True HTTPS for everyone, at last
12 Dec 2015

HTTPS is now both free and extremely easy to set up for website owners, thanks to the efforts of the Let's Encrypt initiative. SSL certificates used to cost $100+/year and were a pain to install on a webserver. From the moment I learned that Let's Encrypt's public beta was open, it took me less than 10 minutes to replace my crappy self-signed SSL certificate with a certificate recognized by a legitimate SSL authority. Yes, it's that easy.

I don't like to post step-by-step tutorials on this website, but I believe the sheer simplicity of the install is a real game changer. See for yourself.

(The following instructions are for a website served by Nginx on Ubuntu.)

1) Generate a certificate

Fetch Let's Encrypt:

# Instructions at https://github.com/letsencrypt/letsencrypt/
git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt

Write a tiny renew.sh bash script for generating the mydomain.com certificate:

#!/bin/bash
# The standalone authenticator runs its own temporary web server on the HTTP(S)
# ports, so Nginx has to release them while the certificate is requested.
service nginx stop
/path/to/letsencrypt/letsencrypt-auto certonly --standalone -d mydomain.com --renew-by-default
# Bring Nginx back up whether or not the request succeeded.
service nginx start

Generate your first ever legit SSL certificate (yay!):

./renew.sh

Automate the certificate renewal:

$ sudo crontab -e
# m  h  dom mon dow   command
# Every Monday at midnight:
0  0   *   *  1     /path/to/letsencrypt/renew.sh
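The cron entry above forces a re-issue (and an Nginx stop) every week whether the certificate needs it or not. As an added example that is not part of the original post, here is a wrapper that calls the post's renew.sh only when the certificate on disk is within a chosen number of days of expiry; it assumes GNU date (as on Ubuntu) and openssl, and the CERT and RENEW_SCRIPT paths are placeholders like the post's.

```shell
#!/bin/bash
# Added example, not from the original post: renew only when the certificate on
# disk is close to expiry, instead of forcing a re-issue and an Nginx stop weekly.
# Assumes GNU date (as on Ubuntu) and openssl; paths are placeholders.

CERT=/etc/letsencrypt/live/mydomain.com/fullchain.pem
RENEW_SCRIPT=/path/to/letsencrypt/renew.sh   # the post's renew.sh
THRESHOLD_DAYS=30                            # Let's Encrypt certificates last 90 days

# Whole days from a reference Unix time ($2) to a notAfter string such as
# "Dec 12 00:00:00 2016 GMT" ($1); negative once that date has passed.
days_until() {
    local end
    end=$(date -u -d "$1" +%s) || return 1
    echo $(( (end - $2) / 86400 ))
}

# Days left on the PEM certificate at $1, relative to now.
cert_days_left() {
    local not_after
    [ -r "$1" ] || return 1
    not_after=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    [ -n "$not_after" ] || return 1
    days_until "$not_after" "$(date +%s)"
}

# True (exit 0) when renewal is due: certificate missing, unreadable, or
# within $2 days of expiry.
renewal_due() {
    local days
    days=$(cert_days_left "$1" 2>/dev/null) || return 0
    [ "$days" -le "$2" ]
}

main() {
    if renewal_due "$CERT" "$THRESHOLD_DAYS"; then
        echo "certificate within $THRESHOLD_DAYS days of expiry, renewing"
        "$RENEW_SCRIPT"
    else
        echo "certificate has $(cert_days_left "$CERT") days left, nothing to do"
    fi
}

# Only act when invoked as "renew-if-needed.sh run" (e.g. from the weekly cron entry).
if [ "${1:-}" = "run" ]; then
    main
fi
```

Point the cron entry at this script with the `run` argument instead of at renew.sh directly; the message it prints ends up in the cron mail, which doubles as a weekly expiry check.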

2) Configure Nginx

Configure an Nginx site in /etc/nginx/sites-enabled/mydomain:

server {
    # Redirect http calls to https
    listen 80;
    server_name mydomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name mydomain.com;

    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location / {
        # The rest of your configuration goes here
        ...
    }
}

3) Bonus settings

The Nginx settings require some tuning to obtain an A grade on the SSL test:

http {
    ...

    ssl_prefer_server_ciphers on;

    # Enable perfect forward secrecy and disable RC4 (https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what)
    # Note that the trailing !RC4 removes the RC4 suites named earlier in the list.
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

    # Disable SSLv3 because of POODLE vulnerability: http://disablessl3.com/
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Use a custom Diffie-Hellman group for a strong key exchange: https://weakdh.org/sysadmin.html
    # The parameters were generated via "openssl dhparam -out /etc/nginx/dhparams.pem 2048"
    ssl_dhparam /etc/nginx/dhparams.pem;
}

For instance, the SSL report for my mail webclient domain can be found here.