Saturday, December 12, 2015

Free SSL Certificate from Mozilla Let's Encrypt project

Last week the Mozilla Let's Encrypt project announced the launch of its free, automated and open certificate authority. I had been waiting for this news for a long time. I quickly deployed Let's Encrypt on my staging server to learn how this technology works. The deployment process is painless and very straightforward. The certificates need to be renewed every 3 months; the Let's Encrypt client does this automatically. Thank you Jerome and Ryan for all your help!

At the time of writing this blog post, the Let's Encrypt client was not available for the Nginx server, so I am using the manual method to obtain the SSL certificate here. Please read the latest docs for additional information.


# Check out the Let's Encrypt source code
$ git clone https://github.com/letsencrypt/letsencrypt

# Stop the Nginx server, we need the client to bind to port 80.
$ sudo service nginx stop

# Start the Let's Encrypt client and follow the instructions on screen. You need to provide an email address.
$ sudo ./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --domains staging.example.org
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/staging.example.org/fullchain.pem. Your
   cert will expire on 2016-01-02. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

# Edit the Nginx config to point to the generated certificates.
$ sudo nano /etc/nginx/sites-enabled/staging.example.org

        listen 443 ssl;
        server_name staging.example.org;
        ssl_certificate /etc/letsencrypt/live/staging.example.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/staging.example.org/privkey.pem;

# Restart the Nginx server
$ sudo service nginx start


Please don't forget to test your server using a comprehensive SSL server test such as SSL Labs.
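For the manual method above, where the client is rerun by hand, this added example (not part of the original post and not Let's Encrypt project code) checks the certificate's expiry with `openssl x509 -checkend` and repeats the post's stop, issue, start steps only when the certificate is close to expiring. The clone location `LE_DIR`, the 30-day `RENEW_DAYS` threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example: rerun the manual issuance only when the certificate is near expiry.
DOMAIN="staging.example.org"
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
LE_DIR="$HOME/letsencrypt"   # assumption: where the git clone from the post lives
RENEW_DAYS=30                # assumption: renew this many days before expiry

# Returns 0 (true) when the certificate is missing, unreadable, unparseable,
# or expires within $2 days; returns 1 when it is still valid beyond that.
cert_needs_renewal() {
    cert=$1
    days=$2
    [ -r "$cert" ] || return 0
    # -checkend N exits 0 only if the certificate is still valid N seconds
    # from now. For fullchain.pem, openssl reads the first certificate (the leaf).
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Repeats the steps from the post: stop Nginx, run the client, start Nginx.
renew_cert() {
    sudo service nginx stop
    status=0
    (cd "$LE_DIR" && sudo ./letsencrypt-auto \
        --server https://acme-v01.api.letsencrypt.org/directory \
        certonly --domains "$DOMAIN") || status=$?
    # Start Nginx again even if issuance failed, so the site is not left down.
    sudo service nginx start
    return "$status"
}

renew_if_due() {
    if cert_needs_renewal "$CERT" "$RENEW_DAYS"; then
        renew_cert
    else
        echo "$CERT is valid for more than $RENEW_DAYS days; nothing to do"
    fi
}

# Nothing runs unless the script is invoked with --run.
if [ "${1:-}" = "--run" ]; then
    renew_if_due
fi
```

The client may still prompt on screen as in the post, so run the script with `--run` from a terminal.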


2 comments:

  1. Does this mean I do not have to buy an SSL certificate?
