
Let’s Encrypt has landed

This is a short walkthrough for setting up a Let’s Encrypt certificate on a FreeBSD web server running NGINX that has so far been using a self-signed certificate.

Disclaimer: This article is solely for my own use. Following it can cause fire, children's death and green swallowing marshmallows. Read it all before trying any of the suggested actions and use your head. Don't sue me. ;-)

Background for Let’s Encrypt

Using SSL/TLS certificates has been made a rather complex and sometimes expensive task. Several CAs (Certification Authorities) have tried to run an open, free CA, but they all failed: after some time their certificates stopped being accepted as valid out in the world. That leads back to making a self-signed certificate, which does encrypt the connection between the server and you, but gives a visitor no way to tell your server from an impostor's, which is why browsers warn about it.

The issue has been that you need to prove ownership of your domain name to the CA, which then issues a certificate that proves to everybody else in the world that you are who you say you are, and not some malware-infested scumbag who wants all the IT power in the world.

Let’s Encrypt solves this by having you run a client on your server. The proof works over plain HTTP on port 80 (the HTTP-01 challenge): the Let’s Encrypt CA hands the client a random token, the client serves a response derived from that token and its account key under /.well-known/acme-challenge/ on your web server, and the CA fetches that URL from the internet. If the response matches, whoever controls the web server for that name also controls the client, so the CA issues the certificate. The Let’s Encrypt client “letsencrypt” handles all the communication with the CA and keeps your certificates and private keys in a folder it manages. As far as I can see you make a certificate for each domain and subdomain (the -d option can be given more than once to put several names in one certificate), but that really isn’t any hassle.
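To make the challenge concrete, here is an added example in Python that walks through HTTP-01 from both sides: the CA picks a token, the client publishes the key authorization at the well-known path, and the CA fetches and compares it. This is not the letsencrypt client's own code and not from the original post; the account key is a constructed JWK placeholder (not a real RSA key) and the "webroot" is a dict standing in for the files the client would serve on port 80.

```python
"""HTTP-01 domain validation, both sides, in miniature.

Added example: this is not the letsencrypt client's code. ACCOUNT_JWK is a
constructed placeholder (its modulus is not a real RSA key); the thumbprint
rule (RFC 7638) and the key-authorization rule (ACME) are what matter here.
"""
import base64
import hashlib
import json
import secrets

# Constructed account key in JWK form; only kty/n/e feed the thumbprint.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "constructed-modulus-not-a-real-key",
    "e": "AQAB",
}


def b64url(data):
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required public members only, keys sorted,
    no whitespace. Optional members (kid, alg, ...) must not be included."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """The body the client must serve: <token>.<thumbprint of account key>.
    Binding the token to the account key stops a third party who can see
    the token from completing the challenge with their own account."""
    return token + "." + jwk_thumbprint(jwk)


def challenge_path(token):
    """Fixed location the CA will request over plain HTTP on port 80."""
    return "/.well-known/acme-challenge/" + token


# ---- client side ------------------------------------------------------
def client_publish(webroot, token, jwk):
    """Put the key authorization where the web server will serve it.
    In standalone mode the client is the web server for this path; in
    webroot mode it writes a file under an existing document root."""
    webroot[challenge_path(token)] = key_authorization(token, jwk)


# ---- CA side ----------------------------------------------------------
def ca_validate(webroot, token, jwk):
    """Fetch the path from the domain and compare with the CA's own
    computation. Leading/trailing whitespace is tolerated; any other
    difference, or a missing file, fails the challenge."""
    body = webroot.get(challenge_path(token))
    if body is None:
        return False
    return body.strip() == key_authorization(token, jwk)


def run_exchange(jwk, webroot=None):
    """Whole exchange: the CA chooses an unguessable token, the client
    publishes, the CA checks. Returns (token, validated)."""
    webroot = {} if webroot is None else webroot
    token = b64url(secrets.token_bytes(32))
    client_publish(webroot, token, jwk)
    return token, ca_validate(webroot, token, jwk)


if __name__ == "__main__":
    token, ok = run_exchange(ACCOUNT_JWK)
    print("token:", token)
    print("served:", key_authorization(token, ACCOUNT_JWK))
    print("validated:", ok)
```

Nothing in this exchange needs the server to speak TLS yet, which is why a fresh host can get its first certificate. The flip side is that anyone who can answer HTTP on port 80 for your name (hijacked DNS, a shared host where someone else controls the document root) can pass the challenge too, so the challenge only proves control of the web server, not of the person behind it.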

Often, as in my situation, you already have a web server running some kind of secure connection with a self-signed certificate.

In my case I use a config structure with one global NGINX config file, which holds the configuration common to all the sites I run, and inside it includes for each site-specific configuration. Those site files are the ones we need to alter for this to work.

The site config file should have a section similar to this one, pointing at the self-signed certificate (the ssl_ciphers line is cut off at the editor's line width here, shown by the trailing $):

<code>server {
  listen 443 ssl;
  server_name YOUR-DOMAINNAME.COM;
  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128$
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_certificate /usr/local/etc/nginx/ca-bundle.pem;
  ssl_certificate_key /usr/local/etc/nginx/ssl-DOMAIN.pem;
  ssl_prefer_server_ciphers on;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_dhparam /usr/local/etc/ssl/certs/dhparam.pem;
}</code>

First, get the Let’s Encrypt client.

Update your ports tree. In my case a simple portsnap update wasn’t enough, so I had to do:

<code>$ portsnap fetch extract</code>

This takes a while. I can recommend running it inside tmux so it doesn't fail if you lose the connection to the server while managing it over the network. When it has finished, go to

<code>$ cd /usr/ports/security/py-letsencrypt/
$ make install clean</code>

Again, in my case I got a conflict where a library was the wrong version, so the ports system suggested that I run

<code>$ make deinstall</code>
<code>$ make reinstall</code>

This took a long time, hence the recommendation to use tmux. 🙂

Now everything should have installed nicely.
In standalone mode the client answers the CA's challenge request itself, so port 80 must be free for it: stop the NGINX instance listening on port 80 for the duration of the request. (The client's webroot mode avoids the downtime by writing the challenge file into a directory NGINX already serves; this walkthrough uses standalone.)

<code>$ service nginx stop</code>

Request the certificate by running the client as root or via sudo. If the client asks how you want to authenticate, choose the standalone method (you can also select it explicitly with --standalone).

<code>$ sudo letsencrypt -d YOURDOMAIN.COM certonly</code>

Replace YOURDOMAIN.COM with your fully qualified domain name (FQDN), exactly as visitors will type it; a bare hostname without the domain part is not an FQDN and the CA cannot validate it.

You will get a screen asking for your email address, which is used for urgent notices and for recovering a lost account key.

Screen shot (2015-12-16): the email address prompt

Agree to the terms of using Let’s Encrypt

Screen shot (2015-12-16): the terms of service prompt

You will now get a confirmation of success and information about where your certificate files are located. Let’s Encrypt certificates are short-lived (90 days), so plan to run the same command again before expiry, ideally from a cron job, and reload NGINX afterwards so it picks up the new files.

<code>IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/YOUR-DOMAINNAME.COM/fullchain.pem.
   Your cert will expire on 2018-01-23. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /usr/local/etc/letsencrypt. You should
   make a secure backup of this folder now. This configuration
   directory will also contain certificates and private keys obtained
   by Let's Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:
   Donating to EFF:</code>

Go back to your NGINX site config file. Make a backup copy first, just in case.

<code>$ cp nginx-site-configfile.conf nginx-site-configfile.conf.old</code>

Edit your config file with your preferred editor, in my case nano. Point ssl_certificate at fullchain.pem (the certificate plus the intermediate, so clients can build the chain) and ssl_certificate_key at privkey.pem in the live/ directory, and add the Strict-Transport-Security header. Be aware that includeSubdomains commits every subdomain to HTTPS and that preload asks browsers to hard-code that decision, which is slow to undo, so only add those once you are sure. The ssl_protocols line is carried over unchanged from the self-signed setup; TLSv1 and TLSv1.1 are deprecated today and should be dropped unless you must support very old clients.


<code>server {
  listen 443 ssl;
  server_name YOUR-DOMAINNAME.COM;
  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128$
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_certificate /usr/local/etc/letsencrypt/live/YOUR-DOMAINNAME.COM/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/YOUR-DOMAINNAME.COM/privkey.pem;
  ssl_prefer_server_ciphers on;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_dhparam /usr/local/etc/ssl/certs/dhparam.pem;
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
}</code>
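Since it is easy to swap the certificate paths and forget the rest, here is an added Python example (not from the page, and not part of nginx or the letsencrypt client) that parses a server block like the one above and reports the TLS points a reviewer would look for. The three embedded blocks are constructed from the page's own configuration (cipher list shortened, placeholder domain filled in); the paths under /usr/local/etc/letsencrypt/live/ are the client's real layout.

```python
"""Lint the TLS settings of an nginx server block for the points this
walkthrough touches: certificate paths, protocols, HSTS, DH parameters.

Added example, not part of the original page or of nginx. The sample
blocks are constructed from the page's configuration with the cipher
list shortened and the server_name placeholder filled in.
"""
import re
import shlex

LIVE = "/usr/local/etc/letsencrypt/live/"

# Self-signed setup, as the site config looked before the change.
BEFORE = """
server {
  listen 443 ssl;
  server_name YOUR-DOMAINNAME.COM;
  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_certificate /usr/local/etc/nginx/ca-bundle.pem;
  ssl_certificate_key /usr/local/etc/nginx/ssl-DOMAIN.pem;
  ssl_prefer_server_ciphers on;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_dhparam /usr/local/etc/ssl/certs/dhparam.pem;
}
"""

# The page's edited block: Let's Encrypt paths plus HSTS, protocols untouched.
HSTS_LINE = '  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";\n'
AFTER = (BEFORE
         .replace("/usr/local/etc/nginx/ca-bundle.pem", LIVE + "YOUR-DOMAINNAME.COM/fullchain.pem")
         .replace("/usr/local/etc/nginx/ssl-DOMAIN.pem", LIVE + "YOUR-DOMAINNAME.COM/privkey.pem")
         .replace("  ssl_dhparam", HSTS_LINE + "  ssl_dhparam"))

# What a current deployment should look like: TLS 1.2 only, no preload yet.
HARDENED = AFTER.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2").replace("; preload", "")


def split_statements(body):
    """Split on ';' outside quotes, so HSTS values containing ';' survive."""
    stmts, cur, quote = [], [], None
    for ch in body:
        if quote:
            cur.append(ch)
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch == ";":
            stmts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        stmts.append("".join(cur))
    return stmts


def parse_server_block(text):
    """Return [(directive, [args])] for the simple directives of the first
    server { } block. Nested blocks are not handled; comments are dropped."""
    body = re.sub(r"#[^\n]*", "", text)
    m = re.search(r"server\s*\{(.*)\}", body, re.S)
    if not m:
        raise ValueError("no server block found")
    parsed = [shlex.split(s) for s in split_statements(m.group(1))]
    return [(p[0], p[1:]) for p in parsed if p]


def lint(text):
    """Return a list of findings; an empty list means nothing to complain about."""
    directives = parse_server_block(text)
    args_of = lambda name: [a for n, a in directives if n == name]
    findings = []

    protocols = {p for a in args_of("ssl_protocols") for p in a}
    weak = sorted(protocols & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})
    if weak:
        findings.append("ssl_protocols enables deprecated versions %s" % weak)

    # fullchain.pem carries the intermediate; privkey.pem is the matching key.
    for name, want in (("ssl_certificate", "fullchain.pem"),
                       ("ssl_certificate_key", "privkey.pem")):
        paths = args_of(name)
        if not paths:
            findings.append(name + " is missing")
        elif not paths[0][0].startswith(LIVE):
            findings.append(name + " does not point into the letsencrypt live/ directory")
        elif not paths[0][0].endswith(want):
            findings.append(name + " should be " + want)

    hsts = [a for a in args_of("add_header")
            if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        value = hsts[0][1] if len(hsts[0]) > 1 else ""
        if not re.search(r"max-age=\d+", value):
            findings.append("Strict-Transport-Security has no max-age")
        if "preload" in value.lower():
            findings.append("Strict-Transport-Security sets preload; only ship it once every subdomain is ready")

    if not args_of("ssl_dhparam"):
        findings.append("no ssl_dhparam; DHE suites fall back to nginx's built-in group")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("hardened", HARDENED)):
        print(label, lint(cfg) or "OK")
```

Run against the page's edited block it reports exactly the two things the walkthrough leaves unchanged: TLSv1 and TLSv1.1 are still enabled, and preload is set. Everything else (fullchain.pem, privkey.pem, an HSTS header with max-age, dhparam) passes, and the hardened variant comes back clean.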

Start your NGINX service again (run its configuration test, nginx -t, first so a typo can't leave the site down) and browse to your site to check that the certificate is correct.

<code>$ service nginx start</code>

You should now have a CA-issued TLS certificate on your site, and the browser should show the Let’s Encrypt chain instead of a self-signed warning.

To check how your site performs security-wise, test it with an online TLS server test. I got an A+ on my site with these settings.

Screen shot (2015-12-30): the test result

Hope you enjoyed the article. 🙂

Links to other guides and walkthroughs on Let’s Encrypt:

Let’s Encrypt – Gratis SSL certifikater (Danish: free SSL certificates)

Published in BSD, Server Services
