Let's Encrypt (or not just yet)

28 Oct 2015

Well, title says everything basically. I've switched to Let's Encrypt for my HTTPS needs. Or actually curiosity and lazyness needs.

I want this

How to get this up and running on a Debian system running nginx:

$ git clone https://github.com/letsencrypt/letsencrypt.git
$ cd letsencrypt
# ./letsencrypt-auto -d blog.luukhendriks.eu auth

Then, in the menus, do:

  • Agree
  • Choose option 2, the Standalone Authenticator
  • Enter an e-mail address
  • Read the ToS, and Agree
  • Get a message that your nginx is already running on tcp/443, oops

It's still a little beta-ish

Yes, I stopped my nginx, ran the script again, and completed the installation that way. Using

# ./letsencrypt-auto auth --nginx -d blog.luukhendriks.eu

will make you realize that (at the time of writing) the nginx plugin is not yet in letsencrypt-auto.

So after the keys and certs are generated, alter your config like below, and start nginx again.

ssl_certificate             /etc/letsencrypt/live/blog.luukhendriks.eu/fullchain.pem
ssl_certificate_key         /etc/letsencrypt/live/blog.luukhendriks.eu/privkey.pem;


So, what's served now exactly?

$ openssl s_client -showcerts -connect blog.luukhendriks.eu:443

depth=1 CN = happy hacker fake CA
verify error:num=19:self signed certificate in certificate chain
Certificate chain
 0 s:/CN=blog.luukhendriks.eu
   i:/CN=happy hacker fake CA

And then you realize that it's not all live yet. Which is ofcourse clearly stated in the FAQ. Which I didn't read.

Guess I'll try again from RIPE71, as things should result in actual valid certificates by then.