October 2015 Archives
October 27, 2015

SSL web site using Let's Encrypt

Open Source

Yesterday I was accepted in the beta program of Let's Encrypt, and I received an email on how to obtain the server-side SSL certificates for this web site.

The setup is pretty straightforward, though you need to pay attention to how you set things up on your web server. I use nginx and this is the configuration I had to add to serve HTTPS requests:

server {
    listen 443 ssl;
    server_name example.com www.example.com;

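    # No separate "ssl on;" line: the "ssl" parameter on the listen directive
    # already enables TLS, and the standalone directive is deprecated since nginx 1.15.0.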

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # ...

}

To authenticate your web site, the instructions tell you to place some files in a .well-known/acme-challenge directory. I placed those directly in the root directory that serves my site. Just make sure you have the proper permissions on the directories and files so the web server can serve them, and have the Content-Type set to application/jose+json. On Apache, this is how you do it:

<DirectoryMatch \.well-known/acme-challenge>
  ForceType application/jose+json
</DirectoryMatch>

For nginx add a config like this inside the server block for your site:

location /.well-known/acme-challenge {
  root /your/htdocs/directory/here;
  default_type application/jose+json;
}
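
The permission requirement described above, as an added example that is not part of the original post: a POSIX shell check that the challenge directories are traversable and the token file is readable by the web server, without anything being world-writable. It assumes the server worker depends on the "other" permission bits; the function names and the docroot and token arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: the web server
# worker is neither owner nor group member of the docroot, so what it can
# serve is decided by the "other" permission bits.

# has_perm PATH OCTAL: succeeds when every bit in OCTAL is set on PATH.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# check_challenge_perms DOCROOT TOKEN (both arguments are hypothetical names)
# Prints one finding per line; returns 0 only when nothing was found.
check_challenge_perms() {
    docroot=$1 token=$2 status=0
    # Refuse anything that is not a plain file name (no path traversal).
    case $token in
        ''|.*|*/*) echo "BAD-TOKEN-NAME $token"; return 2 ;;
    esac
    base=$docroot/.well-known
    for dir in "$docroot" "$base" "$base/acme-challenge"; do
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"; status=1
        elif ! has_perm "$dir" 001; then      # o+x: needed to traverse
            echo "NO-TRAVERSE $dir"; status=1
        elif has_perm "$dir" 002; then        # o+w: anyone can plant files
            echo "WORLD-WRITABLE $dir"; status=1
        fi
    done
    file=$base/acme-challenge/$token
    if [ ! -f "$file" ]; then
        echo "MISSING $file"; status=1
    elif ! has_perm "$file" 004; then         # o+r: needed to read the token
        echo "UNREADABLE $file"; status=1
    elif has_perm "$file" 002; then
        echo "WORLD-WRITABLE $file"; status=1
    fi
    return "$status"
}

# Command-line use: sh check.sh /your/htdocs/directory/here TOKEN
if [ "$#" -eq 2 ]; then
    check_challenge_perms "$1" "$2"
fi
```

The check starts at the document root; the directories above it also need the traverse bit for the server to reach the files.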

The SSL certificates are valid for 90 days during the beta test period, but I expect they will extend them to a more usual 1 year once everything works smoothly.

Once you're done setting things up, head over to SSL Labs and verify that your SSL web site is properly set up.

Overall a very pleasant experience, and I would say even better than what you get from other SSL certificate authorities.

To sign up for Let's Encrypt's Beta program click here.

Posted by ovidiu at 07:03 PM | Comments (42) |
 
Copyright © 2002-2016 Ovidiu Predescu.