Letsencrypt
From Jon's Wiki
It's easy!
Install the things
First install the nifty checker and make some directories:
git clone https://github.com/lukas2511/dehydrated.git /opt/letsencrypt mkdir -p /etc/ssl/letsencrypt mkdir -p /var/www/dehydrated
Set up the site's handshake
This script talks to the Letsencrypt CA and temporarily drops tokens in /var/www/dehydrated for your site to host for the handshake, deleting them afterwards. So make sure the HTTP side of your site can facilitate the handshake by using a known URL alias. In Apache, you need something like:
<VirtualHost *:80> ServerName www.myniftysite.com Alias "/.well-known/acme-challenge/" "/var/www/letsencrypt/" RewriteEngine On RedirectMatch 302 ^(?!/\.well-known/acme-challenge/).* https://www.myniftysite.com$0 </VirtualHost>
Or the same thing in nginx:
server { listen 80; server_name www.myniftysite.com; location /.well-known/acme-challenge/ { alias /var/www/letsencrypt/; } location / { return 302 https://$host$request_uri; } }
Fetch your certificates
Then run the following command. Once you've proven it works, bung it in /etc/cron.d/letsencrypt-renew to run every so often (Letsencrypt certificates expire in 3 months).
/opt/letsencrypt/dehydrated -c --domain www.myniftysite.com --challenge http-01 --out /etc/ssl/letsencrypt
Set up your HTTPS site
Now you can enable the HTTPS side of your site with the shiny new certificates the Letsencrypt CA generated for you.
<VirtualHost *:443> SSLEngine On SSLCertificateFile /etc/ssl/letsencrypt/www.myniftysite.com/fullchain.pem SSLCertificateKeyFile /etc/ssl/letsencrypt/www.myniftysite.com/privkey.pem Header always set Strict-Transport-Security "max-age=15768000" SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES1 SSLHonorCipherOrder on SSLCompression off # Ticket option and OCSP Stapling supported in Apache 2.4 SSLSessionTickets off SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off SSLStaplingCache shmcb:/var/run/ocsp(128000) ...
More or less the same thing in nginx:
server { listen *:443 ssl; server_name cloud.jon.geek.nz; ssl on; ssl_certificate /etc/ssl/letsencrypt/www.myniftysite.com/fullchain.pem; ssl_certificate_key /etc/ssl/letsencrypt/www.myniftysite.com/privkey.pem; ssl_trusted_certificate /etc/ssl/letsencrypt/www.myniftysite.com/chain.pem; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+aRSA+AES256:EDH+aRSA+AES256:EECDH+aRSA+AES128:EDH+aRSA+AES128; ssl_session_cache shared:SSL:50m; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security max-age=63072000; # For this, run this command: # openssl dhparam -out /etc/ssl/letsencrypt/dhparam.pem 2048 ssl_dhparam /etc/ssl/letsencrypt/dhparam.pem; ...
Run a script from cron
#!/bin/bash # Renew SSL certificates with LetsEncrypt using dehydrated. # See: https://github.com/lukas2511/dehydrated DEHYDRATED='/opt/letsencrypt/dehydrated' # Save etckeeper state just in case. if /usr/bin/etckeeper unclean; then /usr/bin/etckeeper pre-install fi for domain in \ my-domain-1.com \ my-other-domain.com \ foo-bar-baz.com \ ; do $DEHYDRATED -c --domain $domain sleep 2 done # If SSL certs renewed, update etckeeper and restart services if /usr/bin/etckeeper unclean; then /usr/bin/etckeeper commit "LetsEncrypt certificates updated." /usr/sbin/service nginx restart fi