
Let’s Encrypt Beta

Last month I wrote about Let’s Encrypt and signed up to participate in their closed beta program. Earlier this month I received my beta invite and I had the opportunity to request and install a new temporary certificate for this blog. I have to say the whole process was extremely easy and took very little time. Setup would have been even faster but the NGINX plugin support was in “experimental” status so I opted to update my NGINX configuration manually. Here are the steps I went through.

First I installed Git:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Next I ran the Let’s Encrypt setup script:

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly

Once the client fired up I agreed to terms:

[Screenshot: acme1]

Entered an email address for key recovery:

[Screenshot: acme2]

I typed in the domain names I needed certificates for:

[Screenshot: acme3]

Since my web server was running when I first started the client, it couldn’t bind to port 80 and it gave me an error message. I quickly shut down NGINX, ran the client and input my information again.

The setup script is able to retrieve my certificate(s) but at this point it is not able to change my web server configuration. Before going forward remember to back up your private keys. The new certificates are saved in /etc/letsencrypt/keys but it is recommended to always point your configuration files to the symlinks located in /etc/letsencrypt/live. I quickly commented out my prior SSL certificate in /etc/nginx/sites-available/default and added:

ssl_certificate /etc/letsencrypt/live/jasonamorrow.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jasonamorrow.com/privkey.pem;

NGINX started back up without any errors and I was just about all set. A quick configuration change to WordPress so the whole site would require HTTPS and I was good to go.

These temporary certificates will expire in 90 days so I’ll need to remember to renew them by re-running letsencrypt-auto. It looks like I also have the option to set up a cron job to automate this renewal.
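As an added example (not part of the original post and not Let’s Encrypt code), here is an expiry check a cron job could run against the 90-day certificate to decide when letsencrypt-auto needs re-running. The 30-day renewal window and the function names are assumptions; the certificate path is the one from the NGINX configuration above.

```python
import ssl
import subprocess
import sys
import time

RENEW_WINDOW_DAYS = 30  # assumption: renew once under 30 of the 90 days remain
# Path from the post's NGINX configuration (the live/ symlink, not keys/).
DEFAULT_CERT = "/etc/letsencrypt/live/jasonamorrow.com/fullchain.pem"


def parse_enddate(line):
    """Turn 'notAfter=Feb 21 12:00:00 2016 GMT' into epoch seconds (UTC)."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter" or not value:
        raise ValueError("unexpected openssl output: %r" % line)
    # Locale-independent parser for the certificate time format.
    return ssl.cert_time_to_seconds(value)


def status(line, now=None, window_days=RENEW_WINDOW_DAYS):
    """Classify a certificate as 'expired', 'renew' or 'ok'."""
    now = time.time() if now is None else now
    left = parse_enddate(line) - now
    if left <= 0:
        return "expired"
    if left < window_days * 86400:
        return "renew"
    return "ok"


def read_enddate(cert_path):
    """Ask the openssl CLI for the certificate's notAfter line."""
    return subprocess.check_output(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
        universal_newlines=True,
    )


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CERT
    result = status(read_enddate(path))
    print("%s: %s" % (path, result))
    # Non-zero exit lets a cron wrapper decide to re-run letsencrypt-auto.
    sys.exit(0 if result == "ok" else 1)
```

Because the client needed port 80 in this setup, a renewal triggered by this check still requires NGINX to be stopped while letsencrypt-auto runs.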

If you need more help please check out the Let’s Encrypt community at: https://community.letsencrypt.org/

For known issues in the Python client see: https://github.com/letsencrypt/letsencrypt/issues/

I definitely recommend Let’s Encrypt. Public beta is set to begin on December 3, 2015 and I’m confident that most of the kinks will be worked out before general availability.

Encrypt all the things!!