
Auto Renewing SSL Certs on NGINX with Let's Encrypt

Let's Encrypt has recently entered a public beta and I've been really excited to test it out. They're offering free SSL certs that expire every 90 days, and are extremely easy to get. Having used Comodo in the past to get certificates, I've been waiting for this day.

And it was everything I'd hoped it to be. The first cert I installed took minutes! I tried the letsencrypt-auto client at work to get a cert for one of our internal domains. But I wasn't able to find an easy way to automate letsencrypt-auto, and I didn't really like the fact that it generated configuration files automagically.

If you're using Let's Encrypt, I highly recommend you donate to help further its development!

Let's Encrypt Client

Luckily for me, Let's Encrypt is really a set of protocols that allow a client to interface with their ACME auth server to generate certificates automatically.

And there just so happened to be an alternative client, made by one of the core LE developers, called simp_le that better met my needs:

  1. Allow me to easily script and automate renewal
  2. Don't touch configuration files

Installing simp_le

Installing the simp_le client is easy.

Generating our first cert

Generating an SSL cert with Let's Encrypt and simp_le is super easy. I'm organizing my certs like so:

And generating them like so:

The last argument of the command specifies the domain and the webroot as domain:webroot. This is important because the client needs to create a challenge file in the webroot, which the ACME server fetches over plain HTTP to verify that you control the domain.

Since this site is built using the Phoenix Framework and the Elixir Language, I had to tweak my nginx config a little bit to serve the /.well-known/acme-challenge file for domain control validation.

That's it! A new cert will have been generated in /var/cert/marc.cx. Next, nginx needs to be configured for SSL.

Configuring NGINX to use SSL

To do this, I used the modern configuration option on the Mozilla SSL Configuration Generator. My configuration ended up looking like this.

This is also configured to redirect any http connections to https.

Testing SSL

We should then test to make sure we're actually secure. We can use the Qualys SSL Labs SSL Tester.

SSL Grade

Everything looks good! Now to automate the renewal process!

Automating Certificate Renewal

In order to automatically renew LE SSL certs, I've written a simple wrapper for simp_le that reads a small configuration file so the script knows each site's webroot.

This script can, and should, be configured using the following environment variables:

simp_le_renew wrapper for simp_le
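The wrapper below is an added illustration of the approach described above, not the author's simp_le_renew script. It assumes a config file with one `<domain> <webroot>` pair per line, the `/var/cert/<domain>` layout used on this page, and simp_le's documented exit codes (0 = new cert written, 1 = existing cert still valid, anything else = error); the environment variable names are made up for the example.

```shell
#!/bin/sh
# simp_le_renew (example): renew every site listed in a config file, then
# reload nginx only if at least one certificate actually changed.
set -eu

SIMP_LE_CONF="${SIMP_LE_CONF:-/etc/simp_le/sites.conf}"  # assumed: "domain webroot" per line
CERT_ROOT="${CERT_ROOT:-/var/cert}"                      # one directory per domain
SIMP_LE_BIN="${SIMP_LE_BIN:-simp_le}"
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"

# Drop comments and blank lines so every remaining line is "domain webroot".
config_sites() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# simp_le arguments for one site: the files to write, plus the domain:webroot
# pair it needs to drop the /.well-known/acme-challenge token into the webroot.
site_args() {
  printf '%s -d %s:%s' '-f key.pem -f cert.pem -f fullchain.pem' "$1" "$2"
}

# Run simp_le inside the site's cert directory. Returns 0 if a cert was
# renewed, 1 if nothing needed doing, 2 on any error (logged to stderr).
renew_site() {
  domain="$1"; webroot="$2"; rc=0
  mkdir -p "$CERT_ROOT/$domain"
  # shellcheck disable=SC2046  # word-splitting the argument string is intended
  ( cd "$CERT_ROOT/$domain" && "$SIMP_LE_BIN" $(site_args "$domain" "$webroot") ) || rc=$?
  case $rc in
    0) echo "renewed $domain"; return 0 ;;
    1) return 1 ;;
    *) echo "simp_le failed for $domain (exit $rc)" >&2; return 2 ;;
  esac
}

main() {
  renewed=0
  # Heredoc instead of a pipe so the loop runs in this shell and can set $renewed.
  while read -r domain webroot; do
    renew_site "$domain" "$webroot" && renewed=1 || true
  done <<EOF
$(config_sites "$SIMP_LE_CONF")
EOF
  [ "$renewed" -eq 1 ] && $RELOAD_CMD
  return 0
}

# Only act when invoked as "simp_le_renew run", e.g. from cron.
case "${1:-}" in run) main ;; esac
```

Invoke it from cron as `simp_le_renew run`; a site whose cert is still fresh costs one quick simp_le check and no nginx reload.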

Setting Up a Cronjob

This is the entry I have in my crontab to check and renew certs every day at 2am:

Closing Words

And that's it! It's pretty simple to get up and running with Let's Encrypt! And being able to easily automate the renewal process with simp_le and simp_le_renew relieves the headache of remembering to renew your SSL certificates and having a potential website outage!