LetsEncrypt NGiNX Quick Start


NGiNX support in the Let's Encrypt letsencrypt-auto tool is not yet stable, so here are some instructions on how to get up and running with Let's Encrypt when using NGiNX.

NGiNX Static Content Server

Start a web server with a config like:

server {
    listen      80;
    server_name www.dust.cx dust.cx;
    location / { root /var/www/dust.cx; autoindex on; }
}

Certificate Request

Request the certificate (the -w webroot must be the same directory nginx serves as root for these names, so the CA can fetch the challenge file over port 80):

git clone https://github.com/letsencrypt/letsencrypt ~/git/letsencrypt
~/git/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/dust.cx -d dust.cx -d www.dust.cx

NGiNX Config

Update the NGiNX config to redirect all HTTP traffic to HTTPS and specify the certificate file paths:

server {
    listen      80;
    server_name www.dust.cx dust.cx;
    # regex and replacement are separate arguments: "^" matches every URI
    rewrite     ^ https://$server_name$request_uri? permanent;
}

server {
    listen 443 ssl;   # replaces the deprecated "ssl on;" directive
    server_name www.dust.cx dust.cx;

    ssl_certificate /etc/letsencrypt/live/dust.cx/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dust.cx/privkey.pem;

    # stapling needs a "resolver" to reach the OCSP responder, and
    # ssl_stapling_verify needs the root CA via ssl_trusted_certificate
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    location / { root /var/www/dust.cx; autoindex on; }
}

Reload NGiNX:

service nginx reload

Test

$ echo -n | openssl s_client -connect dust.cx:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
verify return:1
depth=0 CN = dust.cx
verify return:1
---
Certificate chain
 0 s:/CN=dust.cx
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=dust.cx
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3157 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CAB0B56296FF95BA74ADC40876E78EBAA4B3949FDFC145B0DFCDAB3A5C69B588
    Session-ID-ctx: 
    Master-Key: D04421C7E3BDE901845C4F418601B8118A7F7CAACA1C18B1CC8E0F02687DDFB5AF39A7ED213294C833BBC9BFE850C1A8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1449413126
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
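The s_client run above checks the chain by hand; the following script, added here and not part of the original guide, turns that plus the redirect, HSTS and stapling settings from the config into repeatable pass/fail checks. It assumes curl and openssl are installed and takes the hostname as its argument (dust.cx in this guide).

```shell
#!/bin/sh
# Post-deploy checks for the redirect, HSTS, chain and OCSP stapling settings in
# the config above (added example, not part of the original guide). Each check_*
# function reads captured curl/openssl output on stdin; exit 0 = pass, 1 = fail.

# Port 80 must answer with a permanent (301) redirect to an https:// URL.
check_redirect() {
    hdr=$(cat)
    printf '%s\n' "$hdr" | grep -qi '^HTTP/[0-9.]* 301' &&
        printf '%s\n' "$hdr" | grep -qi '^Location: https://'
}

# HSTS must be set with a max-age of at least one year (31536000 s), as above.
check_hsts() {
    age=$(grep -i '^Strict-Transport-Security:' |
        sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] && [ "$age" -ge 31536000 ]
}

# openssl s_client must have verified the chain up to a trusted root.
check_chain() {
    grep -q 'Verify return code: 0 (ok)'
}

# "openssl s_client -status" reports a stapled OCSP response with this line.
check_stapling() {
    grep -q 'OCSP Response Status: successful'
}

# Live run: check_site dust.cx (also fails if the cert expires within 30 days).
check_site() {
    host=$1; rc=0
    curl -sI "http://$host/"  | check_redirect || { echo "FAIL: no HTTPS redirect"; rc=1; }
    curl -sI "https://$host/" | check_hsts     || { echo "FAIL: HSTS missing or short"; rc=1; }
    tls=$(openssl s_client -connect "$host:443" -servername "$host" -status </dev/null 2>/dev/null)
    printf '%s\n' "$tls" | check_chain    || { echo "FAIL: chain not trusted"; rc=1; }
    printf '%s\n' "$tls" | check_stapling || { echo "FAIL: no OCSP staple"; rc=1; }
    printf '%s\n' "$tls" | openssl x509 -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: cert expires within 30 days"; rc=1; }
    return $rc
}
# Constructed samples of what curl -sI / openssl s_client print for this config.
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://www.dust.cx/'
SAMPLE_HTTPS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubdomains'
SAMPLE_TLS='OCSP Response Status: successful (0x0)
    Verify return code: 0 (ok)'
if [ $# -gt 0 ]; then check_site "$1"; fi
```

Run it as a cron job alongside renewal and it will flag a lapsed redirect, a dropped HSTS header, a broken chain, a missing staple or a certificate about to expire.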