Configure NGINX to enable SSL using Let’s Encrypt & EasyEngine

13 Dec

Let’s Encrypt recently entered public beta, issuing signed certs from a trusted CA to participating site owners without a fee. The idea of serving encrypted content over HTTPS without any cost or resorting to self-signed certificates was appealing enough that I decided to dive in and give it a try on my personal site.

I am running Ubuntu 14.0.3 LTS on a VPN hosted by Vultr. I use EasyEngine to configure my software stack: NGINX, PHP, MariaDB, Redis, and WordPress.

Most of the documentation for Let’s Encrypt is written for Apache users, but there is experimental NGINX support available. However, I couldn’t find anything about EasyEngine support for Let’s Encrypt, so I decided to dig in and figure it out.

First, I shut down nginx with "sudo nginx -s quit".

Next, I grabbed the Let’s Encrypt client from the git repository:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth

I then needed to edit the nginx config for my site, which EasyEngine stores in a directory unique to the site, as opposed to the single server-wide config you would see in a vanilla nginx install.

sudo ee site edit joeyburke.com

I then added an entry to listen on port 443 and specified the keys generated by Let’s Encrypt:

server {

    listen 443 ssl;
    server_name joeyburke.com www.joeyburke.com;
    # Certificate chain and private key written by the Let's Encrypt client
    ssl_certificate /etc/letsencrypt/live/joeyburke.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/joeyburke.com/privkey.pem;

    …

I also wanted to redirect standard HTTP requests from port 80 to port 443 for HTTPS, so I added another server block:

server {
    listen 80;
    server_name www.joeyburke.com;
    # Permanent redirect of plain HTTP to HTTPS, keeping the requested URI
    return 301 https://$server_name$request_uri;
}

I then updated EasyEngine for my site with

sudo ee site update joeyburke.com

and finally restarted nginx.

After visiting my site and verifying that the redirection was working properly and the correct certificate was being used, I ran my site through SSL Labs to ensure everything was configured and working correctly.
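
The redirect check described above can be scripted so it is repeatable after every config change. This is an added example, not part of the original post: the function name check_redirect is hypothetical and the sample response at the end is constructed.

```shell
#!/bin/sh
# Added example: validate the port 80 -> 443 redirect from the server block above.
# check_redirect is a hypothetical helper; it reads raw HTTP response headers
# on stdin, as printed by a tool such as `curl -sI`.

# check_redirect EXPECTED_HOST
# Succeeds only when the response is a 301 whose Location is an https:// URL
# on exactly EXPECTED_HOST (a look-alike host with a longer name is rejected).
check_redirect() {
    expected_host="$1"
    code=""
    location=""
    cr=$(printf '\r')
    while IFS= read -r line; do
        line="${line%"$cr"}"                  # headers use CRLF line endings
        case "$line" in
            HTTP/*)                           # status line, e.g. "HTTP/1.1 301 Moved Permanently"
                code="${line#* }"
                code="${code%% *}" ;;
            [Ll]ocation:*)
                location="${line#*:}"
                location="${location# }" ;;
        esac
    done
    if [ "$code" != "301" ]; then
        echo "FAIL: status '${code:-none}', expected 301"
        return 1
    fi
    case "$location" in
        "https://$expected_host"|"https://$expected_host/"*)
            echo "OK: $location"
            return 0 ;;
        *)
            echo "FAIL: Location '$location' is not https://$expected_host"
            return 1 ;;
    esac
}

# Constructed sample of the response the redirect block should produce.
# Against a live server: curl -sI http://www.joeyburke.com/ | check_redirect www.joeyburke.com
printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.joeyburke.com/\r\n\r\n' |
    check_redirect www.joeyburke.com
```

A 302, a Location that stays on http://, or a Location on a different host all make the function return non-zero, so it can gate a deploy script.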
