Letsencrypt
It's easy!
Install the things
First install dehydrated (a shell-script ACME client) and make some directories:
git clone https://github.com/lukas2511/dehydrated.git /opt/letsencrypt
mkdir -p /etc/ssl/letsencrypt
mkdir -p /var/www/dehydrated
Set up the site's handshake
This script talks to the Letsencrypt CA and temporarily drops tokens in /var/www/dehydrated for your site to host for the handshake, deleting them afterwards. The CA fetches those tokens over plain HTTP, so the HTTP side of your site must serve /.well-known/acme-challenge/ from that directory and must not redirect that path to HTTPS like the rest of the site. In Apache, you need something like:
<VirtualHost *:80>
    ServerName www.myniftysite.com
    # Must be the directory dehydrated writes its tokens to
    Alias "/.well-known/acme-challenge/" "/var/www/dehydrated/"
    RewriteEngine On
    # Send everything except the challenge path to HTTPS
    RedirectMatch 302 ^(?!/\.well-known/acme-challenge/).* https://www.myniftysite.com$0
</VirtualHost>
Or the same thing in nginx:
server {
    listen 80;
    server_name www.myniftysite.com;
    location /.well-known/acme-challenge/ {
        # Must be the directory dehydrated writes its tokens to
        alias /var/www/dehydrated/;
    }
    location / {
        return 302 https://$host$request_uri;
    }
}
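A quick way to test that plumbing before the first dehydrated run. This is an added script, not part of the original page or of dehydrated: it drops a random token into the challenge directory, fetches it back through the HTTP side of the site without following redirects, and so catches both an alias pointing at the wrong directory and a redirect-to-HTTPS rule that swallows the challenge path. The webroot and base URL are assumed command-line arguments; with this page's setup they are /var/www/dehydrated and http://www.myniftysite.com.

```python
#!/usr/bin/env python3
# Pre-flight check for the http-01 plumbing: write a token where dehydrated
# would, fetch it through the web server, and make sure it comes back unchanged.
import os
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: the CA fetches the token over plain HTTP."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # None makes urllib raise HTTPError(3xx) instead of following


def check_challenge_path(webroot, base_url, timeout=10):
    """Return (ok, message). webroot is the directory the server maps to
    /.well-known/acme-challenge/ (the page's /var/www/dehydrated); base_url is
    the site's HTTP origin, e.g. http://www.myniftysite.com. Both are assumed."""
    token = secrets.token_urlsafe(32)  # random, URL-safe file name
    token_file = os.path.join(webroot, token)
    with open(token_file, "w") as fh:
        fh.write(token)
    url = base_url.rstrip("/") + CHALLENGE_PATH + token
    try:
        opener = urllib.request.build_opener(NoRedirect())
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:
        if 300 <= exc.code < 400:
            target = exc.headers.get("Location")
            return False, f"challenge path redirected to {target}; exclude it from the HTTPS redirect"
        return False, f"HTTP {exc.code} fetching token"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"could not fetch {url}: {exc}"
    finally:
        os.remove(token_file)  # clean up, as dehydrated does after the handshake
    if body != token:
        return False, "served content differs from token: alias points at the wrong directory?"
    return True, "challenge path is served correctly"


if __name__ == "__main__":
    ok, message = check_challenge_path(sys.argv[1], sys.argv[2])
    print(message)
    sys.exit(0 if ok else 1)
```

Run it as `./acme_preflight.py /var/www/dehydrated http://www.myniftysite.com`; it exits non-zero with the reason when the path is redirected or served from the wrong directory.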
Fetch your certificates
Then run the following command. Once you've proven it works, bung it in /etc/cron.d/letsencrypt-renew to run every so often (Letsencrypt certificates expire in 3 months).
/opt/letsencrypt/dehydrated -c --domain www.myniftysite.com --challenge http-01 --out /etc/ssl/letsencrypt
Set up your HTTPS site
Now you can enable the HTTPS side of your site with the shiny new certificates the Letsencrypt CA generated for you.
# SSLStaplingCache is a server-wide setting: it must sit outside any <VirtualHost>
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/ssl/letsencrypt/www.myniftysite.com/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/letsencrypt/www.myniftysite.com/privkey.pem
    Header always set Strict-Transport-Security "max-age=15768000"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # One directive, one line: the cipher list must not be split
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES1
    SSLHonorCipherOrder on
    SSLCompression off
    # Session ticket option and OCSP stapling need Apache 2.4
    SSLSessionTickets off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    ...
More or less the same thing in nginx:
server {
    listen *:443 ssl;
    server_name www.myniftysite.com;
    # 'ssl on;' is redundant with 'listen ... ssl' and deprecated in newer nginx
    ssl_certificate /etc/ssl/letsencrypt/www.myniftysite.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/letsencrypt/www.myniftysite.com/privkey.pem;
    # chain.pem is what ssl_stapling_verify checks OCSP responses against
    ssl_trusted_certificate /etc/ssl/letsencrypt/www.myniftysite.com/chain.pem;
    ssl_session_timeout 5m;
    # Same protocol floor as the Apache config above
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+aRSA+AES256:EDH+aRSA+AES256:EECDH+aRSA+AES128:EDH+aRSA+AES128;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    # Stapling also needs a 'resolver' directive so nginx can look up the OCSP responder
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=63072000;
    # Generate this file once with:
    # openssl dhparam -out /etc/ssl/letsencrypt/dhparam.pem 2048
    ssl_dhparam /etc/ssl/letsencrypt/dhparam.pem;
    ...
Run a script from cron
Set up a config file:
# Stick this in /etc/dehydrated/config
CERTDIR='/etc/ssl/letsencrypt'
CHALLENGETYPE='http-01'
Then a script somewhere in /usr/local/bin to run from a cron job:
#!/bin/bash
# Renew SSL certificates with LetsEncrypt using dehydrated.
# See: https://github.com/lukas2511/dehydrated
DEHYDRATED='/opt/letsencrypt/dehydrated'

# Save etckeeper state just in case.
if /usr/bin/etckeeper unclean; then
    /usr/bin/etckeeper pre-install
fi

for domain in \
    my-domain-1.com \
    my-other-domain.com \
    foo-bar-baz.com \
; do
    "$DEHYDRATED" -c --domain "$domain"
    sleep 2
done

# If any certificate was renewed (/etc changed), commit it and restart services.
if /usr/bin/etckeeper unclean; then
    /usr/bin/etckeeper commit "LetsEncrypt certificates updated."
    /usr/sbin/service nginx restart
fi