Let's Encrypt

When I was setting up this version of my website back in June, I decided that it needed to support HTTPS. I purchased a Thawte SSL 123 certificate through Namecheap, completed the certificate signing request formalities, uploaded the files to my server, and then configured nginx to serve the website through HTTPS (my config file is at the bottom of this post).

Around a month ago, I was alerted to Let’s Encrypt. In their own words, Let’s Encrypt is a free, automated, and open Certificate Authority. The fact that it was free was good, but what caught my eye was that it was automated. I immediately signed up to the limited beta and began testing. Below are the steps that I followed:

Logged on to my server, then:

git clone
cd letsencrypt
./letsencrypt-auto --agree-dev-preview --server \ certonly

Finally, I made changes to the nginx default config file, specifically to the ssl_certificate and ssl_certificate_key items to point to the new Let’s Encrypt files.

That’s it. All in, it took about five minutes and as you can see the site is fully trusted with no errors.

Let’s Encrypt goes into public beta in early December. If you want to add HTTPS to your site, I’d highly recommend using their certificates.

server {
        listen 80;
        root /usr/share/nginx/html/current;
        index index.html;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443;
        root /usr/share/nginx/html/current;
        index index.html;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;

        # enable session resumption to improve HTTPS performance
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 5m;

        # Diffie-Hellman parameters for DHE cipher suites, 2048 bits recommended
        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        # enables server-side protection from BEAST attacks
        ssl_prefer_server_ciphers on;
        # disable SSLv3 (enabled by default since nginx 0.8.19) since it is less secure than TLS
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # ciphers chosen for forward secrecy and compatibility

        # config to enable HSTS (HTTP Strict Transport Security)
        # to avoid SSL stripping
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
}
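A small post-deploy check for the two things the config above is meant to guarantee, the HTTP-to-HTTPS redirect and the HSTS header. This is an added example, not code from the original post; HOSTNAME is a placeholder for your own site, and the sample responses are constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): post-deploy checks for the
# nginx setup above. Pipe raw response headers into each function, e.g.
#   curl -sI http://HOSTNAME  | check_redirect HOSTNAME
#   curl -sI https://HOSTNAME | check_hsts
# HOSTNAME is a placeholder for your own site name.

# check_redirect HOST: the plain-HTTP answer must be a 301 whose Location is
# https:// on the same host, which is what "return 301 https://$server_name$request_uri;" produces.
check_redirect() {
    host=$1
    hdrs=$(tr -d '\r')          # curl emits CRLF; strip the CR so anchors work
    printf '%s\n' "$hdrs" | head -n 1 | grep -q ' 301 ' || return 1
    printf '%s\n' "$hdrs" | grep -iq "^Location: https://$host/" || return 1
}

# hsts_max_age: print the max-age from a Strict-Transport-Security header,
# tolerating the stray trailing ";" in the config above. Prints 0 if absent.
hsts_max_age() {
    tr -d '\r' | grep -i '^Strict-Transport-Security:' | head -n 1 \
      | tr ';' '\n' | grep -io 'max-age=[0-9]*' | head -n 1 | cut -d= -f2 \
      | grep . || echo 0
}

# check_hsts: fail unless HSTS is sent with a max-age of at least one year
# (31536000 s), the value the config sets; a shorter policy expires too soon.
check_hsts() {
    age=$(hsts_max_age)
    [ "$age" -ge 31536000 ]
}

# Constructed sample responses (not captured from a real host) so the checks
# can be exercised offline. self_check returns 0 when both pass.
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://example.com/'
SAMPLE_HTTPS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubdomains;'
self_check() {
    printf '%s\r\n' "$SAMPLE_HTTP" | check_redirect example.com || return 1
    printf '%s\r\n' "$SAMPLE_HTTPS" | check_hsts
}
```

Run it against the live site after every certificate renewal; a non-zero exit from either check means the redirect or the HSTS policy did not survive the config change.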