Update, December 5th, 2015: Forge now supports Let's Encrypt (see Taylor's tweet), which makes the steps below unnecessary.
What is Let's Encrypt
Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.
If you've ever had to purchase an SSL certificate, you've found that it can be expensive. It can also be difficult to generate your CSR and keys, assemble a complete certificate chain, make sure your ciphers are correct, and so on.
What Let's Encrypt does is make the process of getting a valid certificate configured on your server really simple.
Getting set up
The first step is to download the Let's Encrypt client onto your Forge server. Log in as the forge user, and make sure you have your sudo password handy (it'll be in the configuration email you received when your server was set up, unless you've subsequently changed it).
forge@forge-server:~$ git clone https://github.com/letsencrypt/letsencrypt
forge@forge-server:~$ cd letsencrypt/
forge@forge-server:~/letsencrypt$ ./letsencrypt-auto
Bootstrapping dependencies for Debian-based OSes...
This process will perform an apt-get update and install the dependencies the letsencrypt client needs to run. On a Forge-provisioned server this step will fail the first time around, because at the time of this post the client cannot yet configure nginx automatically, and nginx is what Forge-provisioned servers use by default.
No installers seem to be present and working on your system; fix that or try running letsencrypt with the "certonly" command
From here, you'll need to do a little bit of extra manual work. The first thing you'll need to do is stop nginx. This is going to stop your sites from being served, so be mindful of the time of day you run this and who might be accessing your site.
The remainder of this process shouldn't take more than five minutes.
forge@forge-server:~/letsencrypt$ sudo service nginx stop
Generating your certificate
Note: the --server parameter will be provided to you in the beta acceptance email from Let's Encrypt and may vary from what is below, so be mindful if you run into issues.
forge@forge-server:~/letsencrypt$ ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --rsa-key-size 2048
Updating letsencrypt and virtual environment dependencies......
Running with virtualenv: sudo /home/forge/.local/share/letsencrypt/bin/letsencrypt --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --rsa-key-size 2048
[sudo] password for forge:
You'll be asked to enter an email address, which is used for urgent notices and lost key recovery. This only needs to be done the first time you run letsencrypt. It's best to use a suitable address like [email protected] for such notices.
The next step is to enter your domain names, separated by either a comma or a space. When finished, press OK.
You'll then be given a path to the full certificate chain.
- Congratulations! Your certificate and chain have been saved at /path/to/your/fullchain.pem. Your cert will expire on YYYY-MM-DD. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
Installing your certificate
The last step you need to complete is to install the newly generated certificate chain. You can do this via Forge, but seeing as we are already logged into our server, we'll continue here.
forge@forge-server:~/letsencrypt$ sudo vim /etc/nginx/sites-available/yourdomain.com
The first thing you'll want to do is configure your server to listen for your domain name on port 80 (regular HTTP) and redirect requests to port 443 (HTTPS).
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://yourdomain.com$request_uri;
}
Next, we'll configure your server to listen on port 443.
server {
    listen 443 ssl;
    server_name yourdomain.com;
    root /home/forge/yourdomain.com/current/public;

    ssl_certificate /path/to/your/fullchain.pem;

    # The privkey.pem file is in the same path as your fullchain.pem
    # by default, so you should need only change 'fullchain' to 'privkey'
    ssl_certificate_key /path/to/your/privkey.pem;

    # The rest of your Forge configuration for an existing site will be here!
    # ...
}
If you were previously using an SSL certificate that was configured by Forge, I have found that it is ok to comment out (with a # at the start of the lines) the existing ssl_certificate and ssl_certificate_key lines. I'm not sure if there is a way to do this via the Forge website.
Verifying your certificate
You'll need to start nginx again:
forge@forge-server:~/letsencrypt$ sudo service nginx start
Now check that your site is working in your browser. Open up http://yourdomain.com and make sure that it redirects to https://yourdomain.com. You should see the green padlock, and your certificate will be signed by Let's Encrypt Authority X1.
That's all there is to it!
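Because the certificate expires after the date printed above and the post's answer is to "run Let's Encrypt again", here is an added renewal helper (example code, not part of the original post or of the Let's Encrypt client). It renews only when the certificate is within RENEW_DAYS of its notAfter date, wraps the stop nginx / auth / start nginx sequence used above, and confirms that the privkey.pem you point ssl_certificate_key at really belongs to the fullchain.pem in ssl_certificate. The paths, the RENEW_DAYS threshold and the function names are assumptions; the --server URL and client flags are the ones used earlier in this post.

```shell
#!/bin/sh
# Added example: renewal helper for the standalone flow in this post.
# Placeholder paths (assumed); point them at your own server's files.
LE_DIR="/home/forge/letsencrypt"
FULLCHAIN="/path/to/your/fullchain.pem"
PRIVKEY="/path/to/your/privkey.pem"
ACME_SERVER="https://acme-v01.api.letsencrypt.org/directory"
RENEW_DAYS=30

# Pure arithmetic, so it can be checked offline: prints "yes" when the
# certificate's notAfter epoch ($1) is less than $3 days past "now" ($2).
needs_renewal() {
    not_after="$1"; now="$2"; days="$3"
    if [ $(( not_after - now )) -lt $(( days * 86400 )) ]; then
        echo yes
    else
        echo no
    fi
}

# Read notAfter from the certificate and convert it to epoch seconds
# (uses GNU date -d, as on the Ubuntu servers Forge provisions).
cert_not_after_epoch() {
    end=$(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//')
    date -d "$end" +%s
}

# The privkey.pem in ssl_certificate_key must belong to the fullchain.pem in
# ssl_certificate; comparing the RSA moduli catches a mismatched pair.
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ]
}

renew_if_needed() {
    now=$(date +%s)
    if [ "$(needs_renewal "$(cert_not_after_epoch "$FULLCHAIN")" "$now" "$RENEW_DAYS")" = no ]; then
        echo "certificate valid for more than $RENEW_DAYS days; nothing to do"
        return 0
    fi
    # Standalone auth needs port 80, so nginx is down only for the renewal itself.
    sudo service nginx stop
    (cd "$LE_DIR" && ./letsencrypt-auto --agree-dev-preview --server "$ACME_SERVER" auth --rsa-key-size 2048)
    sudo service nginx start
    key_matches_cert "$FULLCHAIN" "$PRIVKEY" || echo "WARNING: $PRIVKEY does not match $FULLCHAIN" >&2
}

# Only run the real renewal when explicitly asked: sh renew.sh run
case "${1:-}" in run) renew_if_needed ;; esac
```

Running it from cron a few days apart keeps the nginx outage to the renewal window only, since nothing is stopped while the certificate still has more than RENEW_DAYS left.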
Conclusion
There are lots of other things you can do to get an A rating for your SSL configuration, which I may discuss in a later post.
If you're keen to do some extra reading about SSL configuration, check out this post on the Mozilla wiki, which talks more about appropriate ciphers and configuration for various browser support needs.
If you have any questions about getting up and running, or you have an existing Forge site with custom configuration, feel free to leave a comment or tweet me and I'll be happy to help you out.