rmed.blog

Let's Encrypt public beta

06 Dec 2015

Now that Let's Encrypt is in public beta, I thought I'd revisit my previous post with some additional details.

Updating

First, I'm going to update the tools that I installed when I first set this up (in my local machine). The lets-encrypt tool pretty much performs the necessary changes automatically, so I'll be using that:

cd /opt
git clone https://github.com/letsencrypt/letsencrypt && cd ./letsencrypt
./letsencrypt-auto

The tool updates the virtual environment and dependencies that were installed the first time (it may ask for superuser password for obtaining packages from your distro's repositories).

First change I noticed was that the tool now includes Plugins/Installers for obtaining and installing certificates. However, I'm on my local machine, so I get the message:

No installers seem to be present and working on your system; fix that or try running letsencrypt with the "certonly" command

Obtain certificates!

For the time being, I will obtain the certificates locally and then install them manually in my server. In order to do this, I have to use the manual method.

Time to obtain certificates! This time, I will be generating a certificate for www.rmedgar.com, rmedgar.com and archive.rmedgar.com. Instead of going through the "visual" wizard, I'm simply going to run the following command:

./letsencrypt-auto certonly --manual --email MY_EMAIL -d rmedgar.com -d www.rmedgar.com -d archive.rmedgar.com

As I already have a certificate for rmedgar.com and www.rmedgar.com created, I'm shown the following message:

You have an existing certificate that contains a portion of the
domains you requested (ref:
/etc/letsencrypt/renewal/rmedgar.com)

It cointains these names: rmedgar.com, www.rmedgar.com

You requested these names for the new certificate: rmedgar.com,
www.rmedgar.com, archive.rmedgar.com.

Do you want to replace this existing certificate with the new
certificate?

Sure, why not? Hit Replace and the following message pops up:

NOTE: The IP of this machine will be publicly logged as having
requested this certificate. If you're running letsencrypt in manual
mode on a machine that is not your server, please ensure you're okay
with that.

Are you OK with your IP being logged?

Now this is interesting. I guess some people would mind the above, but I'm performing these steps through the network of my University, so I'll just continue.

After hitting OK, the well known message for verification of ownership is shown. I'm too lazy now to deal with nginx, so I'll just stop it, execute the commands I'm given and relaunch it.

- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/rmedgar.com/fullchain.pem. Your cert will
   expire on 2016-03-03. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

Installing in the server

I will be copying the fullchain.pem and privkey.pem files to the server, just as before:

cp fullchain.pem /etc/ssl/rmedgar_com.pem
cp privkey.pem /etc/ssl/rmedgar_com.key

Now, nginx stuff. I now have more than one subdomain with SSL, so I'll just create the file /etc/nginx/sites-available/force-ssl with the following content:

#Force HTTPS
server {
    listen 80;
    # All subdomains
    server_name rmedgar.com www.rmedgar.com;

    return 301 https://$host$request_uri$is_args$args;
}

Run # ln -s /etc/nginx/sites-available/force-ssl /etc/nginx/sites-enabled/force-ssl And add the SSL-specific details to each site:

server {
    listen 443 ssl;

    ssl on;
    ssl_certificate /etc/ssl/rmedgar_com.pem;
    ssl_certificate_key /etc/ssl/rmedgar_com.key;

    ...
}

Aaaand done! SSL everywhere! The only remaining thing is to find out how to automate the generation and installation of the certificates (maybe Zoe could be able to do it?).

Tags: let's encrypt ssl security certificate nginx

rmed

My name is Rafael Medina, and I like code.

More about me.