Using certificates from Let’s Encrypt with nginx

Let’s Encrypt is a new Certificate Authority which signs certificates for free. Its client software takes the hassle out of the whole process: there are no OpenSSL commands to run and no Certificate Signing Requests to upload. Just run a command, enter your e-mail address and domain names, and a short time later your signed SSL certificates are ready.

Getting the software and creating the certificates is easy:

apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly

For added security, you’ll want to generate your own Diffie-Hellman parameter (note this command may take a long time to complete):

openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Configure nginx with HTTPS support and tell it to use the new certificate by adding this snippet to your existing configuration (replace example.com with your domain):

  listen 443 ssl;
  listen [::]:443 ssl;

  # the Let's Encrypt client writes these under /etc/letsencrypt/live/<domain>/;
  # fullchain.pem contains your certificate plus the intermediate, which clients need
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  # the parameter file generated above
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # HSTS: max-age of 15552000 seconds is 180 days
  add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload";

  # send plain-HTTP visitors to the HTTPS site
  if ( $scheme != https ) {
    return 301 https://www.example.com$request_uri;
  }

For additional security, the example above sends a Strict-Transport-Security header, so a browser that has visited once will use HTTPS for the next 180 days without being asked, and redirects plain-HTTP requests so visitors always end up on the secure connection. Note that the preload token asks for the domain to be built into browsers' HSTS lists, which is slow to undo; leave it out unless every host under the domain will keep serving HTTPS.
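As an added check (this script is not part of the original post or of the Let's Encrypt project), the following Python script reads an nginx server block as text and reports whether each of the settings recommended above is present: an SSL listener, the full certificate chain rather than the bare certificate, a private key, custom DH parameters, an HSTS max-age of at least 180 days, and the HTTPS redirect. The embedded SAMPLE_CONFIG is constructed to mirror the snippet above; pass a path on the command line to audit your own file.

```python
# Added example (not part of the original post): audit an nginx server block
# for the settings recommended above. The sample configuration is constructed
# here to mirror the post's snippet; point load_config() at your own file.
import re
import sys

SAMPLE_CONFIG = """
server {
  listen 443 ssl;
  listen [::]:443 ssl;

  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload";

  if ( $scheme != https ) {
    return 301 https://www.example.com$request_uri;
  }
}
"""

# One simple directive per line: "name value;" (block openers/closers are skipped).
DIRECTIVE_RE = re.compile(r'^\s*([a-z_]+)\s+(.*?);\s*$', re.M)


def parse_directives(config):
    """Return (name, value) pairs for every simple directive, in file order."""
    return [(m.group(1), m.group(2).strip()) for m in DIRECTIVE_RE.finditer(config)]


def hsts_max_age(directives):
    """Return the Strict-Transport-Security max-age in seconds, or None if unset."""
    for name, value in directives:
        if name == 'add_header' and 'Strict-Transport-Security' in value:
            m = re.search(r'max-age=(\d+)', value)
            if m:
                return int(m.group(1))
    return None


def audit(config):
    """Map each recommendation from the post to True (present) or False (missing)."""
    directives = parse_directives(config)
    names = {name for name, _ in directives}
    certificate = dict(directives).get('ssl_certificate', '')
    return {
        'listens_on_443_with_ssl': any(n == 'listen' and v.endswith('443 ssl')
                                       for n, v in directives),
        # fullchain.pem carries the intermediate certificate; cert.pem alone
        # leaves some clients unable to build a trust path to the root.
        'serves_full_chain': certificate.endswith('fullchain.pem'),
        'private_key_configured': 'ssl_certificate_key' in names,
        'custom_dh_parameters': 'ssl_dhparam' in names,
        # 15552000 seconds is 180 days.
        'hsts_at_least_180_days': (hsts_max_age(directives) or 0) >= 180 * 86400,
        'redirects_http_to_https': any(n == 'return' and v.startswith('301 https://')
                                       for n, v in directives),
    }


def load_config(path):
    """Read a configuration file from disk when a path is given on the command line."""
    with open(path) as fh:
        return fh.read()


if __name__ == '__main__':
    text = load_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for check, ok in audit(text).items():
        print('%-26s %s' % (check, 'ok' if ok else 'MISSING'))
```

The parser is deliberately simple (one directive per line, no nested-block tracking), which is enough for a server block like the one above; a file with several server blocks should be split before auditing, since otherwise a directive from another block could satisfy a check.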

Once the configuration file is saved, restart nginx:

service nginx restart

You can test your configuration with the SSL Server Test at SSL Labs.