Technology and Software

Configuring nginx for letsencrypt

Letsencrypt comes with a plugin for Apache. The one for nginx is still experimental. The manual configuration is pretty easy. On the server to protect with SSL:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
letsencrypt-auto certonly -a manual --rsa-key-size 4096 \
--email you@example.com -d example.com -d www.example.com

This creates a directory /etc/letsencrypt with your account data and your certificates in the live/example.com subdirectory.

Edit you nginx configuration file and add

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

to the SSL configuration of your server. It’s important that you use fullchain.pem for the certificate, and not the cert.pem in the letsencrypt directory. Programs like curl and wget won’t work if you use cert.pem. The reason is explained in the first answer to an issue I wrongly opened to letsencrypt. A more detailed explanation is here.

Restart nginx to test your new certificate.

Remember to setup a cron job to renew the certificate before it expires in 90 days. You should also check Mozilla’s SSL Configuration Generator to improve the security of your https server.

Standard