.38

It really is as simple as that and it didn’t cost a penny. Better yet, if you use Apache then it’ll configure the server for you!

Watch out though!

Let’s Encrypt certificates have a relatively short validity (only a few months) so you need to renew them more often than you normally would. Renewing is pretty simple, just run the letsencrypt-auto binary with the ‘renew’ argument and you’re all set.