Stuart Breckenridge

Let's Encrypt

When I was setting up this version of my website back in June, I decided that it needed to support HTTPS. I purchased a Thawte SSL 123 certificate through Namecheap, completed the certificate signing request formalities, uploaded the files to my server, and then configured nginx to serve the website through HTTPS (my config file is at the bottom of this post).

Around a month ago, I was alerted to Let’s Encrypt. In their own words, Let’s Encrypt is a free, automated, and open Certificate Authority. The fact that it was free was good, but what caught my eye was that it was automated. I immediately signed up to the limited beta and began testing. Below are the steps that I followed:

Logged on to my server, then:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --agree-dev-preview --server \https://acme-v01.api.letsencrypt.org/directory certonly

Finally, I made changes to the nginx default config file, specifically to the ssl_certificate and ssl_certificate_key items to point to the new Let’s Encrypt files.

That’s it. All in, it took about five minutes and as you can see the site is fully trusted with no errors.

Let’s Encrypt goes into public beta in early December. If you want to add HTTPS to your site, I’d highly recommend using their certificates.

server {
        listen 80;
        server_name www.yourdomain.com;
        root /usr/share/nginx/html/current;
        index index.html;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443;
        server_name www.yourdomain.com;
        root /usr/share/nginx/html/current;
        index index.html;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/www.yourdomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.yourdomain.com/privkey.pem;

         # enable session resumption to improve https performance
  # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 5m;

  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # enables server-side protection from BEAST attacks
  # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
  ssl_prefer_server_ciphers on;
  # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # ciphers chosen for forward secrecy and compatibility
  # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA$

  # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
  # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
}