Installing a free SSL certificate with Let's Encrypt

The following will teach you how to install an SSL cert on Ubuntu with Nginx.

I once had to install an SSL cert for a client and it was a royal PITA. I purchased the cert from Comodo, they emailed me the cert, and I then had to figure out the cryptic way of installing it. I was using OpenShift to host the site and have since moved to DigitalOcean, and I urge you to do the same, because it's rad.

Back then I didn't know about the free SSL cert and software of Let's Encrypt. I also would have never thought that a free cert would be easy to install, but OMG it was one of the sexiest installs I've ever done. It was fast, packaged and kept up to date by Ubuntu's apt, and dead easy.

I followed DigitalOcean's tutorial and it worked like a charm. However, you'll also want to add a CAA DNS entry, which the tutorial didn't cover, but I'll show you how.

  1. Install Certbot

    Add the repository
    $ sudo add-apt-repository ppa:certbot/certbot

    Update the package list
    $ sudo apt-get update

    Install Certbot
    $ sudo apt-get install python-certbot-nginx

  2. Ensure HTTPS (TCP port 443) is open in the firewall

    If you are using ufw then you'll need to open port 443.

    View ufw rules
    $ sudo ufw status

    If neither Nginx Full nor 443 has an Action of ALLOW then you'll need to add it. (There may also be duplicate rules with (v6) next to them; those are the same rules for IPv6.)

    Add HTTPS rule
    $ sudo ufw allow https
  3. Get yourself a cert

    Certbot does all the work for you. Praise open source software!

    Generate the certificate
    $ sudo certbot --nginx -d -d

    Certbot will ask you if you want all requests to be HTTPS or to also allow HTTP. Your choice, but ninja pros go with HTTPS for life.

  4. Verification

    Check out your site with HTTPS, it should work!

    Test out your site at ssllabs and see what grade you get.

    If you got a B due to Diffie-Hellman Parameters then you should update them with step 5.

  5. Update your Diffie-Hellman Parameters

    The following command will create some wizardry and will take some time. It's fun to watch the output, because crazy smart people are making stuff happen. Watch in awe, it should look something like this:

    Update Diffie-Hellman Parameters
    $ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    Edit your Nginx config (it will be in /etc/nginx/sites-available/) and paste the directive into the server block.

    Add the new param to your Nginx config (this is a config directive, not a shell command)
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    Make sure you didn't screw up your config by validating it.

    Verify your Nginx config
    $ sudo nginx -t

    If your config is valid then reload Nginx.

    Reload Nginx
    $ sudo service nginx reload

    Test your site again at ssllabs and you should have that highly coveted A grade.

  6. Set up auto renewal

    Add a cron job that runs certbot renew every day; it only renews certs that are going to expire in less than 30 days.

    Add a crontab
    $ sudo crontab -e

    Add the following line to the bottom of the file.

    Check if certbot needs to renew every day at 3:15am
    15 3 * * * /usr/bin/certbot renew --quiet
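As an added example that is not part of the original post, the following shell script audits the results of steps 2, 5 and 6 on one server: that ufw allows 443 and, because the HTTP-to-HTTPS redirect needs it, 80 (the timeout described in the update at the end of this post), that the Nginx config names a dhparam file, and that the root crontab carries the renew job. The check functions take their input as text, so they run on the constructed samples without root; audit_live is the part that reads the real ufw, Nginx and crontab output. The path /etc/nginx/sites-available/* and the ufw profile names Nginx Full / Nginx HTTP / Nginx HTTPS are assumptions (the profiles ship with Ubuntu's nginx package).

```shell
#!/bin/sh
# Added example (not from the original post): a post-install audit for steps 2, 5 and 6.
# The check functions take their input as text, so they run without root and can be
# tried on the constructed samples below; audit_live feeds them the real outputs.
# Assumed paths: /etc/nginx/sites-available/* (as in the post) and the root crontab.

# ufw_allows STATUS_TEXT RULE: succeed if the IPv4 rule for a port number (443)
# or app profile ("Nginx Full") shows Action ALLOW in `sudo ufw status` output.
ufw_allows() {
  printf '%s\n' "$1" | grep -v '(v6)' | grep -E "^($2|$2/tcp)[[:space:]]+ALLOW" >/dev/null
}

# nginx_dhparam CONF_TEXT: print the file named by the first ssl_dhparam directive
# (the directive must start its own line); print nothing if it is missing.
nginx_dhparam() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ssl_dhparam[[:space:]]*\([^;]*\);.*/\1/p' | head -n 1
}

# dhparam_bits FILE: print the size in bits of a PEM DH parameter file (needs openssl).
dhparam_bits() {
  openssl dhparam -in "$1" -text -noout 2>/dev/null | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# crontab_has_renew CRONTAB_TEXT: succeed if an uncommented line runs `certbot renew`.
crontab_has_renew() {
  printf '%s\n' "$1" | grep -E '^[^#]*certbot renew' >/dev/null
}

# audit UFW_TEXT NGINX_CONF_TEXT CRONTAB_TEXT: print one line per problem with the
# command that fixes it; print "ok" and return 0 when everything is in place.
audit() {
  findings=0
  ufw_allows "$1" 'Nginx Full' || ufw_allows "$1" 'Nginx HTTPS' || ufw_allows "$1" 443 \
    || { echo '443 not allowed: sudo ufw allow https'; findings=$((findings + 1)); }
  # Port 80 must stay open too, or the HTTP-to-HTTPS redirect times out (see the update at the end).
  ufw_allows "$1" 'Nginx Full' || ufw_allows "$1" 'Nginx HTTP' || ufw_allows "$1" 80 \
    || { echo '80 not allowed, HTTP redirect will time out: sudo ufw allow http'; findings=$((findings + 1)); }
  [ -n "$(nginx_dhparam "$2")" ] \
    || { echo 'no ssl_dhparam directive in the nginx config (step 5)'; findings=$((findings + 1)); }
  crontab_has_renew "$3" \
    || { echo 'no certbot renew cron job (step 6)'; findings=$((findings + 1)); }
  if [ "$findings" -eq 0 ]; then echo ok; fi
  return "$findings"
}

# audit_live: run the audit against this machine (run with sudo).
audit_live() {
  conf=$(cat /etc/nginx/sites-available/*)
  audit "$(ufw status)" "$conf" "$(crontab -l 2>/dev/null)"
  f=$(nginx_dhparam "$conf")
  [ -n "$f" ] && [ -r "$f" ] && echo "dhparam: $(dhparam_bits "$f") bit"
}

# Constructed sample inputs, shaped like the real outputs on the post's setup.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)'
SAMPLE_NGINX='server {
    listen 443 ssl;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}'
SAMPLE_CRON='15 3 * * * /usr/bin/certbot renew --quiet'

# Stand-alone demo on the samples (prints "ok"); call audit_live on the server instead.
audit "$SAMPLE_UFW" "$SAMPLE_NGINX" "$SAMPLE_CRON"
```

Each finding is printed with the command that fixes it, and the return code is the number of findings, so the script can be dropped into a config-management check that fails when the server drifts from this setup.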

Your SSL cert is all set up and will auto renew. Huzzah!

When you tested your cert at ssllabs did you notice DNS CAA failed?

That's because you need to add a CAA DNS record.

What is a CAA DNS entry?

It tells certificate authorities which CA is allowed to issue certs for your site.

This is a relatively new DNS record that no one took notice of until this very second. Seriously, the time this post goes live is when the CA/Browser Forum will add it to their baseline requirements.

  1. Go to your DNS provider and add a CAA record.

    You can choose to use a wildcard for your domain so that all subdomains will also be certified by the same authority. I would assume most sites would want this, so this is how you do it.

    Add CAA DNS record
    # Host                Authority           Tag         Flag
    <your domain>         <CA identifier>     issuewild   0

    This says that your domain and all of its subdomains use the listed authority as the SSL cert authority.
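As an added example that is not part of the original post, the following shell script parses `dig +short CAA` output and reports whether Let's Encrypt is authorised for ordinary certs, wildcard certs, both, or neither, so you can confirm the record before ssllabs does. It assumes dig (package dnsutils) is installed for the live lookup, and it uses letsencrypt.org, the identifier Let's Encrypt publishes for CAA (the post above leaves the authority value out). One caveat it encodes: an issuewild record only governs wildcard certificates, so to pin ordinary certificates to the same CA you also want an issue record; with an issue record and no issuewild, the issue record governs wildcards as well (RFC 8659).

```shell
#!/bin/sh
# Added example (not from the original post): check that a domain's CAA records
# actually authorise Let's Encrypt. Assumes `dig` (package dnsutils) for the live
# lookup and uses "letsencrypt.org", the CA identifier Let's Encrypt publishes for CAA.
CA='letsencrypt.org'

# In zone-file form, the two records that cover both wildcard and ordinary certs are:
#   example.com.  IN CAA 0 issue     "letsencrypt.org"
#   example.com.  IN CAA 0 issuewild "letsencrypt.org"
# which `dig +short CAA example.com` prints as:
#   0 issue "letsencrypt.org"
#   0 issuewild "letsencrypt.org"

# caa_tags_for_ca DIG_TEXT CA: print each issue/issuewild tag whose value names CA.
caa_tags_for_ca() {
  printf '%s\n' "$1" | awk -v ca="$2" '
    $2 == "issue" || $2 == "issuewild" {
      val = $3
      gsub(/"/, "", val)   # strip the quotes dig prints around the value
      sub(/;.*/, "", val)  # drop parameters such as "; validationmethods=dns-01"
      if (val == ca) print $2
    }'
}

# caa_verdict DIG_TEXT CA: summarise what the record set lets CA issue (RFC 8659 rules):
#   ok            issue and issuewild both name CA
#   issue-only    only issue names CA; it also governs wildcards when no issuewild exists
#   wildcard-only only issuewild names CA; ordinary certs are not restricted by it
#   none          CA is not named by any issue/issuewild record
caa_verdict() {
  has_issue=0; has_wild=0
  for t in $(caa_tags_for_ca "$1" "$2"); do
    case $t in
      issue) has_issue=1 ;;
      issuewild) has_wild=1 ;;
    esac
  done
  if [ "$has_issue" -eq 1 ] && [ "$has_wild" -eq 1 ]; then echo ok
  elif [ "$has_issue" -eq 1 ]; then echo issue-only
  elif [ "$has_wild" -eq 1 ]; then echo wildcard-only
  else echo none
  fi
}

# caa_live DOMAIN: look the records up and report the verdict for Let's Encrypt.
caa_live() {
  caa_verdict "$(dig +short CAA "$1")" "$CA"
}

# Constructed sample, shaped like `dig +short CAA` output for a zone with both records
# plus an iodef contact record, which the checks ignore.
SAMPLE_CAA='0 issue "letsencrypt.org"
0 issuewild "letsencrypt.org"
0 iodef "mailto:hostmaster@example.com"'

# Stand-alone demo on the sample (prints "ok"); use caa_live yourdomain on a real zone.
caa_verdict "$SAMPLE_CAA" "$CA"
```

Run `caa_live` against your own domain after the DNS change has propagated; a verdict of wildcard-only means the record from the table above is in place but ordinary certificate issuance is still open to every CA, and adding the matching issue record closes that.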

Update: Timeouts for HTTP

If HTTP is timing out and not redirecting like it should, it's possible port 80 is no longer open.

I'm using ufw and I had port 80 open before I used certbot and noticed that 80 was no longer defined in my firewall rules.

It may be because I chose the secure route when stepping through the certbot install and certbot may have disabled port 80, but I couldn't find anything saying that it does this.

If your site is timing out over HTTP, run curl to see what's going on.

Debug with curl
$ curl -v