I have no problem admitting that I always find SSL, certificates and all of that confusing, and Let's Encrypt is no exception. With Let's Encrypt, however, all you apparently need to do is download their client and run one command to get a couple of certificate files. No websites or forms to fill in, no .csr file to create by hand (the client generates the key and the certificate signing request itself). How hard can it be? After skimming some documentation and other blog posts I dug in. It turned out to be quite doable.
To install it, I ran (as root, from /root):

    # pwd
    /root
    # git clone https://github.com/letsencrypt/letsencrypt
    # cd letsencrypt
    # pip install cryptography
    # ./letsencrypt-auto

The manual pip install cryptography step was only needed because the dependency installer that ./letsencrypt-auto runs on first use failed the first time; running ./letsencrypt-auto again afterwards completed the setup.
Now it should be installed. To create the cert with the standalone authenticator you have to temporarily stop Nginx, because the client starts its own little web server on the ports Nginx is listening on to answer the domain-validation challenge. So I had to be quick, since I didn't want the site to be down for long:

    # /etc/init.d/nginx stop
    # ./letsencrypt-auto certonly --standalone -d autocompeter.com
    # /etc/init.d/nginx start

(The downtime is avoidable with the --webroot authenticator, which answers the challenge from a directory the running web server already serves, at the cost of a little more configuration.)

The first time I ran this I got:

    Error: urn:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: JWS has invalid anti-replay nonce

which, according to this discussion, is a transient error that you get past by simply trying again. The ACME server hands out a fresh nonce with each response and rejects a request that reuses a stale one; a retry picks up a new nonce. I tried again and the second time it worked. Now I have 4 new files, which are symlinks to the current versions in the archive directory:

    # ls -l /etc/letsencrypt/live/autocompeter.com/
    total 0
    lrwxrwxrwx 1 root root 32 Jan 25 08:04 cert.pem -> ../../archive/autocompeter.com/cert1.pem
    lrwxrwxrwx 1 root root 33 Jan 25 08:04 chain.pem -> ../../archive/autocompeter.com/chain1.pem
    lrwxrwxrwx 1 root root 37 Jan 25 08:04 fullchain.pem -> ../../archive/autocompeter.com/fullchain1.pem
    lrwxrwxrwx 1 root root 35 Jan 25 08:04 privkey.pem -> ../../archive/autocompeter.com/privkey1.pem

The symlinks matter: when the cert is renewed, the archive gets cert2.pem and friends and the symlinks are repointed, so the paths under live/ are the ones to reference from the web server config.
Now add these lines to the Nginx server block for that site:

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/autocompeter.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/autocompeter.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;

Two details worth getting right. Use fullchain.pem (leaf certificate plus the Let's Encrypt intermediate) rather than cert.pem, otherwise clients that don't already have the intermediate cached fail to build the chain and show a certificate error. And listen 443 ssl; is the current spelling; the older pair listen 443; ssl on; still works on older releases but the ssl directive was deprecated in nginx 1.15.0. The private key under live/ is readable only by root, which is fine because Nginx's master process (running as root) is the one that reads it at startup.
The new cert I just created is valid for 90 days, and Let's Encrypt recommends renewing after about 60 days, so roughly every 2 months. I created an entry in my calendar with an alert. I think I just need to run the same thing again:

    # /etc/init.d/nginx stop
    # ./letsencrypt-auto certonly --standalone -d autocompeter.com
    # /etc/init.d/nginx start
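The calendar alert works, but the three-command renewal above is also easy to turn into a small script that only renews when the certificate is actually getting close to expiry, retries on the transient badNonce error seen earlier, and always starts Nginx again even if issuance fails. The following is an added example, not code from the original post or from the Let's Encrypt project. It assumes the checkout lives in /root/letsencrypt and the domain and init script from the post; the 30-day renewal window, the retry count and the two subcommand names (check, renew) are this script's own choices.

```sh
#!/bin/sh
# Added example: renewal wrapper around the standalone Let's Encrypt flow.
# Assumptions (not from the original post): LE checkout path, 30-day window,
# 3 attempts, and the `check` / `renew` subcommands are this script's own.
set -eu

DOMAIN="${DOMAIN:-autocompeter.com}"
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"
LE_BIN="${LE_BIN:-/root/letsencrypt/letsencrypt-auto}"
RENEW_WITHIN_DAYS=30

# needs_renewal CERT DAYS -> exit 0 when CERT expires within DAYS days.
# `openssl x509 -checkend N` exits 0 while the cert is still valid N seconds
# from now, so the result is inverted. An unreadable or missing cert also
# counts as "needs renewal" so that a broken setup is never silently skipped.
needs_renewal() {
    cert="$1"; days="$2"
    secs=$((days * 86400))
    if openssl x509 -noout -checkend "$secs" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# run_with_retry ATTEMPTS CMD... -> run CMD, retrying only when its output
# contains the transient ACME badNonce error. Any other failure is reported
# once and propagated, so e.g. an authorization failure is not hammered.
run_with_retry() {
    attempts="$1"; shift
    n=1
    while :; do
        if out=$("$@" 2>&1); then
            printf '%s\n' "$out"
            return 0
        fi
        if [ "$n" -ge "$attempts" ] || ! printf '%s' "$out" | grep -q 'badNonce'; then
            printf '%s\n' "$out" >&2
            return 1
        fi
        n=$((n + 1))
        sleep 1
    done
}

# The standalone authenticator must bind the ports Nginx listens on, hence
# the stop. The EXIT trap starts Nginx again even if issuance fails.
renew_standalone() {
    /etc/init.d/nginx stop
    trap '/etc/init.d/nginx start' EXIT
    run_with_retry 3 "$LE_BIN" certonly --standalone -d "$DOMAIN"
}

case "${1:-}" in
    check)
        if needs_renewal "$LIVE_DIR/fullchain.pem" "$RENEW_WITHIN_DAYS"; then
            echo "$DOMAIN: expires within $RENEW_WITHIN_DAYS days, renewal needed"
        else
            echo "$DOMAIN: certificate still good for more than $RENEW_WITHIN_DAYS days"
        fi
        ;;
    renew)
        if needs_renewal "$LIVE_DIR/fullchain.pem" "$RENEW_WITHIN_DAYS"; then
            renew_standalone
        fi
        ;;
esac
```

Run it as `./renew.sh check` to see whether the cert is inside the renewal window, and `./renew.sh renew` (from cron, for example weekly) to renew only when it is. Because the script only renews near expiry, running it often is harmless, which is the behaviour you want from anything that has to stop the web server.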