Setup LetsEncrypt On Linux

LetsEncrypt is a certificate authority with an automated client. In short, this means that you can secure your websites at no cost. That’s right, you can go from http://yourdomain.com to https://yourdomain.com for free. Note though, it’s at the discretion of LetsEncrypt to issue you a certificate.

Getting started

You will need git installed on your Linux distro.

Ubuntu, Debian

sudo apt-get update
sudo apt-get install git-all

RedHat, CentOS

sudo yum update
sudo yum install git-all

Installation

Now that git is installed on your system, you can clone the LetsEncrypt repo.

mkdir ~/src
cd ~/src
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
sudo chmod g+x letsencrypt-auto
./letsencrypt-auto

Give it a little bit of time to update, install any missing dependencies as needed.

Using LetsEncrypt

Once Let’s Encrypt has finished installing, you can issue certificates in a snap.

For Apache2

Stop the apache2 service.

Then, run LetsEncrypt:

./letsencrypt-auto --apache --email=YOUREMAIL@YOURDOMAIN.COM -d YOURDOMAIN.COM -d SUB.YOURDOMAIN.COM -d ANYDOMAIN.YOUWANT.NET

This command calls LetsEncrypt, telling it that we are using Apache so that it can automate the install process. It notifies LetsEncrypt of our email address, and tells them the domains for which we would like certificates. You can use any domain you want after the -d flag because that tells LetsEncrypt “this person wants a cert for this domain”. LetsEncrypt will automate this whole process and add the proper lines of code to the config file for your domain.

For Nginx

LetsEncrypt for Nginx is very experimental. Use it at your own risk (make a backup your configuration first).

./letsencrypt-auto certonly --email=YOUREMAIL@YOURDOMAIN.COM -d YOURDOMAIN.COM -d SUB.YOURDOMAIN.COM 

This will generate a certificate in the following directory /etc/letsencrypt/live/YOURDOMAIN.COM.

To get the traffic switched over to using SSL, you will need to edit your Nginx site config file. For example:

sudo nano /etc/nginx/sites-enabled/default

In the config file, make sure that the server is listening on port 443 and that the SSL certificate locations are properly defined. Your config file should resemble the following:

server {
    listen 443;
    server_name yourdomain.com sub.yourdomain.com;

    root /usr/share/nginx/www;
    index index.html index.htm;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; 
}

Save the file, restart Nginx, and you’ll be ready to go!

Enjoy your new secure website!