Setting up free SSL certificates with Let's Encrypt

Mithilesh Said
Published in Founding Ithaka
Apr 13, 2018 · 4 min read

Why do you need SSL certificates in the first place?

A little primer, in case you aren't familiar with what SSL certificates are and why they matter. Imagine you go to your bank's website and log in with your internet banking password. Your browser sends your account details and password to the bank's servers, which verify them and grant you access.
Before the password reaches the bank's servers it has to travel across the internet, passing through a number of intermediate networks and routers. An attacker sniffing the traffic at any one of those hops could capture your password and use it.

To prevent that, data sent over the internet needs to be encrypted, i.e. converted from clear text to gibberish at the sender's end and converted back to clear text at the receiving end. TLS, the protocol behind SSL certificates, builds this on asymmetric cryptography. The idea is simple. There are two keys, a public key and a private key. When you go to a website in your browser, the server sends the browser its public key (packaged inside its certificate) while keeping the private key to itself.

The browser uses that public key during the TLS handshake: depending on the TLS version it either encrypts a session secret to the public key or checks a signature the server made with the private key, and either way only the holder of the private key can complete the handshake. The traffic itself is then encrypted with a symmetric session key that both sides derive from that handshake. Encryption alone is not enough, though: an attacker sitting in the middle could simply hand the browser a public key of his own. The certificate solves that by binding the public key to the site's hostname, signed by a certificate authority the browser trusts, so the browser can tell it is talking to the real server. When you see https in the browser's address bar, the browser has verified the certificate and the connection is encrypted.

The cost of SSL certificates

Browsers only trust certificates that chain up to a certificate authority (CA) in their built-in trust store. If you set up your certificate incorrectly or obtain it from a CA the browser does not trust, the browser will reject it and show a warning instead of the site. So it matters where the certificate comes from. DigiCert (which now also owns the former VeriSign certificate business) and Let's Encrypt are examples of CAs trusted by all major browsers. DigiCert sells certificates; Let's Encrypt is a free, automated CA run by the nonprofit Internet Security Research Group and sponsored by major tech companies.

Note: the server sends its certificate chain in every full TLS handshake, not in the HTTP request headers. If you operate at a scale of several thousand new connections per second, the size of that chain does start to matter, but the lever is your configuration rather than the vendor: a short chain, an ECDSA key and TLS session resumption cut handshake bytes regardless of which CA issued the certificate. What a paid CA buys you is things like support contracts and organisation-validated certificates, not smaller handshakes.

If you are operating at low to medium scale, or have a hobby project that needs SSL protection, read on for how to set up free certificates using Let's Encrypt.

The actual process of setting up

1. Install NGINX

$ sudo apt-get update
$ sudo apt-get install nginx

2. Let's Encrypt's recommended client, Certbot, comes with an nginx plugin that obtains the certificate and can edit your nginx config for you

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

(The certbot PPA used above has since been retired. On current Ubuntu releases install the distribution packages with `sudo apt-get install certbot python3-certbot-nginx`, or follow the snap instructions on certbot.eff.org; the rest of the commands in this post are unchanged.)

3. Set up the NGINX config. We'll create a sample server block. Be aware that nginx refuses to start or reload while the certificate files referenced below are missing, so check the config with `sudo nginx -t` and don't reload until step 5 has created them (or write only the port-80 block now and add the second block after step 5; `certbot --nginx` can also write the ssl directives into the matching server block for you).

$ sudo vim /etc/nginx/sites-available/default... # inside the nginx config file add this
server {
    listen 80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}
server {
    listen 443 ssl;
    server_name www.example.com;
    # ssl certificate config: certbot stores each certificate under
    # /etc/letsencrypt/live/<name>/, where <name> is the first -d domain
    # passed to certbot, so these paths must match the command in step 5
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    # chain.pem is only consulted for OCSP stapling (ssl_stapling on;)
    ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem;

    location / {
        # ... all your reverse proxying info goes here ...
    }
}

The first server block tells NGINX that all traffic arriving on port 80, the default http port, must be redirected (with a permanent 301) to the same URL on port 443, the default https port.

The second block tells NGINX to terminate TLS on port 443: it presents the certificate chain (fullchain.pem) to clients and uses the private key (privkey.pem) to complete the handshake, after which NGINX decrypts incoming traffic and encrypts outgoing traffic with the session keys. The file paths tell NGINX where certbot stores those files. The directory name under /etc/letsencrypt/live/ is the first domain you pass to certbot with -d, so it has to match step 5, and chain.pem (ssl_trusted_certificate) is only used for OCSP stapling, so that line does nothing unless you also set ssl_stapling on.

4. Open port 443 on the server's firewall if it isn't already open. The 'Nginx Full' ufw profile allows both 80 and 443, so the narrower 'Nginx HTTP' rule becomes redundant. Keep port 80 reachable: the redirect and certbot's domain validation both use it.

$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'

5. Obtain the certificate. Certbot asks for an email address and agreement to the Let's Encrypt terms, proves control of www.example.com over port 80 using the running nginx, offers to add the http-to-https redirect, and writes the files under /etc/letsencrypt/live/www.example.com/. Pass one -d per hostname the certificate should cover; the first one names that directory.

$ sudo certbot --nginx -d www.example.com

6. Keep the certificates renewed. Let's Encrypt certificates are valid for 90 days. The certbot package installs a systemd timer (or cron job) that runs `certbot renew` twice a day and renews anything within 30 days of expiry, reloading nginx afterwards when the nginx plugin was used, so normally you don't have to do anything by hand; check that the timer is present with `systemctl list-timers` and that renewal works with `sudo certbot renew --dry-run`. Certbot asks for your email address during setup; Let's Encrypt used that address for expiry reminders, but it has since announced the end of those emails, so monitor expiry yourself rather than relying on them. To renew manually:

$ sudo certbot renew
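As an added example (not code from the original post), here is a small Python audit of the server blocks from step 3 for the pitfalls the steps above run into: a certificate lineage directory that does not match the name passed to certbot, certificate files that do not exist yet (nginx will not reload), a port-80 block that does not redirect, and ssl_trusted_certificate set without ssl_stapling. The two sample configs inside the block are constructed, it assumes a single `-d www.example.com` (so the lineage is named www.example.com), and the `path_exists` parameter is injected so the audit can run before the certificate has been issued.

```python
"""Static audit of the nginx server blocks from step 3 of this post.
Added example, not code from the original post; see the lead-in for the
assumptions. The parser is minimal: one directive per line, no `include`,
and `location` as the only nested block."""
import re
from typing import Callable, Dict, List

# Constructed sample: the config as it appears in step 3 of the post.
CONFIG_AS_WRITTEN = """
server {
    listen 80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
"""

# Constructed sample: lineage path matching `certbot --nginx -d www.example.com`
# (assumed: a single -d, so the lineage is named www.example.com) and OCSP
# stapling switched on so that chain.pem is actually used.
CONFIG_FIXED = CONFIG_AS_WRITTEN.replace(
    "/live/example.com/", "/live/www.example.com/"
).replace("    location / {", "    ssl_stapling on;\n    location / {")

LINEAGE_RE = re.compile(r"^/etc/letsencrypt/live/([^/]+)/")


def parse_server_blocks(text: str) -> List[Dict[str, List[str]]]:
    """One dict per top-level `server { ... }` block: directive name -> list of
    argument strings. Directives inside nested blocks (location) are skipped."""
    blocks: List[Dict[str, List[str]]] = []
    depth, current = 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            if depth == 0 and line.startswith("server"):
                current = {}
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0 and current is not None:
                blocks.append(current)
                current = None
        elif current is not None and depth == 1 and line.endswith(";"):
            name, _, args = line[:-1].partition(" ")
            current.setdefault(name, []).append(args.strip())
    return blocks


def _listens_on(block: Dict[str, List[str]], port: str) -> bool:
    # handles `listen 80;` as well as `listen [::]:80;`
    return any(a.split()[0].rsplit(":", 1)[-1] == port for a in block.get("listen", []))


def audit(text: str, path_exists: Callable[[str], bool]) -> List[str]:
    """Findings for the pitfalls discussed in the post. `path_exists` is injected
    so the audit can run before the certificate exists (and in a test)."""
    findings: List[str] = []
    blocks = parse_server_blocks(text)
    tls = [b for b in blocks if any("ssl" in a.split() for a in b.get("listen", []))]
    if not tls:
        findings.append("no server block listens with `ssl`; https will not be served")
    for b in blocks:
        if _listens_on(b, "80") and b not in tls:
            if not any(a.startswith("301 https://") for a in b.get("return", [])):
                findings.append("port-80 block does not redirect to https")
    for b in tls:
        name = b.get("server_name", ["?"])[0]
        for directive in ("ssl_certificate", "ssl_certificate_key"):
            if directive not in b:
                findings.append(f"{name}: missing {directive}")
            elif not path_exists(b[directive][0]):
                findings.append(f"{name}: {b[directive][0]} does not exist; nginx will "
                                "refuse to start or reload until the certificate is issued")
        m = LINEAGE_RE.match(b.get("ssl_certificate", [""])[0])
        if m and m.group(1) != name:
            findings.append(f"{name}: ssl_certificate uses lineage '{m.group(1)}'; certbot "
                            "names the lineage after the first -d value, so this only works "
                            f"if that certificate also lists {name} as a SAN")
        if "ssl_trusted_certificate" in b and b.get("ssl_stapling", ["off"])[0] != "on":
            findings.append(f"{name}: ssl_trusted_certificate is set but ssl_stapling is off, "
                            "so chain.pem is never used")
    return findings


if __name__ == "__main__":
    import os
    for label, cfg in (("as written", CONFIG_AS_WRITTEN), ("fixed", CONFIG_FIXED)):
        print(f"== {label} ==")
        for finding in audit(cfg, os.path.exists) or ["no findings"]:
            print(" -", finding)
```

Run it against the config as written on the page and it reports the lineage mismatch and the unused chain.pem (plus the missing files, if the certificate has not been issued yet); against the corrected config it reports nothing. Pointing `audit` at your real /etc/nginx/sites-available/default with `os.path.exists` is a quick pre-reload check alongside `nginx -t`.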

Setting up certificates for multiple sub-domains can be slightly challenging in the beginning (each one gets its own -d flag, and the first one names the lineage directory). Feel free to DM me on Twitter @MithileshSaid if you run into any issues while doing so.
