Secure Your Phoenix App With Free SSL

Zek Interactive
Jun 10, 2017 · 5 min read

This is a follow up on the Phoenix deployment guide I recently published:

Deploy Early and Often: Deploying Phoenix with Edeliver and Distillery


After deploying your application, you’ll want to set up automated backups and SSL. TLS (still widely called SSL) is the standard protocol for encrypting data in transit between two systems; here it runs between your users’ browsers and the Nginx server sitting in front of your Phoenix application, which is where the connection is terminated. There’s no need to go into the benefits of HTTPS here. If you’re reading this, I’m sure you are already convinced.

Let’s Encrypt is a Certificate Authority that “exists to help create a 100% encrypted web”, and it does so by issuing certificates for free. If you’ve installed certificates from vendors like Comodo or Thawte, the main difference is that Let’s Encrypt certificates are valid for only 90 days, whereas purchased certificates are sold in yearly increments. The short lifetime is deliberate, and it is the reason renewal has to be automated rather than done by hand (we set that up later in this guide). The other difference, at the time of writing, is that Let’s Encrypt issues only Domain Validation (DV) certificates: no Organization Validation (OV), no Extended Validation (EV), and no wildcard certificates (wildcards were added with the ACMEv2 API in March 2018).

In this guide we’ll use Certbot to obtain a free Let’s Encrypt certificate and then automate the renewal process.

We won’t be going into the details of the numerous settings in our configuration. Nonetheless, it’s important to know what we’re securing against. Here’s a great article that explains what the various components mean.

Our Setup

If you’ve followed the guide, this is what we have so far:

  • Ubuntu 16.04 on DigitalOcean’s 1GB RAM plan
  • A simple Phoenix application, deployed with Edeliver and Distillery
  • DNS A Record pointing your domain to the public IP address of your server. For this guide, we’re pointing and to .
  • Nginx is serving the Phoenix app on port 80 (HTTP).

Installing Certbot

First, let’s add the newest version of Certbot we can find. At the time of writing this PPA was the recommended source for Ubuntu 16.04; it has since been retired, and the Certbot project now distributes Certbot as a snap, so check the current install instructions if you are on a newer system. Add the repository:

sudo add-apt-repository ppa:certbot/certbot
# press [ENTER] to continue ...

Now we can update the package list and install Certbot.

sudo apt-get update 
sudo apt-get install certbot

Getting Our First SSL Certificate

We’ll use the Webroot plugin to get our certificates. It works by creating a temporary file for each of your requested domains in . Certbot places these files under the .well-known/acme-challenge/ directory inside that path, and the Let’s Encrypt server then makes a plain HTTP request (port 80, not HTTPS) for each file to validate that it is being served by the host your domain resolves to. This is what proves you control the name: only someone who can write to that server’s webroot can answer. The request would look like:


Let’s add a location block to our Nginx config file that points to. Before we do that, we’ll need to create the certbot folder in our home directory.

cd ~
mkdir certbot
sudo vim /etc/nginx/sites-enabled/deploy_phoenix

Check your Nginx config for syntax errors, and if none are found, restart Nginx. (A reload would also do here, and unlike a restart it does not drop connections that are in flight.)

sudo nginx -t
sudo systemctl restart nginx

We’ll now use Webroot to request an SSL certificate, passing in as our . In order for a single cert to work with multiple domain names, be sure to include all of them (in our example we’re using and ).

sudo certbot certonly --webroot --webroot-path=/home/deploy/certbot/ -d -d

You’ll be prompted to enter your email address and agree to the terms of service. After that, you’ll see a message that the certificates have been generated and stored. Note the path and expiration date of the SSL certificate. The path should be .

Aside: you can back up your Let’s Encrypt account credentials and certificates with the command below. Bear in mind that the archive contains your ACME account key and the private keys of every certificate, so treat it as a secret: tar creates it with your umask (typically world-readable), so restrict it to root and move it off /tmp to wherever your other backups are kept.

sudo tar zcvf /tmp/letsencrypt_backup_$(date +'%Y-%m-%d_%H%M').tar.gz /etc/letsencrypt

Generate a Diffie-Hellman Key

Weak Diffie-Hellman (DH) key exchange parameters can make your TLS connections vulnerable to a man-in-the-middle attacker. The Logjam attack (2015) showed that 512-bit “export-grade” groups can be broken outright and that the handful of widely shared 1024-bit groups are within reach of a well-resourced attacker who precomputes against them; either way the attacker recovers the session key and can read or tamper with traffic. Let’s generate our own 2048-bit parameters so we are neither weak nor sharing a group with everyone else. Note that these parameters are only used when a DHE cipher suite is negotiated; with an ECDHE-only cipher list they are inert but harmless. Generation should take a few minutes on a 1GB droplet.

sudo openssl dhparam -out /etc/letsencrypt/dhparam.pem 2048

Configuring SSL on Nginx

Now that we have our certificates and strong DH parameters, we’re ready to configure Nginx to use them.

Snippets for certificates and settings

First, let’s create a snippet for our certificate files.

sudo vim /etc/nginx/snippets/
Paste in the above. Remember to replace with your domain name.

Save and close the file. Next, we’ll create a snippet for SSL settings using the recommendations on

sudo vim /etc/nginx/snippets/ssl-params.conf
Uncommenting line 18 (the HTTP Strict-Transport-Security header) provides increased security, but you must understand the implications: once a browser has seen the header it will refuse to connect to your host over plain HTTP for the entire max-age, and if the header also carries includeSubDomains that applies to every subdomain too, so any subdomain you do not serve over HTTPS will become unreachable for those visitors. Leave it commented until every name under the domain works over HTTPS.

Save and close this file too.

Updating our Nginx config file

Now we’ll edit our config file.

# Let's back up our config file first.
sudo cp /etc/nginx/sites-available/deploy_phoenix /etc/nginx/sites-available/deploy_phoenix.backup
sudo vim /etc/nginx/sites-available/deploy_phoenix

It’s a long file, but the main additions are the redirection blocks and the inclusion of our SSL snippets. Remember to replace with your own domain name.
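To make the three pieces concrete, here is an added example of what the certificate snippet, the ssl-params.conf snippet and the site file can look like together. These are not the guide’s own files: the domain example.com / www.example.com, the snippet filename ssl-example.com.conf and the Phoenix port 4000 are assumptions, while the webroot and dhparam paths are the ones used earlier in this guide.

```nginx
# /etc/nginx/snippets/ssl-example.com.conf   (assumed filename; example.com is a placeholder)
# Serve fullchain.pem, not cert.pem, so clients also receive the intermediate certificate.
ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

# /etc/nginx/snippets/ssl-params.conf   (example settings in the spirit of the guide)
# TLS 1.2 only; TLS 1.0/1.1 are deprecated and cost points on SSL Labs.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# Forward-secret AEAD suites only. Names unknown to the local OpenSSL are ignored.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_ecdh_curve secp384r1;
# Our own 2048-bit group from the step above; only used if a DHE suite is negotiated.
ssl_dhparam /etc/letsencrypt/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
# Tickets are encrypted with a key nginx never rotates, which weakens forward secrecy.
ssl_session_tickets off;
# HSTS: once a browser sees this it refuses plain HTTP to this host (and, with
# includeSubDomains, to every subdomain) for two years. Uncomment only when
# every name under the domain is served over HTTPS.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
# Note: an add_header inside a location {} block replaces ALL inherited add_header
# lines, so repeat these there if you add headers at that level.

# /etc/nginx/sites-available/deploy_phoenix
upstream phoenix {
    server 127.0.0.1:4000;   # assumed: the Distillery release listening locally
}

# Port 80: answer ACME challenges from the webroot, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Certbot (--webroot-path=/home/deploy/certbot) writes the token to
    # /home/deploy/certbot/.well-known/acme-challenge/<token>, and the CA fetches
    # http://example.com/.well-known/acme-challenge/<token>. This block must stay
    # reachable over plain HTTP or renewals will fail, and nginx's worker user
    # (www-data) needs read and traverse permission on the webroot path.
    location ^~ /.well-known/acme-challenge/ {
        root /home/deploy/certbot;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS terminates here, then plain HTTP to Phoenix on localhost.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;

    location / {
        proxy_pass http://phoenix;
        proxy_http_version 1.1;
        # Required for Phoenix channels (WebSocket upgrade).
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells the app the original request was HTTPS even though it arrives as HTTP.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The three sections above live in three separate files; they are shown in one block only so the includes can be read against what they pull in. The ACME location sits in the port-80 server on purpose: the redirect must not catch challenge requests, otherwise the CA follows the redirect to HTTPS and the first issuance still works, but a renewal with an expired certificate would not.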

Save the file and close it. Let’s check that we have no syntax errors in our config and snippet files.

sudo nginx -t

If there are no errors, proceed with restarting Nginx to make our changes go live.

sudo systemctl restart nginx

We need to edit our firewall to allow HTTPS traffic on port 443.

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP' # remove the redundant profile
sudo ufw status

You should see the following:

Now for the moment of truth. Did our configuration work? Let’s visit our domain in a web browser. Visiting should redirect to .

Put your website through the Qualys SSL Server Test. It should report an A+ rating.

[Screenshot: Qualys SSL Labs report for the site]

You should be getting an A+ rating too if you’ve followed along. Note that I have HSTS enabled (let me know in the comments what the rating is without HSTS if you’ve left it commented out). See the comment in the ssl-params.conf snippet earlier for more details.

SSL Cert Auto Renewal

Let’s Encrypt certificates are valid for 90 days, so we’ll set up a cron job to renew ours automatically. The renew command only replaces a certificate that is within 30 days of expiry and does nothing otherwise, so it is cheap to run once or twice a day, and doing so gives you several weeks of retries if a renewal attempt fails.

sudo crontab -e

Paste in the following at the end of the file. You may choose a different time. will reload Nginx, but only if a renewal has occurred.

It’s a good idea to put the expiry date of the certificate into your calendar so you can check back a few days before to see if your renewals are being performed. You can also exercise the renewal path right now with certbot renew --dry-run, which talks to the Let’s Encrypt staging environment and leaves your real certificate untouched; if the webroot location or firewall is wrong, this is where you find out rather than in 89 days.

Updating Phoenix Production config

One last thing to do. We need to update prod.exs so that the endpoint’s url option uses the https scheme (and port 443); otherwise the absolute URLs Phoenix generates, for links and static assets alike, will still start with http:// even though the site is served over HTTPS.

Increment the version number in , commit your changes and deploy your release.

git commit -a -m "edited prod.exs to add HTTPS scheme"
git push origin master
mix edeliver build release production --verbose
mix edeliver deploy release to production
mix edeliver stop production
mix edeliver start production


In this guide, we’ve used Let’s Encrypt’s Certbot to help us get SSL certificates, and we’ve set up automatic renewal. Our Phoenix application now keeps our visitors’ connections private and secure.

Happy coding!
