I’ve long fought with trying to move my meager web hosting off of HTTP and onto HTTPS. A big problem for me was getting certificates that would actually be accepted by default in readers’ browsers. Since the mid-2000s, the only option I knew about that would do this for free was StartCom.

Sadly, there were still issues with this approach. StartCom required you to maintain your own private SSL key just to log in to their web page. Since their certificates were valid for two years, I had lost that private key every time I came back. This isn’t inherently a problem, but it meant repeatedly going through their identification phase which, I believe, still involved a human on the other end clicking a button. This was extremely frustrating because an update I wanted to make on a Saturday evening would end up taking the whole weekend while I waited for approval.

Lately, I have been seeing lots of chatter about LetsEncrypt, a new certificate authority (CA, i.e. an organization that browsers trust to issue certificates) that is:

  1. Generally accepted by all the user browsers I cared about
  2. Automatable, with no human interaction on the CA side
  3. Free

As of this writing, I’ve completely removed all of the old self-signed and StartCom certificates I had been using and replaced them with LetsEncrypt certificates. I’ve not only cleaned up my server, but I also have a repeatable process that will save me effort in the future.

There are some pretty good instructions available on ReadTheDocs: http://letsencrypt.readthedocs.org/en/latest/index.html

My only complaint (which is very minor since the entire LetsEncrypt software is still in beta) was that I had to finagle a few things to get it working on Gentoo and with Nginx as my web server.

I was actually shocked that when first running the letsencrypt-auto tool, it tried to install some necessary packages. Sadly, my installation was a little busted so I had to go through and get these packages installed by hand. After that was done, the tool moved past this step without any extra input from me. I was very pleased.

The Nginx support provided with the letsencrypt-auto tool is still experimental as of this writing, so I had to opt for the Manual plugin instead. This wasn’t terrible either, since I’m guessing the way I lay out vhosts on disk isn’t going to be considered standard (although I think it is what Gentoo recommends).

For others who might be considering switching, here’s a general outline of my steps:

Workflow

  1. Create a new configuration file with a server running on port 80 without SSL.

    vim /etc/nginx/vhosts/letsencrypt.conf

    This is a bare-bones server (`listen`, `server_name`, and `root` directives). I want to keep these in a separate configuration file because I can easily turn off these servers after I get my new certificates.

  2. Run the `letsencrypt` tool

    ./letsencrypt-auto certonly --manual -d penguinsinabox.com

    This command prints instructions partway through the run, ultimately telling you to create a file with a specific name and specific contents under the given domain so the CA can verify you control it.

  3. Update the Nginx configuration (first-time only)

    I just need to make sure that my servers are using the appropriate letsencrypt cert and key. This is something that I only need to do once as the `letsencrypt-auto` tool maintains a nice directory structure with symlinks that always point to the newest certs/keys.

  4. Turn off the old servers and restart nginx

    mv /etc/nginx/vhosts/letsencrypt.conf /etc/nginx/vhosts/letsencrypt.conf.off && /etc/init.d/nginx reload

    I can then turn off the challenge servers in one fell swoop and reload Nginx to pick up the new certs.
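To make steps 1 and 3 concrete, here is an added example of what the two Nginx files could look like. This is my illustration, not the configuration from the original post: the document roots, the file name `penguinsinabox.com.conf`, and the `ssl_*` settings are assumptions. The `/.well-known/acme-challenge/` path is where the Manual plugin asks you to place the verification file (it is the standard HTTP-01 challenge location), and `/etc/letsencrypt/live/<domain>/` is the symlink directory the tool maintains so that the permanent vhost never needs editing after a renewal.

```nginx
# ---- /etc/nginx/vhosts/letsencrypt.conf (step 1) ----
# Bare HTTP server whose only job is to serve the challenge file that
# "letsencrypt-auto certonly --manual" tells you to create.  Rename it to
# letsencrypt.conf.off once the certificate has been issued (step 4).
server {
    listen 80;
    server_name penguinsinabox.com;

    # Directory under which you create .well-known/acme-challenge/<token>
    # by hand when the tool asks.  Path is an assumption for this example.
    root /var/www/letsencrypt;

    location /.well-known/acme-challenge/ {
        # Serve the token file verbatim; the CA expects a plain-text body.
        default_type text/plain;
        try_files $uri =404;
    }

    # Nothing else is served over plain HTTP from this throwaway server.
    location / {
        return 404;
    }
}

# ---- /etc/nginx/vhosts/penguinsinabox.com.conf (step 3, edited once) ----
server {
    listen 443 ssl;
    server_name penguinsinabox.com;

    # "live/" holds symlinks that always point at the newest issued files,
    # so renewals never require touching this block.  fullchain.pem carries
    # the leaf plus intermediate, which is what browsers need to build a path.
    ssl_certificate     /etc/letsencrypt/live/penguinsinabox.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/penguinsinabox.com/privkey.pem;

    # Conservative protocol choice; adjust to what your nginx/OpenSSL supports.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    root /var/www/penguinsinabox.com;   # assumed site root
}
```

Because the permanent vhost only listens on 443, there is no `server_name` clash on port 80 while `letsencrypt.conf` is enabled. If you prefer to keep a permanent port-80 server that redirects to HTTPS, move the `/.well-known/acme-challenge/` location into that server block instead and leave it in place; step 4's rename then becomes unnecessary, since the challenge path stays reachable for every renewal while everything else still redirects. After the reload, checking `openssl s_client -connect penguinsinabox.com:443 -servername penguinsinabox.com` and reading the `notAfter` date confirms the new certificate is actually being served.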

Summary

Quite possibly the best part about the above workflow is that it’s exactly the same steps for certificates for a new domain as it is for certificate renewals! I now have one set of steps to run, regardless of what I’m doing. This is awesome.

My biggest hope is that as the software matures, my list of 4 steps will be made obsolete and I can fully automate the entire process via crontab. Maybe if I take a hiatus from the rest of life/work, I’ll help them myself!