Programming, philosophy, pedaling.

Moving woodruffw.us to Let's Encrypt

May 13, 2016

Tags: meta

As of today, my personal site is finally encrypted, with a Let's Encrypt certificate:

woodruff.us's swanky new cert.

I was invited to LE's beta a little over a year ago, but had shied away from HTTPS on the (completely incorrect) assumption that it would require additional maintenance and configuration time. Seeing how my personal site is 99% static and hand-written, I didn't feel any particular need to complicate my life with another administration task.

I would see articles and posts every few weeks about how amazingly easy it LE was to set up, but chalked them off as a combination of hype and people less lazy than I am (I've been told it's a virtue).

Then, yesterday, I discovered certbot.

Certbot is basically the old letsencrypt client (actually, it's exactly the old client), except renamed and with a new PR campaign (and mascot). The project page made configuration look dead simple, so I decided to bite the bullet and try it.

In 5 minutes, I had an HTTPS-secured site with an A+ security report.

Here are the exact steps I took:

$ wget https://dl.eff.org/certbot-auto
$ chmod +x certbot-auto
$ ./certbot-auto certonly # fill out the interactive dialogs
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 # generate a strong DH group
$ sudo vim /etc/nginx/sites-enabled/default # update nginx's config
$ sudo mv ./certbot-auto /etc/letsencrypt/ # move for later scheduling
$ sudo crontab -e # schedule certificate updates
$ sudo service nginx reload # load the new ssl configuration

certbot-auto's configuration was an absolute breeze - every step was extremely explicit (and validated!) to prevent user error. The curses-style interface used was probably one of the friendlier I've ever encountered.

Editing nginx's configuration required a bit of research, but DigitalOcean had my back with a tutorial on my exact setup (substituting letsencrypt-auto for certbot-auto). I also went with their advice on generating a stronger (2048 bit) Diffie-Hellman group, which is the only additional step required for obtaining that highly-coveted A+ report. Ultimately, the configuration ended up looking like this (cruft removed):

# http
server {
    listen 80;
    server_name woodruffw.us www.woodruffw.us;

    # redirect all HTTP requests to HTTPS
    return 301 https://$host$request_uri;

# https
server {
    listen 443 ssl;

    root /usr/share/nginx/html;
    index index.html;

    # make available on localhost as well
    server_name localhost woodruffw.us www.woodruffw.us;

    ssl_certificate /etc/letsencrypt/live/woodruffw.us/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/woodruffw.us/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    location ~ /.well-known {
        allow all;

From there, ensuring that the certificate remains updated is a single line in the system crontab:

30 2 * * 1 /etc/letsencrypt/certbot-auto renew ; service nginx reload

One sudo service nginx reload later, and my site was fully encrypted, with unencrypted sessions seamlessly redirected.


I know I'm a bit late to the party when it comes to LE, but this is great news for the web and for pervasive encryption.

If you haven't already looked into adding a Let's Encrypt cert to your (unsecured) site, please do. It's free (as in beer and freedom), dead simple (I'm really not exaggerating about the 5 minutes), and an easy way to make your part of the web more secure.

- William